Add multi-user support with export feature

- New users table (migration 004) with user_id on exercises, training_sets, sessions
- User CRUD endpoints (GET/POST /api/v1/users, DELETE /api/v1/users/{id})
- All existing endpoints scoped to X-User-ID header
- CSV export endpoint (GET /api/v1/export) for completed sessions
- UserGate in PageShell: blocks app until a user is selected
- Settings page for managing users (create, switch, delete)
- BottomNav/Sidebar updated with settings navigation
- Fix: nil pointer panic in handleDeleteUser on success path
- Fix: export download now uses fetch with X-User-ID header instead of window.location.href

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/internal/handler/exercise.go

@@ -7,10 +7,15 @@ import (
 )
 
 func (h *Handler) handleListExercises(w http.ResponseWriter, r *http.Request) {
+	uid, err := userID(r)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
 	muscleGroup := r.URL.Query().Get("muscle_group")
 	query := r.URL.Query().Get("q")
 
-	exercises, err := h.store.ListExercises(muscleGroup, query)
+	exercises, err := h.store.ListExercises(uid, muscleGroup, query)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "Fehler beim Laden der Übungen")
 		return
@@ -19,6 +24,12 @@ func (h *Handler) handleListExercises(w http.ResponseWriter, r *http.Request) {
 }
 
 func (h *Handler) handleCreateExercise(w http.ResponseWriter, r *http.Request) {
+	uid, err := userID(r)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
+
 	var req model.CreateExerciseRequest
 	if err := decodeJSON(r, &req); err != nil {
 		writeError(w, http.StatusBadRequest, "Ungültiger Request-Body")
@@ -29,7 +40,7 @@ func (h *Handler) handleCreateExercise(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	exercise, err := h.store.CreateExercise(&req)
+	exercise, err := h.store.CreateExercise(uid, &req)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "Fehler beim Erstellen der Übung")
 		return
@@ -38,6 +49,11 @@ func (h *Handler) handleCreateExercise(w http.ResponseWriter, r *http.Request) {
 }
 
 func (h *Handler) handleUpdateExercise(w http.ResponseWriter, r *http.Request) {
+	uid, err := userID(r)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
 	id, err := pathID(r, "id")
 	if err != nil {
 		writeError(w, http.StatusBadRequest, "Ungültige ID")
@@ -54,7 +70,7 @@ func (h *Handler) handleUpdateExercise(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	exercise, err := h.store.UpdateExercise(id, &req)
+	exercise, err := h.store.UpdateExercise(id, uid, &req)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "Fehler beim Aktualisieren der Übung")
 		return
@@ -67,13 +83,18 @@ func (h *Handler) handleUpdateExercise(w http.ResponseWriter, r *http.Request) {
 }
 
 func (h *Handler) handleDeleteExercise(w http.ResponseWriter, r *http.Request) {
+	uid, err := userID(r)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
 	id, err := pathID(r, "id")
 	if err != nil {
 		writeError(w, http.StatusBadRequest, "Ungültige ID")
 		return
 	}
 
-	err = h.store.SoftDeleteExercise(id)
+	err = h.store.SoftDeleteExercise(id, uid)
 	if err == sql.ErrNoRows {
 		writeError(w, http.StatusNotFound, "Übung nicht gefunden")
 		return

backend/internal/handler/export.go

@@ -0,0 +1,42 @@
+package handler
+
+import (
+	"encoding/csv"
+	"net/http"
+	"strconv"
+	"time"
+)
+
+// handleExport gibt alle Trainingsdaten eines Nutzers als CSV zurück.
+func (h *Handler) handleExport(w http.ResponseWriter, r *http.Request) {
+	uid, err := userID(r)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
+
+	rows, err := h.store.ExportLogs(uid)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "Export fehlgeschlagen")
+		return
+	}
+
+	filename := "training-export-" + time.Now().Format("2006-01-02") + ".csv"
+	w.Header().Set("Content-Type", "text/csv; charset=utf-8")
+	w.Header().Set("Content-Disposition", "attachment; filename=\""+filename+"\"")
+
+	cw := csv.NewWriter(w)
+	cw.Write([]string{"datum", "uebung", "satz", "gewicht_kg", "wiederholungen", "notiz"})
+
+	for _, row := range rows {
+		cw.Write([]string{
+			row.SessionStarted.Format("2006-01-02 15:04"),
+			row.ExerciseName,
+			strconv.Itoa(row.SetNumber),
+			strconv.FormatFloat(row.WeightKg, 'f', 2, 64),
+			strconv.Itoa(row.Reps),
+			row.Note,
+		})
+	}
+	cw.Flush()
+}

backend/internal/handler/handler.go

@@ -2,6 +2,7 @@ package handler
 
 import (
 	"encoding/json"
+	"errors"
 	"krafttrainer/internal/store"
 	"net/http"
 	"strconv"
@@ -19,6 +20,11 @@ func New(store *store.Store) *Handler {
 
 // RegisterRoutes registriert alle API-Routen am ServeMux.
 func (h *Handler) RegisterRoutes(mux *http.ServeMux) {
+	// Users (kein X-User-ID Header nötig)
+	mux.HandleFunc("GET /api/v1/users", h.handleListUsers)
+	mux.HandleFunc("POST /api/v1/users", h.handleCreateUser)
+	mux.HandleFunc("DELETE /api/v1/users/{id}", h.handleDeleteUser)
+
 	// Exercises
 	mux.HandleFunc("GET /api/v1/exercises", h.handleListExercises)
 	mux.HandleFunc("POST /api/v1/exercises", h.handleCreateExercise)
@@ -46,6 +52,9 @@ func (h *Handler) RegisterRoutes(mux *http.ServeMux) {
 	mux.HandleFunc("GET /api/v1/exercises/{id}/last-log", h.handleGetLastLog)
 	mux.HandleFunc("GET /api/v1/exercises/{id}/history", h.handleGetExerciseHistory)
 	mux.HandleFunc("GET /api/v1/stats/overview", h.handleGetStatsOverview)
+
+	// Export
+	mux.HandleFunc("GET /api/v1/export", h.handleExport)
 }
 
 // --- Hilfsfunktionen ---
@@ -81,3 +90,16 @@ func queryInt(r *http.Request, name string, defaultVal int) int {
 	}
 	return n
 }
+
+// userID liest die X-User-ID aus dem Request-Header.
+func userID(r *http.Request) (int64, error) {
+	v := r.Header.Get("X-User-ID")
+	if v == "" {
+		return 0, errors.New("X-User-ID Header fehlt")
+	}
+	id, err := strconv.ParseInt(v, 10, 64)
+	if err != nil || id <= 0 {
+		return 0, errors.New("ungültige User-ID")
+	}
+	return id, nil
+}

backend/internal/handler/session.go

@@ -8,6 +8,12 @@ import (
 )
 
 func (h *Handler) handleCreateSession(w http.ResponseWriter, r *http.Request) {
+	uid, err := userID(r)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
+
 	var req model.CreateSessionRequest
 	if err := decodeJSON(r, &req); err != nil {
 		writeError(w, http.StatusBadRequest, "Ungültiger Request-Body")
@@ -18,7 +24,7 @@ func (h *Handler) handleCreateSession(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	session, err := h.store.CreateSession(req.SetID)
+	session, err := h.store.CreateSession(uid, req.SetID)
 	if err != nil {
 		if strings.Contains(err.Error(), "existiert nicht") {
 			writeError(w, http.StatusBadRequest, err.Error())
@@ -31,10 +37,15 @@ func (h *Handler) handleCreateSession(w http.ResponseWriter, r *http.Request) {
 }
 
 func (h *Handler) handleListSessions(w http.ResponseWriter, r *http.Request) {
+	uid, err := userID(r)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
 	limit := queryInt(r, "limit", 20)
 	offset := queryInt(r, "offset", 0)
 
-	sessions, err := h.store.ListSessions(limit, offset)
+	sessions, err := h.store.ListSessions(uid, limit, offset)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "Fehler beim Laden der Sessions")
 		return
@@ -62,6 +73,11 @@ func (h *Handler) handleGetSession(w http.ResponseWriter, r *http.Request) {
 }
 
 func (h *Handler) handleEndSession(w http.ResponseWriter, r *http.Request) {
+	uid, err := userID(r)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
 	id, err := pathID(r, "id")
 	if err != nil {
 		writeError(w, http.StatusBadRequest, "Ungültige ID")
@@ -71,10 +87,9 @@ func (h *Handler) handleEndSession(w http.ResponseWriter, r *http.Request) {
 	var body struct {
 		Note string `json:"note"`
 	}
-	// Body ist optional
 	decodeJSON(r, &body)
 
-	session, err := h.store.EndSession(id, body.Note)
+	session, err := h.store.EndSession(id, uid, body.Note)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "Fehler beim Beenden der Session")
 		return

backend/internal/handler/stats.go

@@ -3,13 +3,18 @@ package handler
 import "net/http"
 
 func (h *Handler) handleGetLastLog(w http.ResponseWriter, r *http.Request) {
+	uid, err := userID(r)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
 	id, err := pathID(r, "id")
 	if err != nil {
 		writeError(w, http.StatusBadRequest, "Ungültige ID")
 		return
 	}
 
-	lastLog, err := h.store.GetLastLog(id)
+	lastLog, err := h.store.GetLastLog(id, uid)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "Fehler beim Laden des letzten Logs")
 		return
@@ -22,6 +27,11 @@ func (h *Handler) handleGetLastLog(w http.ResponseWriter, r *http.Request) {
 }
 
 func (h *Handler) handleGetExerciseHistory(w http.ResponseWriter, r *http.Request) {
+	uid, err := userID(r)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
 	id, err := pathID(r, "id")
 	if err != nil {
 		writeError(w, http.StatusBadRequest, "Ungültige ID")
@@ -29,7 +39,7 @@ func (h *Handler) handleGetExerciseHistory(w http.ResponseWriter, r *http.Reques
 	}
 	limit := queryInt(r, "limit", 30)
 
-	logs, err := h.store.GetExerciseHistory(id, limit)
+	logs, err := h.store.GetExerciseHistory(id, uid, limit)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "Fehler beim Laden der Übungshistorie")
 		return
@@ -38,7 +48,13 @@ func (h *Handler) handleGetExerciseHistory(w http.ResponseWriter, r *http.Reques
 }
 
 func (h *Handler) handleGetStatsOverview(w http.ResponseWriter, r *http.Request) {
-	overview, err := h.store.GetStatsOverview()
+	uid, err := userID(r)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
+
+	overview, err := h.store.GetStatsOverview(uid)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "Fehler beim Laden der Statistiken")
 		return

backend/internal/handler/training_set.go

@@ -8,7 +8,13 @@ import (
 )
 
 func (h *Handler) handleListSets(w http.ResponseWriter, r *http.Request) {
-	sets, err := h.store.ListSets()
+	uid, err := userID(r)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
+
+	sets, err := h.store.ListSets(uid)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "Fehler beim Laden der Sets")
 		return
@@ -17,6 +23,12 @@ func (h *Handler) handleListSets(w http.ResponseWriter, r *http.Request) {
 }
 
 func (h *Handler) handleCreateSet(w http.ResponseWriter, r *http.Request) {
+	uid, err := userID(r)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
+
 	var req model.CreateSetRequest
 	if err := decodeJSON(r, &req); err != nil {
 		writeError(w, http.StatusBadRequest, "Ungültiger Request-Body")
@@ -27,7 +39,7 @@ func (h *Handler) handleCreateSet(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	set, err := h.store.CreateSet(&req)
+	set, err := h.store.CreateSet(uid, &req)
 	if err != nil {
 		if strings.Contains(err.Error(), "existiert nicht") {
 			writeError(w, http.StatusBadRequest, err.Error())
@@ -40,6 +52,11 @@ func (h *Handler) handleCreateSet(w http.ResponseWriter, r *http.Request) {
 }
 
 func (h *Handler) handleUpdateSet(w http.ResponseWriter, r *http.Request) {
+	uid, err := userID(r)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
 	id, err := pathID(r, "id")
 	if err != nil {
 		writeError(w, http.StatusBadRequest, "Ungültige ID")
@@ -56,7 +73,7 @@ func (h *Handler) handleUpdateSet(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	set, err := h.store.UpdateSet(id, &req)
+	set, err := h.store.UpdateSet(id, uid, &req)
 	if err != nil {
 		if strings.Contains(err.Error(), "existiert nicht") {
 			writeError(w, http.StatusBadRequest, err.Error())
@@ -73,13 +90,18 @@ func (h *Handler) handleUpdateSet(w http.ResponseWriter, r *http.Request) {
 }
 
 func (h *Handler) handleDeleteSet(w http.ResponseWriter, r *http.Request) {
+	uid, err := userID(r)
+	if err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
 	id, err := pathID(r, "id")
 	if err != nil {
 		writeError(w, http.StatusBadRequest, "Ungültige ID")
 		return
 	}
 
-	err = h.store.SoftDeleteSet(id)
+	err = h.store.SoftDeleteSet(id, uid)
 	if err == sql.ErrNoRows {
 		writeError(w, http.StatusNotFound, "Set nicht gefunden")
 		return

backend/internal/handler/user.go

@@ -0,0 +1,59 @@
+package handler
+
+import (
+	"database/sql"
+	"krafttrainer/internal/model"
+	"net/http"
+	"strings"
+)
+
+func (h *Handler) handleListUsers(w http.ResponseWriter, r *http.Request) {
+	users, err := h.store.ListUsers()
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "Fehler beim Laden der Nutzer")
+		return
+	}
+	writeJSON(w, http.StatusOK, users)
+}
+
+func (h *Handler) handleCreateUser(w http.ResponseWriter, r *http.Request) {
+	var req model.CreateUserRequest
+	if err := decodeJSON(r, &req); err != nil {
+		writeError(w, http.StatusBadRequest, "Ungültiger Request-Body")
+		return
+	}
+	if err := req.Validate(); err != nil {
+		writeError(w, http.StatusBadRequest, err.Error())
+		return
+	}
+
+	user, err := h.store.CreateUser(req.Name)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "Fehler beim Erstellen des Nutzers")
+		return
+	}
+	writeJSON(w, http.StatusCreated, user)
+}
+
+func (h *Handler) handleDeleteUser(w http.ResponseWriter, r *http.Request) {
+	id, err := pathID(r, "id")
+	if err != nil {
+		writeError(w, http.StatusBadRequest, "Ungültige ID")
+		return
+	}
+
+	err = h.store.DeleteUser(id)
+	if err != nil {
+		if err == sql.ErrNoRows {
+			writeError(w, http.StatusNotFound, "Nutzer nicht gefunden")
+			return
+		}
+		if strings.Contains(err.Error(), "LAST_USER") {
+			writeError(w, http.StatusConflict, "Der letzte Nutzer kann nicht gelöscht werden")
+			return
+		}
+		writeError(w, http.StatusInternalServerError, "Fehler beim Löschen des Nutzers")
+		return
+	}
+	w.WriteHeader(http.StatusNoContent)
+}