feat(auth): build login page with LoginForm, brand panel, and title

Replaces placeholder with full login page: brand panel left, LoginForm right, svelte:head title, signup link, no-nav-chrome. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
feat(auth): add login server action with validation and redirect
2026-04-02 16:21:31 +02:00 · 2026-04-02 16:20:02 +02:00 · 2026-04-02 16:18:49 +02:00
6 changed files with 496 additions and 6 deletions
--- a/frontend/src/lib/auth/LoginForm.svelte
+++ b/frontend/src/lib/auth/LoginForm.svelte
@@ -0,0 +1,154 @@
+<script lang="ts">
+	import { enhance } from '$app/forms';
+
+	type FormResult = {
+		errors?: Record<string, string>;
+		email?: string;
+	} | null;
+
+	let { form = null }: { form?: FormResult } = $props();
+
+	let email = $state('');
+	let password = $state('');
+	let showPassword = $state(false);
+	let formError = $state('');
+
+	let errors = $state({
+		email: '',
+		password: ''
+	});
+
+	$effect(() => {
+		if (form?.errors) {
+			errors.email = form.errors.email ?? '';
+			errors.password = form.errors.password ?? '';
+			formError = form.errors.form ?? '';
+			if (form.email) email = form.email;
+		}
+	});
+
+	function validate(): boolean {
+		let hasError = false;
+
+		errors.email = '';
+		errors.password = '';
+		formError = '';
+
+		const emailPattern = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+		if (!emailPattern.test(email)) {
+			errors.email = 'Ungültige E-Mail-Adresse';
+			hasError = true;
+		}
+
+		if (!password) {
+			errors.password = 'Passwort ist erforderlich';
+			hasError = true;
+		}
+
+		return hasError;
+	}
+
+	function handleSubmit(event: SubmitEvent) {
+		if (validate()) {
+			event.preventDefault();
+		}
+	}
+</script>
+
+<form method="POST" novalidate use:enhance onsubmit={handleSubmit}>
+	<h1
+		class="font-[var(--font-display)] text-[18px] font-medium tracking-[-0.02em] text-[var(--color-text)]
+			md:text-[28px]"
+	>
+		Willkommen zurück
+	</h1>
+
+	<p
+		class="mb-[20px] text-[12px] text-[var(--color-text-muted)]
+			md:mb-[32px] md:text-[14px]"
+	>
+		Melde dich an, um fortzufahren.
+	</p>
+
+	<!-- Email field -->
+	<div class="mb-[16px]">
+		<label
+			for="email"
+			class="mb-[6px] block text-[12px] font-medium text-[var(--color-text)]"
+		>
+			E-Mail
+		</label>
+		<input
+			type="email"
+			id="email"
+			name="email"
+			placeholder="du@beispiel.de"
+			autocomplete="email"
+			bind:value={email}
+			class="w-full rounded-[var(--radius-md)] border bg-[var(--color-page)] px-[12px] py-[10px] font-[var(--font-sans)] text-[14px] text-[var(--color-text)] outline-none
+				{errors.email ? 'border-[var(--color-error)]' : 'border-[var(--color-border)]'}"
+		/>
+		{#if errors.email}
+			<p class="mt-1 font-[var(--font-sans)] text-[12px] text-[var(--color-error)]">
+				{errors.email}
+			</p>
+		{/if}
+	</div>
+
+	<!-- Password field -->
+	<div class="mb-[16px]">
+		<label
+			for="password"
+			class="mb-[6px] block text-[12px] font-medium text-[var(--color-text)]"
+		>
+			Passwort
+		</label>
+		<div class="relative">
+			<input
+				type={showPassword ? 'text' : 'password'}
+				id="password"
+				name="password"
+				placeholder="Dein Passwort"
+				autocomplete="current-password"
+				bind:value={password}
+				class="w-full rounded-[var(--radius-md)] border bg-[var(--color-page)] px-[12px] py-[10px] pr-[44px] font-[var(--font-sans)] text-[14px] text-[var(--color-text)] outline-none
+					{errors.password ? 'border-[var(--color-error)]' : 'border-[var(--color-border)]'}"
+			/>
+			<button
+				type="button"
+				onclick={() => (showPassword = !showPassword)}
+				aria-label={showPassword ? 'Passwort verbergen' : 'Passwort anzeigen'}
+				class="absolute top-1/2 right-[12px] -translate-y-1/2 cursor-pointer bg-transparent p-0 text-[12px] text-[var(--color-text-muted)]"
+			>
+				{showPassword ? 'Verbergen' : 'Anzeigen'}
+			</button>
+		</div>
+		{#if errors.password}
+			<p class="mt-1 font-[var(--font-sans)] text-[12px] text-[var(--color-error)]">
+				{errors.password}
+			</p>
+		{/if}
+	</div>
+
+	{#if formError}
+		<p class="mb-[16px] rounded-[var(--radius-md)] bg-[color-mix(in_srgb,var(--color-error),transparent_90%)] px-[12px] py-[10px] text-[12px] text-[var(--color-error)]">
+			{formError}
+		</p>
+	{/if}
+
+	<!-- Submit button -->
+	<button
+		type="submit"
+		class="w-full cursor-pointer rounded-[var(--radius-md)] bg-[var(--green-dark)] px-[24px] py-[12px] text-[var(--btn-font-size)] font-[var(--btn-font-weight)] tracking-[var(--btn-letter-spacing)] text-white"
+	>
+		Anmelden &rarr;
+	</button>
+
+	<!-- Signup link -->
+	<p
+		class="mt-[16px] text-center text-[12px] text-[var(--color-text-muted)]
+			md:text-[13px]"
+	>
+		Noch kein Konto? <a href="/signup" class="font-medium text-[var(--green)] hover:underline">Registrieren</a>
+	</p>
+</form>
--- a/frontend/src/lib/auth/LoginForm.test.ts
+++ b/frontend/src/lib/auth/LoginForm.test.ts
@@ -0,0 +1,117 @@
+import { describe, it, expect, vi } from 'vitest';
+import { render, screen } from '@testing-library/svelte';
+import { userEvent } from '@testing-library/user-event';
+import LoginForm from './LoginForm.svelte';
+
+vi.mock('$app/forms', () => ({
+	enhance: () => ({ destroy: () => {} })
+}));
+
+describe('LoginForm', () => {
+	it('renders email and password fields with correct labels', () => {
+		render(LoginForm);
+		expect(screen.getByLabelText('E-Mail')).toBeInTheDocument();
+		expect(screen.getByLabelText('Passwort')).toBeInTheDocument();
+	});
+
+	it('renders heading and subtitle', () => {
+		render(LoginForm);
+		expect(screen.getByText('Willkommen zurück')).toBeInTheDocument();
+		expect(screen.getByText('Melde dich an, um fortzufahren.')).toBeInTheDocument();
+	});
+
+	it('renders submit button', () => {
+		render(LoginForm);
+		expect(screen.getByRole('button', { name: /anmelden/i })).toBeInTheDocument();
+	});
+
+	it('renders signup link', () => {
+		render(LoginForm);
+		const link = screen.getByRole('link', { name: /registrieren/i });
+		expect(link).toHaveAttribute('href', '/signup');
+		expect(link.className).toContain('text-[var(--green)]');
+		expect(link.className).toContain('font-medium');
+	});
+
+	it('submit button uses --green-dark for WCAG AA', () => {
+		render(LoginForm);
+		const button = screen.getByRole('button', { name: /anmelden/i });
+		expect(button.className).toContain('bg-[var(--green-dark)]');
+	});
+
+	it('password field is initially of type password', () => {
+		render(LoginForm);
+		expect(screen.getByLabelText('Passwort')).toHaveAttribute('type', 'password');
+	});
+
+	it('password toggle switches type', async () => {
+		const user = userEvent.setup();
+		render(LoginForm);
+
+		const input = screen.getByLabelText('Passwort');
+		const toggle = screen.getByRole('button', { name: /passwort anzeigen/i });
+
+		await user.click(toggle);
+		expect(input).toHaveAttribute('type', 'text');
+
+		await user.click(toggle);
+		expect(input).toHaveAttribute('type', 'password');
+	});
+
+	it('inputs have correct autocomplete attributes', () => {
+		render(LoginForm);
+		expect(screen.getByLabelText('E-Mail')).toHaveAttribute('autocomplete', 'email');
+		expect(screen.getByLabelText('Passwort')).toHaveAttribute('autocomplete', 'current-password');
+	});
+
+	it('shows validation error for invalid email on submit', async () => {
+		const user = userEvent.setup();
+		render(LoginForm);
+
+		await user.type(screen.getByLabelText('E-Mail'), 'notanemail');
+		await user.type(screen.getByLabelText('Passwort'), 'password123');
+		await user.click(screen.getByRole('button', { name: /anmelden/i }));
+
+		expect(screen.getByText('Ungültige E-Mail-Adresse')).toBeInTheDocument();
+	});
+
+	it('shows validation error for empty password on submit', async () => {
+		const user = userEvent.setup();
+		render(LoginForm);
+
+		await user.type(screen.getByLabelText('E-Mail'), 'test@example.com');
+		await user.click(screen.getByRole('button', { name: /anmelden/i }));
+
+		expect(screen.getByText('Passwort ist erforderlich')).toBeInTheDocument();
+	});
+
+	it('shows no errors when fields are valid', async () => {
+		const user = userEvent.setup();
+		render(LoginForm);
+
+		await user.type(screen.getByLabelText('E-Mail'), 'test@example.com');
+		await user.type(screen.getByLabelText('Passwort'), 'password123');
+		await user.click(screen.getByRole('button', { name: /anmelden/i }));
+
+		expect(screen.queryByText('Ungültige E-Mail-Adresse')).not.toBeInTheDocument();
+		expect(screen.queryByText('Passwort ist erforderlich')).not.toBeInTheDocument();
+	});
+
+	it('displays server-side form error from form prop', () => {
+		render(LoginForm, {
+			props: {
+				form: {
+					errors: { form: 'E-Mail oder Passwort ist falsch.' },
+					email: 'test@example.com'
+				}
+			}
+		});
+		expect(screen.getByText('E-Mail oder Passwort ist falsch.')).toBeInTheDocument();
+	});
+
+	it('renders placeholders', () => {
+		render(LoginForm);
+		expect(screen.getByPlaceholderText('du@beispiel.de')).toBeInTheDocument();
+		expect(screen.getByPlaceholderText('Dein Passwort')).toBeInTheDocument();
+	});
+});
--- a/frontend/src/routes/(public)/login/+page.server.ts
+++ b/frontend/src/routes/(public)/login/+page.server.ts
@@ -0,0 +1,41 @@
+import { redirect, fail } from '@sveltejs/kit';
+import { apiClient } from '$lib/server/api';
+import type { Actions } from './$types';
+
+export const actions = {
+	default: async ({ request, url, fetch }) => {
+		const formData = await request.formData();
+		const email = (formData.get('email') ?? '').toString().trim();
+		const password = (formData.get('password') ?? '').toString();
+
+		const errors: Record<string, string> = {};
+
+		const emailPattern = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+		if (!emailPattern.test(email)) {
+			errors.email = 'Ungültige E-Mail-Adresse';
+		}
+
+		if (!password) {
+			errors.password = 'Passwort ist erforderlich';
+		}
+
+		if (Object.keys(errors).length > 0) {
+			return fail(400, { errors, email });
+		}
+
+		const api = apiClient(fetch);
+		const { error } = await api.POST('/v1/auth/login', {
+			body: { email, password }
+		});
+
+		if (error) {
+			return fail(400, {
+				errors: { form: 'E-Mail oder Passwort ist falsch.' },
+				email
+			});
+		}
+
+		const redirectTo = url.searchParams.get('redirect') || '/planner';
+		redirect(303, redirectTo);
+	}
+} satisfies Actions;
--- a/frontend/src/routes/(public)/login/+page.svelte
+++ b/frontend/src/routes/(public)/login/+page.svelte
@@ -1,11 +1,25 @@
-<div class="flex min-h-screen">
-	<div class="hidden md:flex md:w-1/2 bg-[var(--green)] items-center justify-center">
+<script lang="ts">
+	import LoginForm from '$lib/auth/LoginForm.svelte';
+
+	let { form } = $props();
+</script>
+
+<svelte:head>
+	<title>Anmelden — Mealprep</title>
+</svelte:head>
+
+<!-- Mobile: stacked, Desktop: side by side -->
+<div class="flex min-h-screen flex-col md:flex-row">
+	<div
+		class="bg-[var(--green)] flex flex-col items-center justify-center
+			px-6 py-7 text-center
+			md:w-1/2 md:min-h-screen md:px-10 md:py-12"
+	>
 		<span class="font-[var(--font-display)] text-4xl text-white font-medium">Mealprep</span>
 	</div>
-	<div class="flex-1 flex items-center justify-center p-6">
-		<div>
-			<h1 class="text-2xl font-medium">Anmelden</h1>
-			<p class="text-[var(--color-text-muted)] mt-2">Login-Formular folgt.</p>
+	<div class="flex flex-1 flex-col items-start justify-center px-[20px] py-[24px] md:items-center md:px-[56px] md:py-[48px]">
+		<div class="w-full max-w-[380px]">
+			<LoginForm {form} />
 		</div>
 	</div>
 </div>
--- a/frontend/src/routes/(public)/login/page.server.test.ts
+++ b/frontend/src/routes/(public)/login/page.server.test.ts
@@ -0,0 +1,120 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+
+vi.mock('$env/dynamic/private', () => ({
+	env: { BACKEND_URL: 'http://localhost:8080' }
+}));
+
+const mockPost = vi.fn();
+vi.mock('$lib/server/api', () => ({
+	apiClient: () => ({ POST: mockPost })
+}));
+
+describe('login form action', () => {
+	let actions: any;
+
+	beforeEach(async () => {
+		mockPost.mockReset();
+		const mod = await import('./+page.server');
+		actions = mod.actions;
+	});
+
+	function createEvent(formData: Record<string, string>, searchParams = '') {
+		const fd = new FormData();
+		for (const [key, value] of Object.entries(formData)) {
+			fd.append(key, value);
+		}
+		return {
+			request: { formData: () => Promise.resolve(fd) },
+			url: new URL(`http://localhost/login${searchParams}`),
+			fetch: vi.fn(),
+			cookies: { get: vi.fn(), set: vi.fn() }
+		} as any;
+	}
+
+	it('calls POST /v1/auth/login with form data', async () => {
+		mockPost.mockResolvedValue({ data: { data: { id: '123' } }, error: undefined });
+
+		try {
+			await actions.default(createEvent({
+				email: 'sarah@example.com',
+				password: 'password123'
+			}));
+		} catch {
+			// redirect throws
+		}
+
+		expect(mockPost).toHaveBeenCalledWith('/v1/auth/login', {
+			body: {
+				email: 'sarah@example.com',
+				password: 'password123'
+			}
+		});
+	});
+
+	it('redirects to /planner on success by default', async () => {
+		mockPost.mockResolvedValue({ data: { data: { id: '123' } }, error: undefined });
+
+		try {
+			await actions.default(createEvent({
+				email: 'sarah@example.com',
+				password: 'password123'
+			}));
+			expect.unreachable();
+		} catch (e: any) {
+			expect(e.status).toBe(303);
+			expect(e.location).toBe('/planner');
+		}
+	});
+
+	it('redirects to ?redirect param when present', async () => {
+		mockPost.mockResolvedValue({ data: { data: { id: '123' } }, error: undefined });
+
+		try {
+			await actions.default(createEvent(
+				{ email: 'sarah@example.com', password: 'password123' },
+				'?redirect=%2Frecipes%2Fabc'
+			));
+			expect.unreachable();
+		} catch (e: any) {
+			expect(e.status).toBe(303);
+			expect(e.location).toBe('/recipes/abc');
+		}
+	});
+
+	it('rejects empty email with validation error', async () => {
+		const result = await actions.default(createEvent({
+			email: '',
+			password: 'password123'
+		}));
+
+		expect(result.status).toBe(400);
+		expect(result.data.errors.email).toBe('Ungültige E-Mail-Adresse');
+		expect(mockPost).not.toHaveBeenCalled();
+	});
+
+	it('rejects empty password with validation error', async () => {
+		const result = await actions.default(createEvent({
+			email: 'sarah@example.com',
+			password: ''
+		}));
+
+		expect(result.status).toBe(400);
+		expect(result.data.errors.password).toBe('Passwort ist erforderlich');
+		expect(mockPost).not.toHaveBeenCalled();
+	});
+
+	it('returns fail with form error on API error', async () => {
+		mockPost.mockResolvedValue({
+			data: undefined,
+			error: { status: 401, message: 'Invalid credentials' }
+		});
+
+		const result = await actions.default(createEvent({
+			email: 'sarah@example.com',
+			password: 'password123'
+		}));
+
+		expect(result.status).toBe(400);
+		expect(result.data.errors.form).toBe('E-Mail oder Passwort ist falsch.');
+	});
+});
--- a/frontend/src/routes/(public)/login/page.test.ts
+++ b/frontend/src/routes/(public)/login/page.test.ts
@@ -0,0 +1,44 @@
+import { describe, it, expect, vi } from 'vitest';
+import { render, screen } from '@testing-library/svelte';
+import Page from './+page.svelte';
+
+vi.mock('$app/stores', async () => {
+	const { readable } = await import('svelte/store');
+	return {
+		page: readable({ url: new URL('http://localhost/login') })
+	};
+});
+
+vi.mock('$app/forms', () => ({
+	enhance: () => ({ destroy: () => {} })
+}));
+
+describe('login page', () => {
+	it('renders the login form', () => {
+		render(Page);
+		expect(screen.getByText('Willkommen zurück')).toBeInTheDocument();
+	});
+
+	it('renders the brand panel', () => {
+		render(Page);
+		expect(screen.getByText('Mealprep')).toBeInTheDocument();
+	});
+
+	it('sets the page title', () => {
+		render(Page);
+		expect(document.title).toBe('Anmelden — Mealprep');
+	});
+
+	it('does not render any navigation chrome', () => {
+		render(Page);
+		expect(screen.queryByRole('navigation')).not.toBeInTheDocument();
+		expect(screen.queryByText('Planer')).not.toBeInTheDocument();
+		expect(screen.queryByText('Rezepte')).not.toBeInTheDocument();
+	});
+
+	it('renders a link to the signup page', () => {
+		render(Page);
+		const link = screen.getByRole('link', { name: /registrieren/i });
+		expect(link).toHaveAttribute('href', '/signup');
+	});
+});