refactor: resolve merge conflicts

Reviewed-on: #24

TODO.md

@@ -0,0 +1,65 @@
+# Project Review & Refactoring TODOs
+
+This document contains the prioritized list of refactoring tasks, architectural improvements, and testing strategies for the Aktiteil project.
+
+## 🚨 Must do (Security & Critical Best Practices)
+
+- [ ] **Fix Critical XSS Vulnerability (`{@html}` without sanitization)**
+  - **Where:** `src/routes/akti/[aktiId]/+page.svelte`
+  - **Why:** Rendering user input via `{@html data.akti.body}` without sanitization allows malicious scripts to be injected.
+  - **Fix:** Use the already installed `sanitize-html` library on the server to sanitize `changeRequest.body` before updating/inserting into the database.
+
+- [ ] **Move Server-Only Code to `$lib/server`**
+  - **Where:** `src/lib/auth.ts`
+  - **Why:** It imports from `./server/db`. Keeping server-side dependencies in the general `$lib` folder risks accidental imports by client components, breaking the Vite build and potentially leaking server logic.
+  - **Fix:** Move and rename it to `src/lib/server/session.ts` (or `authUtils.ts`) and update imports in `.server.ts` files.
+
+- [ ] **Fix Action Validation Error Handling**
+  - **Where:** `src/routes/akti/[aktiId]/+page.server.ts` and `src/routes/akti/[aktiId]/comment/+page.server.ts`
+  - **Why:** Currently returning `error(400)` on validation failure, which wipes form data and shows a generic error page.
+  - **Fix:** Use SvelteKit's `fail(400, { message: 'Invalid data' })` to keep the user on the page and preserve their input.
+
+- [ ] **Fix Hacky Fallback in Auth Query**
+  - **Where:** `src/lib/auth.ts` -> `getSession()`
+  - **Why:** Querying the DB with a fallback UUID (`eaf930...`) when email is missing is an anti-pattern.
+  - **Fix:** Implement an early return (`if (!session?.user?.email) return null;`) before hitting the database.
+
+## 🛠️ Should do (Performance & Architecture)
+
+- [ ] **Parallelize Database Queries**
+  - **Where:** `src/routes/akti/[aktiId]/+page.server.ts` (load function)
+  - **Why:** Queries are running sequentially.
+  - **Fix:** Use `Promise.all([ db.query.aktis.findFirst(...), db.query.ratings.findMany(...) ])` to run concurrently.
+
+- [ ] **Implement Pagination / Limit for the Dashboard**
+  - **Where:** `src/routes/+page.server.ts`
+  - **Why:** Querying all records joined with ratings will scale poorly.
+  - **Fix:** Add a `.limit()` clause and consider basic pagination or infinite scrolling.
+
+- [ ] **Extend Auth.js Types Globally**
+  - **Where:** `src/app.d.ts`
+  - **Why:** TypeScript doesn't inherently know `session.user.id` exists, leading to hacky workarounds.
+  - **Fix:** Override `@auth/sveltekit` Session types in `app.d.ts` to include `id` and `email` strictly.
+
+- [ ] **Consider Adopting a Form Library**
+  - **Where:** `src/lib/extractFormData.ts`
+  - **Why:** Custom form extractors lack instant client-side validation and seamless server-side error mapping.
+  - **Fix:** Consider switching to `sveltekit-superforms` which integrates well with Valibot.
+
+## ✨ Nice to have (UX & Polish)
+
+- [ ] **Clarify File Naming (`auth.ts` vs `auth.ts`)**
+  - Rename `src/lib/auth.ts` to `session.ts` or similar to distinguish from `src/auth.ts` (Auth.js setup).
+
+- [ ] **Abstract Heavy Database Queries**
+  - Move complex aggregations (like computing averages in `src/routes/+page.server.ts`) into a dedicated `src/lib/server/db/queries.ts` file to keep routes clean.
+
+- [ ] **Clean up Redundant Imports**
+  - In `src/routes/+layout.server.ts`, change `import { getSession as getSession }` to `import { getSession }`.
+
+## 🧪 Testing Plan
+
+- [ ] **Add Playwright (End-to-End Testing)**
+  - Install Playwright to test SvelteKit server actions, DB integration, and Flowbite forms holistically.
+- [ ] **Add Vitest + Svelte Testing Library (Unit/Component Testing)**
+  - Set up Vitest to test UI components (`AktiCard`, `AktiEditor`) and utility functions (`extractFormData`) in isolation.

drizzle/0004_wealthy_groot.sql

@@ -0,0 +1 @@
+ALTER TABLE "rating" ALTER COLUMN "comment" SET NOT NULL;

drizzle/meta/0004_snapshot.json

@@ -0,0 +1,436 @@
+{
+	"id": "0528e286-2cd4-4447-a3a4-5a7c2cda83b9",
+	"prevId": "8f81af0f-3a4e-4fb8-b7f1-cf4e6eec7ecb",
+	"version": "7",
+	"dialect": "postgresql",
+	"tables": {
+		"public.account": {
+			"name": "account",
+			"schema": "",
+			"columns": {
+				"userId": {
+					"name": "userId",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": true
+				},
+				"type": {
+					"name": "type",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": true
+				},
+				"provider": {
+					"name": "provider",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": true
+				},
+				"providerAccountId": {
+					"name": "providerAccountId",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": true
+				},
+				"refresh_token": {
+					"name": "refresh_token",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": false
+				},
+				"access_token": {
+					"name": "access_token",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": false
+				},
+				"expires_at": {
+					"name": "expires_at",
+					"type": "integer",
+					"primaryKey": false,
+					"notNull": false
+				},
+				"token_type": {
+					"name": "token_type",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": false
+				},
+				"scope": {
+					"name": "scope",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": false
+				},
+				"id_token": {
+					"name": "id_token",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": false
+				},
+				"session_state": {
+					"name": "session_state",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": false
+				}
+			},
+			"indexes": {},
+			"foreignKeys": {
+				"account_userId_user_id_fk": {
+					"name": "account_userId_user_id_fk",
+					"tableFrom": "account",
+					"tableTo": "user",
+					"columnsFrom": ["userId"],
+					"columnsTo": ["id"],
+					"onDelete": "cascade",
+					"onUpdate": "no action"
+				}
+			},
+			"compositePrimaryKeys": {},
+			"uniqueConstraints": {},
+			"policies": {},
+			"checkConstraints": {},
+			"isRLSEnabled": false
+		},
+		"public.authenticator": {
+			"name": "authenticator",
+			"schema": "",
+			"columns": {
+				"credentialID": {
+					"name": "credentialID",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": true
+				},
+				"userId": {
+					"name": "userId",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": true
+				},
+				"providerAccountId": {
+					"name": "providerAccountId",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": true
+				},
+				"credentialPublicKey": {
+					"name": "credentialPublicKey",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": true
+				},
+				"counter": {
+					"name": "counter",
+					"type": "integer",
+					"primaryKey": false,
+					"notNull": true
+				},
+				"credentialDeviceType": {
+					"name": "credentialDeviceType",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": true
+				},
+				"credentialBackedUp": {
+					"name": "credentialBackedUp",
+					"type": "boolean",
+					"primaryKey": false,
+					"notNull": true
+				},
+				"transports": {
+					"name": "transports",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": false
+				}
+			},
+			"indexes": {},
+			"foreignKeys": {
+				"authenticator_userId_user_id_fk": {
+					"name": "authenticator_userId_user_id_fk",
+					"tableFrom": "authenticator",
+					"tableTo": "user",
+					"columnsFrom": ["userId"],
+					"columnsTo": ["id"],
+					"onDelete": "cascade",
+					"onUpdate": "no action"
+				}
+			},
+			"compositePrimaryKeys": {},
+			"uniqueConstraints": {
+				"authenticator_credentialID_unique": {
+					"name": "authenticator_credentialID_unique",
+					"nullsNotDistinct": false,
+					"columns": ["credentialID"]
+				}
+			},
+			"policies": {},
+			"checkConstraints": {},
+			"isRLSEnabled": false
+		},
+		"public.session": {
+			"name": "session",
+			"schema": "",
+			"columns": {
+				"sessionToken": {
+					"name": "sessionToken",
+					"type": "text",
+					"primaryKey": true,
+					"notNull": true
+				},
+				"userId": {
+					"name": "userId",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": true
+				},
+				"expires": {
+					"name": "expires",
+					"type": "timestamp",
+					"primaryKey": false,
+					"notNull": true
+				}
+			},
+			"indexes": {},
+			"foreignKeys": {
+				"session_userId_user_id_fk": {
+					"name": "session_userId_user_id_fk",
+					"tableFrom": "session",
+					"tableTo": "user",
+					"columnsFrom": ["userId"],
+					"columnsTo": ["id"],
+					"onDelete": "cascade",
+					"onUpdate": "no action"
+				}
+			},
+			"compositePrimaryKeys": {},
+			"uniqueConstraints": {},
+			"policies": {},
+			"checkConstraints": {},
+			"isRLSEnabled": false
+		},
+		"public.verificationToken": {
+			"name": "verificationToken",
+			"schema": "",
+			"columns": {
+				"identifier": {
+					"name": "identifier",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": true
+				},
+				"token": {
+					"name": "token",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": true
+				},
+				"expires": {
+					"name": "expires",
+					"type": "timestamp",
+					"primaryKey": false,
+					"notNull": true
+				}
+			},
+			"indexes": {},
+			"foreignKeys": {},
+			"compositePrimaryKeys": {},
+			"uniqueConstraints": {},
+			"policies": {},
+			"checkConstraints": {},
+			"isRLSEnabled": false
+		},
+		"public.user": {
+			"name": "user",
+			"schema": "",
+			"columns": {
+				"id": {
+					"name": "id",
+					"type": "text",
+					"primaryKey": true,
+					"notNull": true
+				},
+				"name": {
+					"name": "name",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": false
+				},
+				"email": {
+					"name": "email",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": false
+				},
+				"emailVerified": {
+					"name": "emailVerified",
+					"type": "timestamp",
+					"primaryKey": false,
+					"notNull": false
+				},
+				"image": {
+					"name": "image",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": false
+				}
+			},
+			"indexes": {},
+			"foreignKeys": {},
+			"compositePrimaryKeys": {},
+			"uniqueConstraints": {
+				"user_email_unique": {
+					"name": "user_email_unique",
+					"nullsNotDistinct": false,
+					"columns": ["email"]
+				}
+			},
+			"policies": {},
+			"checkConstraints": {},
+			"isRLSEnabled": false
+		},
+		"public.akti": {
+			"name": "akti",
+			"schema": "",
+			"columns": {
+				"id": {
+					"name": "id",
+					"type": "uuid",
+					"primaryKey": true,
+					"notNull": true,
+					"default": "gen_random_uuid()"
+				},
+				"title": {
+					"name": "title",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": true
+				},
+				"summary": {
+					"name": "summary",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": true
+				},
+				"body": {
+					"name": "body",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": true
+				},
+				"user_id": {
+					"name": "user_id",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": true
+				},
+				"version": {
+					"name": "version",
+					"type": "integer",
+					"primaryKey": false,
+					"notNull": true,
+					"default": 1
+				}
+			},
+			"indexes": {},
+			"foreignKeys": {
+				"akti_user_id_user_id_fk": {
+					"name": "akti_user_id_user_id_fk",
+					"tableFrom": "akti",
+					"tableTo": "user",
+					"columnsFrom": ["user_id"],
+					"columnsTo": ["id"],
+					"onDelete": "no action",
+					"onUpdate": "no action"
+				}
+			},
+			"compositePrimaryKeys": {},
+			"uniqueConstraints": {},
+			"policies": {},
+			"checkConstraints": {},
+			"isRLSEnabled": false
+		},
+		"public.rating": {
+			"name": "rating",
+			"schema": "",
+			"columns": {
+				"id": {
+					"name": "id",
+					"type": "uuid",
+					"primaryKey": true,
+					"notNull": true,
+					"default": "gen_random_uuid()"
+				},
+				"akti_id": {
+					"name": "akti_id",
+					"type": "uuid",
+					"primaryKey": false,
+					"notNull": true
+				},
+				"user_id": {
+					"name": "user_id",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": true
+				},
+				"rating": {
+					"name": "rating",
+					"type": "real",
+					"primaryKey": false,
+					"notNull": true
+				},
+				"comment": {
+					"name": "comment",
+					"type": "text",
+					"primaryKey": false,
+					"notNull": true
+				},
+				"akti_version": {
+					"name": "akti_version",
+					"type": "integer",
+					"primaryKey": false,
+					"notNull": true
+				}
+			},
+			"indexes": {},
+			"foreignKeys": {
+				"rating_akti_id_akti_id_fk": {
+					"name": "rating_akti_id_akti_id_fk",
+					"tableFrom": "rating",
+					"tableTo": "akti",
+					"columnsFrom": ["akti_id"],
+					"columnsTo": ["id"],
+					"onDelete": "cascade",
+					"onUpdate": "no action"
+				},
+				"rating_user_id_user_id_fk": {
+					"name": "rating_user_id_user_id_fk",
+					"tableFrom": "rating",
+					"tableTo": "user",
+					"columnsFrom": ["user_id"],
+					"columnsTo": ["id"],
+					"onDelete": "cascade",
+					"onUpdate": "no action"
+				}
+			},
+			"compositePrimaryKeys": {},
+			"uniqueConstraints": {},
+			"policies": {},
+			"checkConstraints": {},
+			"isRLSEnabled": false
+		}
+	},
+	"enums": {},
+	"schemas": {},
+	"sequences": {},
+	"roles": {},
+	"policies": {},
+	"views": {},
+	"_meta": {
+		"columns": {},
+		"schemas": {},
+		"tables": {}
+	}
+}

drizzle/meta/_journal.json

@@ -29,6 +29,13 @@
 			"when": 1764000151184,
 			"tag": "0003_tranquil_iron_monger",
 			"breakpoints": true
+		},
+		{
+			"idx": 4,
+			"version": "7",
+			"when": 1765385786051,
+			"tag": "0004_wealthy_groot",
+			"breakpoints": true
 		}
 	]
 }

package.json

@@ -30,6 +30,7 @@
 		"@tailwindcss/vite": "^4.1.17",
 		"@tiptap/core": "3.7.2",
 		"@types/node": "^20.19.25",
+		"@types/sanitize-html": "^2.16.1",
 		"drizzle-kit": "^0.31.7",
 		"drizzle-orm": "^0.44.7",
 		"eslint": "^9.39.1",

pnpm-lock.yaml

@@ -60,6 +60,9 @@ importers:
       '@types/node':
         specifier: ^20.19.25
         version: 20.19.25
+      '@types/sanitize-html':
+        specifier: ^2.16.1
+        version: 2.16.1
       drizzle-kit:
         specifier: ^0.31.7
         version: 0.31.7
@@ -638,56 +641,67 @@ packages:
     resolution: {integrity: sha512-k9oD15soC/Ln6d2Wv/JOFPzZXIAIFLp6B+i14KhxAfnq76ajt0EhYc5YPeX6W1xJkAdItcVT+JhKl1QZh44/qw==}
     cpu: [arm]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-arm-musleabihf@4.53.3':
     resolution: {integrity: sha512-vTNlKq+N6CK/8UktsrFuc+/7NlEYVxgaEgRXVUVK258Z5ymho29skzW1sutgYjqNnquGwVUObAaxae8rZ6YMhg==}
     cpu: [arm]
     os: [linux]
+    libc: [musl]
 
   '@rollup/rollup-linux-arm64-gnu@4.53.3':
     resolution: {integrity: sha512-RGrFLWgMhSxRs/EWJMIFM1O5Mzuz3Xy3/mnxJp/5cVhZ2XoCAxJnmNsEyeMJtpK+wu0FJFWz+QF4mjCA7AUQ3w==}
     cpu: [arm64]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-arm64-musl@4.53.3':
     resolution: {integrity: sha512-kASyvfBEWYPEwe0Qv4nfu6pNkITLTb32p4yTgzFCocHnJLAHs+9LjUu9ONIhvfT/5lv4YS5muBHyuV84epBo/A==}
     cpu: [arm64]
     os: [linux]
+    libc: [musl]
 
   '@rollup/rollup-linux-loong64-gnu@4.53.3':
     resolution: {integrity: sha512-JiuKcp2teLJwQ7vkJ95EwESWkNRFJD7TQgYmCnrPtlu50b4XvT5MOmurWNrCj3IFdyjBQ5p9vnrX4JM6I8OE7g==}
     cpu: [loong64]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-ppc64-gnu@4.53.3':
     resolution: {integrity: sha512-EoGSa8nd6d3T7zLuqdojxC20oBfNT8nexBbB/rkxgKj5T5vhpAQKKnD+h3UkoMuTyXkP5jTjK/ccNRmQrPNDuw==}
     cpu: [ppc64]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-riscv64-gnu@4.53.3':
     resolution: {integrity: sha512-4s+Wped2IHXHPnAEbIB0YWBv7SDohqxobiiPA1FIWZpX+w9o2i4LezzH/NkFUl8LRci/8udci6cLq+jJQlh+0g==}
     cpu: [riscv64]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-riscv64-musl@4.53.3':
     resolution: {integrity: sha512-68k2g7+0vs2u9CxDt5ktXTngsxOQkSEV/xBbwlqYcUrAVh6P9EgMZvFsnHy4SEiUl46Xf0IObWVbMvPrr2gw8A==}
     cpu: [riscv64]
     os: [linux]
+    libc: [musl]
 
   '@rollup/rollup-linux-s390x-gnu@4.53.3':
     resolution: {integrity: sha512-VYsFMpULAz87ZW6BVYw3I6sWesGpsP9OPcyKe8ofdg9LHxSbRMd7zrVrr5xi/3kMZtpWL/wC+UIJWJYVX5uTKg==}
     cpu: [s390x]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-x64-gnu@4.53.3':
     resolution: {integrity: sha512-3EhFi1FU6YL8HTUJZ51imGJWEX//ajQPfqWLI3BQq4TlvHy4X0MOr5q3D2Zof/ka0d5FNdPwZXm3Yyib/UEd+w==}
     cpu: [x64]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-x64-musl@4.53.3':
     resolution: {integrity: sha512-eoROhjcc6HbZCJr+tvVT8X4fW3/5g/WkGvvmwz/88sDtSJzO7r/blvoBDgISDiCjDRZmHpwud7h+6Q9JxFwq1Q==}
     cpu: [x64]
     os: [linux]
+    libc: [musl]
 
   '@rollup/rollup-openharmony-arm64@4.53.3':
     resolution: {integrity: sha512-OueLAWgrNSPGAdUdIjSWXw+u/02BRTcnfw9PN41D2vq/JSEPnJnVuBgw18VkN8wcd4fjUs+jFHVM4t9+kBSNLw==}
@@ -823,24 +837,28 @@ packages:
     engines: {node: '>= 10'}
     cpu: [arm64]
     os: [linux]
+    libc: [glibc]
 
   '@tailwindcss/oxide-linux-arm64-musl@4.1.17':
     resolution: {integrity: sha512-HvZLfGr42i5anKtIeQzxdkw/wPqIbpeZqe7vd3V9vI3RQxe3xU1fLjss0TjyhxWcBaipk7NYwSrwTwK1hJARMg==}
     engines: {node: '>= 10'}
     cpu: [arm64]
     os: [linux]
+    libc: [musl]
 
   '@tailwindcss/oxide-linux-x64-gnu@4.1.17':
     resolution: {integrity: sha512-M3XZuORCGB7VPOEDH+nzpJ21XPvK5PyjlkSFkFziNHGLc5d6g3di2McAAblmaSUNl8IOmzYwLx9NsE7bplNkwQ==}
     engines: {node: '>= 10'}
     cpu: [x64]
     os: [linux]
+    libc: [glibc]
 
   '@tailwindcss/oxide-linux-x64-musl@4.1.17':
     resolution: {integrity: sha512-k7f+pf9eXLEey4pBlw+8dgfJHY4PZ5qOUFDyNf7SI6lHjQ9Zt7+NcscjpwdCEbYi6FI5c2KDTDWyf2iHcCSyyQ==}
     engines: {node: '>= 10'}
     cpu: [x64]
     os: [linux]
+    libc: [musl]
 
   '@tailwindcss/oxide-wasm32-wasi@4.1.17':
     resolution: {integrity: sha512-cEytGqSSoy7zK4JRWiTCx43FsKP/zGr0CsuMawhH67ONlH+T79VteQeJQRO/X7L0juEUA8ZyuYikcRBf0vsxhg==}
@@ -1232,6 +1250,9 @@ packages:
   '@types/resolve@1.20.2':
     resolution: {integrity: sha512-60BCwRFOZCQhDncwQdxxeOEEkbc5dIMccYLwbxsS4TUNeVECQ/pBJ0j09mrHOl/JJvpRPGwO9SvE4nR2Nb/a4Q==}
 
+  '@types/sanitize-html@2.16.1':
+    resolution: {integrity: sha512-n9wjs8bCOTyN/ynwD8s/nTcTreIHB1vf31vhLMGqUPNHaweKC4/fAl4Dj+hUlCTKYgm4P3k83fmiFfzkZ6sgMA==}
+
   '@types/unist@3.0.3':
     resolution: {integrity: sha512-ko/gIFJRv177XgZsZcBwnqJN5x/Gien8qNOn0D5bQU/zAzVf9Zt3BlcUiLqhV9y4ARk0GbT3tnUiPNgnTXzc/Q==}
 
@@ -1551,6 +1572,10 @@ packages:
     resolution: {integrity: sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw==}
     engines: {node: '>=0.12'}
 
+  entities@7.0.1:
+    resolution: {integrity: sha512-TWrgLOFUQTH994YUyl1yT4uyavY5nNB5muff+RtWaqNVCAK408b5ZnnbNAUEWLTCpum9w6arT70i1XdQ4UeOPA==}
+    engines: {node: '>=0.12'}
+
   esbuild-register@3.6.0:
     resolution: {integrity: sha512-H2/S7Pm8a9CL1uhp9OvjwrBh5Pvx0H8qVOxNu8Wed9Y7qv56MPtq+GGM8RJpq6glYJn9Wspr8uw7l55uyinNeg==}
     peerDependencies:
@@ -1734,6 +1759,9 @@ packages:
     resolution: {integrity: sha512-Xwwo44whKBVCYoliBQwaPvtd/2tYFkRQtXDWj1nackaV2JPXx3L0+Jvd8/qCJ2p+ML0/XVkJ2q+Mr+UVdpJK5w==}
     engines: {node: '>=12.0.0'}
 
+  htmlparser2@10.1.0:
+    resolution: {integrity: sha512-VTZkM9GWRAtEpveh7MSF6SjjrpNVNNVJfFup7xTY3UpFtm67foy9HDVXneLtFVt4pMz5kZtgNcvCniNFb1hlEQ==}
+
   htmlparser2@8.0.2:
     resolution: {integrity: sha512-GYdjWKDkbRLkZ5geuHs5NY1puJ+PXwP7+fHPRz06Eirsb9ugf6d8kkXav6ADhcODhFFPMIXyxkxSuMf3D6NCFA==}
 
@@ -1870,24 +1898,28 @@ packages:
     engines: {node: '>= 12.0.0'}
     cpu: [arm64]
     os: [linux]
+    libc: [glibc]
 
   lightningcss-linux-arm64-musl@1.30.2:
     resolution: {integrity: sha512-5Vh9dGeblpTxWHpOx8iauV02popZDsCYMPIgiuw97OJ5uaDsL86cnqSFs5LZkG3ghHoX5isLgWzMs+eD1YzrnA==}
     engines: {node: '>= 12.0.0'}
     cpu: [arm64]
     os: [linux]
+    libc: [musl]
 
   lightningcss-linux-x64-gnu@1.30.2:
     resolution: {integrity: sha512-Cfd46gdmj1vQ+lR6VRTTadNHu6ALuw2pKR9lYq4FnhvgBc4zWY1EtZcAc6EffShbb1MFrIPfLDXD6Xprbnni4w==}
     engines: {node: '>= 12.0.0'}
     cpu: [x64]
     os: [linux]
+    libc: [glibc]
 
   lightningcss-linux-x64-musl@1.30.2:
     resolution: {integrity: sha512-XJaLUUFXb6/QG2lGIW6aIk6jKdtjtcffUT0NKvIqhSBY3hh9Ch+1LCeH80dR9q9LBjG3ewbDjnumefsLsP6aiA==}
     engines: {node: '>= 12.0.0'}
     cpu: [x64]
     os: [linux]
+    libc: [musl]
 
   lightningcss-win32-arm64-msvc@1.30.2:
     resolution: {integrity: sha512-FZn+vaj7zLv//D/192WFFVA0RgHawIcHqLX9xuWiQt7P0PtdFEVaxgF9rjM/IRYHQXNnk61/H/gb2Ei+kUQ4xQ==}
@@ -3372,6 +3404,10 @@ snapshots:
 
   '@types/resolve@1.20.2': {}
 
+  '@types/sanitize-html@2.16.1':
+    dependencies:
+      htmlparser2: 10.1.0
+
   '@types/unist@3.0.3': {}
 
   '@typescript-eslint/eslint-plugin@8.48.0(@typescript-eslint/parser@8.48.0(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3))(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3)':
@@ -3616,6 +3652,8 @@ snapshots:
 
   entities@4.5.0: {}
 
+  entities@7.0.1: {}
+
   esbuild-register@3.6.0(esbuild@0.25.12):
     dependencies:
       debug: 4.4.3
@@ -3897,6 +3935,13 @@ snapshots:
 
   highlight.js@11.11.1: {}
 
+  htmlparser2@10.1.0:
+    dependencies:
+      domelementtype: 2.3.0
+      domhandler: 5.0.3
+      domutils: 3.2.2
+      entities: 7.0.1
+
   htmlparser2@8.0.2:
     dependencies:
       domelementtype: 2.3.0

src/lib/components/rating/RatingCard.svelte

@@ -0,0 +1,31 @@
+<script lang="ts">
+	import { Rating as FbRating } from 'flowbite-svelte';
+	import UserDisplay from '../UserDisplay.svelte';
+	interface Rating {
+		rating: number;
+		comment: string;
+		outdated?: boolean;
+		user?: {
+			name: string | null;
+			image: string | null;
+		};
+	}
+	let { rating }: { rating: Rating } = $props();
+</script>
+
+<div
+	class="w-full bg-white border border-gray-200 dark:bg-gray-800 dark:border-gray-700 shadow-md flex flex-col items-start p-5 gap-5"
+>
+	{#if rating.user}
+		<UserDisplay user={rating.user} />
+	{/if}
+	{#if rating.outdated}
+		<span class="self-end">i</span>
+	{/if}
+
+	<p class="text-left">{rating.comment}</p>
+
+	{#if rating.rating}
+		<FbRating id="example-1b" total={5} size={30} rating={rating.rating} class="self-end mt-auto" />
+	{/if}
+</div>

src/lib/components/rating/RatingEditor.svelte

@@ -0,0 +1,27 @@
+<script lang="ts">
+	import { Button, Label, Textarea } from 'flowbite-svelte';
+	import RatingInput from './RatingInput.svelte';
+	interface Rating {
+		rating: number;
+		comment: string;
+	}
+	let { rating }: { rating: Rating } = $props();
+</script>
+
+<form method="POST" class="flex flex-col gap-5">
+	<div>
+		<Label>Komentar</Label>
+		<Textarea
+			value={rating.comment}
+			name="comment"
+			required
+			minlength={5}
+			class="w-full min-h-40"
+		/>
+	</div>
+	<div>
+		<Label>Bewärtig</Label>
+		<RatingInput value={rating.rating} name="rating" />
+	</div>
+	<Button type="submit" class="grow-0 self-end">Spichere</Button>
+</form>

src/lib/components/rating/RatingInput.svelte

@@ -0,0 +1,63 @@
+<script lang="ts">
+	import { StarHalfSolid, StarSolid } from 'flowbite-svelte-icons';
+	import { twMerge, type ClassNameValue } from 'tailwind-merge';
+
+	let {
+		value = $bindable(5),
+		name,
+		disabled = false,
+		class: className
+	}: { value?: number; name?: string; disabled?: boolean; class?: ClassNameValue } = $props();
+
+	let stars = $derived(
+		[0, 1, 2, 3, 4].map((i) => {
+			if (value - i >= 1) {
+				return { id: i, value: 1 };
+			} else if (value - i >= 0.5) {
+				return { id: i, value: 0.5 };
+			}
+			return { id: i, value: 0 };
+		})
+	);
+</script>
+
+{#if name}
+	<input
+		type="number"
+		{name}
+		bind:value
+		tabindex="-1"
+		style="opacity: 0; position: absolute; pointer-events: none; z-index: -1; bottom: 0; left: 50%; height: 0; width: 0;"
+	/>
+{/if}
+
+<span class={twMerge('flex justify-between ', className)}>
+	<!-- es -->
+	{#each stars as s (s.id)}
+		<button
+			type="button"
+			{disabled}
+			onclick={() => {
+				if (s.id === 0 && value == 0.5) {
+					value = 0;
+					return;
+				}
+				if (value === s.id + 1) {
+					value = s.id + 0.5;
+					return;
+				}
+				value = s.id + 1;
+			}}
+			class="grid grid-cols-2 grid-rows-1"
+		>
+			{#if s.value >= 1}
+				<StarSolid class="col-span-2 text-amber-400" />
+			{:else}
+				<StarSolid class="col-span-2 col-start-1 row-start-1" />
+				{#if s.value >= 0.5}
+					<StarHalfSolid class="col-span-1 col-start-1 row-start-1 text-amber-400" />
+				{/if}
+			{/if}
+		</button>
+	{/each}
+</span>

src/lib/server/db/queries.ts

@@ -0,0 +1,16 @@
+import { db } from '$lib/server/db';
+import { aktis, ratings } from '$lib/server/db/schema';
+import { avg, eq } from 'drizzle-orm';
+
+export async function getAktisWithAvgRating() {
+	return await db
+		.select({
+			id: aktis.id,
+			title: aktis.title,
+			summary: aktis.summary,
+			rating: avg(ratings.rating)
+		})
+		.from(aktis)
+		.leftJoin(ratings, eq(aktis.id, ratings.aktiId))
+		.groupBy(aktis.id, aktis.title, aktis.summary);
+}

src/lib/server/db/schema/akti.ts

@@ -26,7 +26,7 @@ export const ratings = pgTable('rating', {
 		.notNull()
 		.references(() => users.id, { onDelete: 'cascade' }),
 	rating: real().notNull(),
-	comment: text(),
+	comment: text().notNull(),
 	aktiVersion: integer('akti_version').notNull()
 });
 

src/lib/server/session.ts

@@ -1,7 +1,7 @@
 import type { Session, User } from '@auth/sveltekit';
 import { error } from '@sveltejs/kit';
-import { db } from './server/db';
-import { users } from './server/db/schema';
+import { db } from './db';
+import { users } from './db/schema';
 import { eq } from 'drizzle-orm';
 interface Event {
 	locals: {

src/routes/+layout.server.ts

@@ -1,4 +1,4 @@
-import { getSession as getSession } from '$lib/auth';
+import { getSession as getSession } from '$lib/server/session';
 import type { LayoutServerLoad } from './$types';
 
 export const load: LayoutServerLoad = async (event) => {

src/routes/+page.server.ts

@@ -1,19 +1,8 @@
-import { db } from '$lib/server/db';
-import { aktis, ratings } from '$lib/server/db/schema';
-import { avg, eq } from 'drizzle-orm';
+import { getAktisWithAvgRating } from '$lib/server/db/queries';
 import type { PageServerLoad } from './$types';
 
 export const load: PageServerLoad = async () => {
-	const a = await db
-		.select({
-			id: aktis.id,
-			title: aktis.title,
-			summary: aktis.summary,
-			rating: avg(ratings.rating)
-		})
-		.from(aktis)
-		.leftJoin(ratings, eq(aktis.id, ratings.aktiId))
-		.groupBy(aktis.id, aktis.title, aktis.summary);
+	const a = await getAktisWithAvgRating();
 
 	return {
 		aktis: a.map((a) => ({ ...a, rating: a.rating ? parseFloat(a.rating) : undefined }))

src/routes/akti/+page.server.ts

@@ -4,9 +4,10 @@ import { extractFormData } from '$lib/extractFormData';
 import { resolve } from '$app/paths';
 
 import * as v from 'valibot';
-import { ensureAuth } from '$lib/auth';
+import { ensureAuth } from '$lib/server/session';
 import { db } from '$lib/server/db';
 import { aktis } from '$lib/server/db/schema';
+import sanitizeHtml from 'sanitize-html';
 export const load: PageServerLoad = async (event) => {
 	await ensureAuth(event);
 	return {};
@@ -28,6 +29,8 @@ export const actions = {
 
 		if (!akti) return {};
 
+		akti.body = sanitizeHtml(akti.body);
+
 		const res = await db
 			.insert(aktis)
 			.values({ ...akti, author: user.id! })

src/routes/akti/[aktiId]/+page.server.ts

@@ -1,23 +1,25 @@
 import { db } from '$lib/server/db';
 import { aktis, ratings } from '$lib/server/db/schema';
-import { error, redirect, type Actions } from '@sveltejs/kit';
-import { eq } from 'drizzle-orm';
+import { error, fail, redirect, type Actions } from '@sveltejs/kit';
+import { and, eq } from 'drizzle-orm';
 import type { PageServerLoad } from './$types';
-import { ensureAuth } from '$lib/auth';
+import { ensureAuth } from '$lib/server/session';
 import { extractFormData } from '$lib/extractFormData';
 import * as v from 'valibot';
 import { resolve } from '$app/paths';
+import sanitizeHtml from 'sanitize-html';
 
 export const load: PageServerLoad = async (event) => {
-	const akti = await db.query.aktis.findFirst({
+	const [akti, r] = await Promise.all([
+		db.query.aktis.findFirst({
 			where: eq(aktis.id, event.params.aktiId),
 			with: { author: true }
-	});
-
-	const r = await db.query.ratings.findMany({
+		}),
+		db.query.ratings.findMany({
 			with: { user: true },
 			where: eq(ratings.aktiId, event.params.aktiId)
-	});
+		})
+	]);
 
 	if (!akti) {
 		error(404, { message: 'Die Akti gits garnid, sorry...' });
@@ -54,13 +56,15 @@ export const actions = {
 			)
 		).data;
 
-		if (!changeRequest) return error(400);
+		if (!changeRequest) return fail(400, { message: 'Invalid data' });
 
-		const res = await db
-			.insert(aktis)
-			.values({ ...changeRequest, author: user.id, version: akti[0].version + 1 })
-			.returning({ id: aktis.id });
+		changeRequest.body = sanitizeHtml(changeRequest.body);
 
-		return redirect(303, resolve(`/akti/[aktiId]`, { aktiId: res[0].id }));
+		await db
+			.update(aktis)
+			.set({ ...changeRequest, version: akti[0].version + 1 })
+			.where(and(eq(aktis.author, user.id), eq(aktis.id, event.params.aktiId)));
+
+		return redirect(303, resolve(`/akti/[aktiId]`, { aktiId: event.params.aktiId }));
 	}
 } satisfies Actions;

src/routes/akti/[aktiId]/+page.svelte

@@ -4,10 +4,17 @@
 	import { EditOutline, CloseOutline } from 'flowbite-svelte-icons';
 	import AktiEditor from '$lib/components/akti/AktiEditor.svelte';
 	import UserDisplay from '$lib/components/UserDisplay.svelte';
+	import RatingCard from '$lib/components/rating/RatingCard.svelte';
+	import { resolve } from '$app/paths';
 
 	let { data }: PageProps = $props();
 
 	let edit = $state(false);
+	let canComment = $derived.by(() => {
+		if (!data.session) return false;
+		if (data.akti.author.id === data.session.user.id) return false;
+		return true;
+	});
 </script>
 
 <div class="flex justify-between">
@@ -37,4 +44,19 @@
 	</div>
 	<!-- eslint-disable-next-line svelte/no-at-html-tags -->
 	{@html data.akti.body}
+
+	<div class="mt-10 mb-5 flex justify-between items-center">
+		<h3>Kommentär</h3>
+		{#if canComment}
+			<Button href={resolve('/akti/[aktiId]/comment', { aktiId: data.akti.id })}>
+				Ä Kommentar da la
+			</Button>
+		{/if}
+	</div>
+
+	<section class="grid grid-cols-1 gap-5 2xl:grid-cols-3">
+		{#each data.ratings as rating (rating.id)}
+			<RatingCard {rating} />
+		{/each}
+	</section>
 {/if}

src/routes/akti/[aktiId]/comment/+page.server.ts

@@ -0,0 +1,68 @@
+import type { PageServerLoad } from './$types';
+import { ensureAuth } from '$lib/server/session';
+import { error, fail, redirect, type Actions } from '@sveltejs/kit';
+import { extractFormData } from '$lib/extractFormData';
+import { aktis, ratings } from '$lib/server/db/schema';
+import { eq } from 'drizzle-orm';
+
+import * as v from 'valibot';
+import { db } from '$lib/server/db';
+import { resolve } from '$app/paths';
+
+export const load: PageServerLoad = async (event) => {
+	const user = await ensureAuth(event);
+
+	const res = await db
+		.select({ authorId: aktis.author })
+		.from(aktis)
+		.where(eq(aktis.id, event.params.aktiId));
+
+	if (!res[0]) return error(404);
+
+	if (res[0].authorId === user.id) return error(403);
+
+	return;
+};
+
+export const actions = {
+	default: async (event) => {
+		const user = await ensureAuth(event);
+
+		if (!event.params.aktiId) return error(404);
+
+		const akti = await db
+			.select({ id: aktis.id, version: aktis.version, author: aktis.author })
+			.from(aktis)
+			.limit(1)
+			.where(eq(aktis.id, event.params.aktiId));
+
+		if (!akti || akti.length == 0) return error(404);
+		if (akti[0].author == user.id) return error(403);
+
+		const rating = (
+			await extractFormData(
+				event.request,
+				v.object({
+					comment: v.pipe(v.string(), v.minLength(5)),
+					rating: v.pipe(
+						v.string(),
+						v.transform((i) => Number.parseFloat(i)),
+						v.minValue(0),
+						v.maxValue(5)
+					)
+				})
+			)
+		).data;
+
+		if (!rating) return fail(400, { message: 'Invalid data' });
+
+		await db.insert(ratings).values({
+			...rating,
+			userId: user.id,
+			aktiId: event.params.aktiId,
+			aktiVersion: akti[0].version
+		});
+
+		return redirect(303, resolve(`/akti/[aktiId]`, { aktiId: event.params.aktiId }));
+	}
+} satisfies Actions;

src/routes/akti/[aktiId]/comment/+page.svelte

@@ -0,0 +1,10 @@
+<script lang="ts">
+	import RatingEditor from '$lib/components/rating/RatingEditor.svelte';
+</script>
+
+<RatingEditor
+	rating={{
+		comment: '',
+		rating: 5
+	}}
+/>