fix: admin panel — password rotation, vehicle edit DOM clash, nginx cache headers

frontend/admin.html

@@ -131,7 +131,7 @@
                 <div class="panel">
                     <h2 id="formTitle">Neues Fahrzeug</h2>
                     <form class="admin-form" id="vehicleForm">
-                        <input type="hidden" name="id" />
+                        <input type="hidden" name="vid" />
 
                         <div class="admin-photo-preview" id="photoPreview"></div>
                         <label>

frontend/admin.js

@@ -59,9 +59,12 @@ const state = {
 // AUTH FLOW
 // =========================================================================
 async function bootstrap() {
-    const { data } = await supabase.auth.getSession();
+    const { data: { session } } = await supabase.auth.getSession();
-    if (data?.session) {
+    if (session) {
-        await onAuthenticated(data.session.user);
+        // Always fetch fresh user from server so metadata (must_change_password) is current.
+        const { data: { user }, error } = await supabase.auth.getUser();
+        if (error || !user) { await supabase.auth.signOut(); show("login"); return; }
+        await onAuthenticated(user);
     } else {
         show("login");
     }
@@ -214,7 +217,7 @@ function loadForEdit(id) {
     const v = state.vehicleMap.get(id);
     if (!v) return;
     formTitle.textContent = `Fahrzeug bearbeiten · ${v.brand} ${v.model}`;
-    vehicleForm.id.value               = v.id;
+    vehicleForm.vid.value              = v.id;
     vehicleForm.brand.value            = v.brand;
     vehicleForm.model.value            = v.model;
     vehicleForm.power_hp.value         = v.power_hp;
@@ -235,7 +238,7 @@ function loadForEdit(id) {
 
 resetBtn.addEventListener("click", () => {
     vehicleForm.reset();
-    vehicleForm.id.value = "";
+    vehicleForm.vid.value = "";
     vehicleForm.is_active.checked = true;
     vehicleForm.sort_order.value = 100;
     vehicleForm.location.value = "Steiermark (TBD)";
@@ -269,15 +272,15 @@ vehicleForm.addEventListener("submit", async (e) => {
             photo_path:      state.currentPhotoPath,
             is_active:       !!fd.get("is_active"),
         };
-        const id = fd.get("id");
+        const vid = fd.get("vid");
-        const { error } = id
+        const { error } = vid
-            ? await supabase.from("vehicles").update(payload).eq("id", id)
+            ? await supabase.from("vehicles").update(payload).eq("id", vid)
             : await supabase.from("vehicles").insert(payload);
         if (error) throw error;
         formFeedback.textContent = "Gespeichert.";
         await loadVehicles();
         renderVehicles();
-        if (!id) resetBtn.click();
+        if (!vid) resetBtn.click();
     } catch (err) {
         formFeedback.className = "form-feedback error";
         formFeedback.textContent = err.message || String(err);

frontend/nginx.conf

@@ -13,10 +13,14 @@ server {
         try_files $uri $uri/ /index.html;
     }
 
-    # Static assets can be cached aggressively.
+    # Static assets: images/fonts can be cached, JS/CSS must revalidate.
-    location ~* \.(?:css|js|jpg|jpeg|png|webp|svg|ico|woff2?)$ {
+    location ~* \.(?:jpg|jpeg|png|webp|svg|ico|woff2?)$ {
         expires 7d;
         add_header Cache-Control "public";
         try_files $uri =404;
     }
+    location ~* \.(?:css|js)$ {
+        add_header Cache-Control "no-cache";
+        try_files $uri =404;
+    }
 }