From 2c33ba55a444720d8eb4cb4a5fea7a4969078d17 Mon Sep 17 00:00:00 2001
From: chahinebrini
Date: Thu, 11 Jun 2026 06:36:16 +0200
Subject: [PATCH] =?UTF-8?q?fix(backend):=20username=20(Login-Identifikator?=
 =?UTF-8?q?)=20aus=20=C3=B6ffentlichen=20Payloads=20entfernt?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

community/posts.get.ts + social/profile/[userId].get.ts lieferten neben nickname auch username an fremde Clients — username ist der Login- Identifikator ({username}@rebreak.internal) und verletzt die Nickname- Anonymitäts-Invariante (REQ-COMM-005 / R-DATA-07) + exponiert das halbe Login-Credential-Paar. Frontend rendert das Feld nirgends (verifiziert); totes Typ-Feld in stores/community.ts entfernt.

Co-Authored-By: Claude Fable 5
---
 apps/rebreak-native/stores/community.ts | 1 -
 backend/server/api/community/posts.get.ts | 3 ++-
 backend/server/api/social/profile/[userId].get.ts | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/apps/rebreak-native/stores/community.ts b/apps/rebreak-native/stores/community.ts
index 6beafab..5033268 100644
--- a/apps/rebreak-native/stores/community.ts
+++ b/apps/rebreak-native/stores/community.ts
@@ -4,7 +4,6 @@ export type CommunityCategory = 'all' | 'games' | 'domain_vote' | 'lyra' | 'rebr
 export interface CommunityPostAuthor {
   id: string | null;
-  username: string;
   nickname: string;
   avatar: string | null;
   plan: string;
diff --git a/backend/server/api/community/posts.get.ts b/backend/server/api/community/posts.get.ts
index 5e5bc43..624ef89 100644
--- a/backend/server/api/community/posts.get.ts
+++ b/backend/server/api/community/posts.get.ts
@@ -115,7 +115,8 @@ export default defineEventHandler(async (event) => {
         : null,
       author: {
         id: p.userId ?? null,
-        username: a?.username ?? "Nutzer",
+        // username ist der Login-Identifikator (→ {username}@rebreak.internal)
+        // und darf NIE an fremde Clients gehen — Anonymitäts-Invariante (nickname-only).
         nickname: a?.nickname ?? a?.username ?? "Nutzer",
         avatar: a?.avatar ?? null,
         plan: (a as any)?.plan ?? "free",
diff --git a/backend/server/api/social/profile/[userId].get.ts b/backend/server/api/social/profile/[userId].get.ts
index 9e988a1..154c7f4 100644
--- a/backend/server/api/social/profile/[userId].get.ts
+++ b/backend/server/api/social/profile/[userId].get.ts
@@ -56,7 +56,7 @@ export default defineEventHandler(async (event) => {
   return {
     id: profile.id,
-    username: profile.username,
+    // username (Login-Identifikator) bewusst NICHT exponiert — nickname-only.
     nickname: meta.nickname ?? profile.username,
     avatar: meta.avatar,
     bio: (profile as any).bio ?? null,
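Review bot: The context line `nickname: a?.nickname ?? a?.username ?? "Nutzer"` directly below the new comment still falls back to the login identifier, so for any author without a nickname the very value the removed line stopped sending goes out in the `nickname` field instead; the new comment says username must never reach foreign clients, but the code it annotates contradicts it. The profile hunk has the same gap in `nickname: meta.nickname ?? profile.username`. Drop username from both chains: here `nickname: a?.nickname ?? "Nutzer",`, and in the profile handler replace `profile.username` with a neutral placeholder (the `"Nutzer"` literal this handler already uses would do unless the profile endpoint has its own convention). Both `defineEventHandler` bodies start and end outside their hunks, so whether `a` and `meta` are ever guaranteed to carry a nickname cannot be confirmed from the diff; a response-shape test asserting that no serialized field equals the author's username would pin the invariant the commit message states.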