npm - @manyos/smileconnect-api - Versions diffs - 1.72.3 → 1.72.4 - Mend

@manyos/smileconnect-api 1.72.3 → 1.72.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/.claude/settings.local.json +9 -0
package/README.md +202 -1
package/docs/releases.md +3 -0
package/package.json +1 -1
package/todo.md +137 -0

package/.claude/settings.local.json ADDED Viewed

@@ -0,0 +1,9 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(cat:*)",
+      "Bash(find:*)",
+      "Bash(xargs ls:*)"
+    ]
+  }
+}

package/README.md CHANGED Viewed

@@ -1 +1,202 @@
-The documentation can be found here: <https://smileconnect.manyosdocs.de>
+# SMILEconnect API
+A REST API proxy and abstraction layer for BMC HELIX ITSM (IT Service Management).
+## Overview
+SMILEconnect serves as a middleware/API gateway between external systems and BMC Remedy ITSM. It enables rapid interface creation and management for ITSM departments through a configuration-driven approach with minimal customization to the underlying ITSM system.
+**Version:** 1.72.3
+## Key Features
+- **Ticket Management** - Full CRUD operations for Incidents, Changes, Problems, and Work Orders
+- **Task Management** - Create and manage tasks linked to parent tickets
+- **CMDB Integration** - Query, create, and update Configuration Items/Assets
+- **Organizational Data** - Manage persons, support groups, and organizations
+- **Custom Scripts** - Execute custom business logic via sandboxed JavaScript (vm2)
+- **Multi-Tenant** - Support for multiple clients with isolated configurations
+- **Template Management** - Store and retrieve templates for various ticket types
+- **Work Logs & Attachments** - Attach work logs and files to tickets
+## Technology Stack
+| Component | Technology |
+|-----------|------------|
+| Runtime | Node.js 21+ |
+| Framework | Express.js 4.17.1 |
+| Authentication | Passport.js with JWT |
+| Logging | Bunyan + @manyos/logger |
+| HTTP Client | request-promise-native, node-fetch |
+| Caching | node-cache |
+| Script Execution | vm2 (sandboxed JS) |
+| Testing | Mocha, Chai |
+## Project Structure
+```
+itsmproxy/
+├── app.js                    # Main entry point (Express server)
+├── package.json              # Dependencies and metadata
+├── Dockerfile                # Docker configuration (Node.js 21)
+│
+├── controller/               # Business logic layer (12 controllers)
+│   ├── ticketController.js       # Incidents, Changes, Problems, WorkOrders
+│   ├── taskController.js         # Task management
+│   ├── cmdbobjectController.js   # CMDB/Asset operations
+│   ├── scriptController.js       # Custom script execution
+│   └── ...
+│
+├── routes/                   # Express route handlers (14 route files)
+│   ├── ticketRoutes.js
+│   ├── cmdbObjectRoutes.js
+│   ├── personRoutes.js
+│   └── ...
+│
+├── util/                     # Utilities and services
+│   ├── config.js             # Client configuration loading
+│   ├── arquery.js            # BMC AR Query abstraction
+│   ├── mappingUtil.js        # Field mapping utilities
+│   ├── cache.service.js      # In-memory caching
+│   └── ...
+│
+├── conf/                     # Configuration files
+│   ├── clients.json          # Client configurations (multi-tenant)
+│   ├── mapping.json          # Field mappings
+│   ├── customFormMapping.json
+│   ├── adapterConfig.js      # Adapter configuration
+│   └── scripts/              # Custom business logic scripts (27+)
+│
+├── test/                     # Test suite (Mocha/Chai)
+└── docs/                     # Documentation
+```
+## API Endpoints
+| Endpoint | Description |
+|----------|-------------|
+| `GET /v1/health` | Health check |
+| `GET/POST /v1/incidents` | Incident management |
+| `GET/POST /v1/changes` | Change management |
+| `GET/POST /v1/problems` | Problem management |
+| `GET/POST /v1/workorders` | Work order management |
+| `GET/POST /v1/cmdbobjects` | CMDB/Asset management |
+| `GET /v1/persons` | Person queries |
+| `GET /v1/supportgroups` | Support group queries |
+| `GET /v1/organisations` | Organization queries |
+| `POST /v1/scriptEndpoints/:name` | Execute custom script |
+| `GET /v1/openapi/:clientId` | OpenAPI specification |
+## Authentication
+- **JWT Bearer Token** via Authorization header
+- **SSO Integration** (Keycloak/OAuth2)
+- **Client-based Authorization** - Each client has isolated configuration
+- **Admin Authorization** via `ADMIN_USERS` environment variable
+- **Master Client** - Can impersonate other clients
+- **Rate Limiting** - 10,000 requests per 15 minutes (configurable)
+## Data Flow
+```
+Client Request (JWT Token)
+    ↓
+Express Middleware (Auth, Rate Limit, CORS)
+    ↓
+Route Handler → Controller
+    ↓
+Pre-Mapping Scripts (optional)
+    ↓
+Field Mapping (API → Remedy)
+    ↓
+Post-Mapping Scripts (optional)
+    ↓
+AR Query (BMC Remedy REST API)
+    ↓
+Response Processing & Reverse Mapping
+    ↓
+JSON Response
+```
+## Configuration
+### Environment Variables
+**Authentication:**
+- `SSO_PUBLIC_KEY` - JWT Public Key
+- `SSO_ISSUER` - JWT Issuer
+- `SSO_AUDIENCE` - JWT Audience
+- `SSO_CLIENTNAME_ATTRIBUTE` - JWT claim for client ID (default: "azp")
+- `SSO_USERNAME_ATTRIBUTE` - JWT claim for username (default: "preferred_username")
+**Remedy Connection:**
+- `AR_SERVER` - BMC Remedy AR Server host
+- `AR_PORT` - AR Server port
+- `AR_USER` - AR Server user
+- `AR_PASSWORD` - AR Server password
+- `BASEURL` - Remedy API base URL
+**Application:**
+- `RATE_LIMIT` - Rate limit per 15 minutes (default: 10000)
+- `MAX_FILESIZE` - Max upload size in MB (default: 5)
+- `MAX_HTTP_SOCKETS` - Maximum HTTP connections (default: 10)
+- `LOGLEVEL` - Log level (debug/info/warn/error)
+- `LOG_REQUEST` - Enable request logging (boolean)
+**Cache TTL (in seconds):**
+- `CACHETTL_CMDB`, `CACHETTL_TICKETS`, `CACHETTL_TASK`
+- `CACHETTL_CHANGE`, `CACHETTL_PEOPLE`, `CACHETTL_ORGDATA`
+- `CACHETTL_TEMPLATE`, `CACHETTL_CONFIG` (default: 3600)
+**Authorization:**
+- `ADMIN_USERS` - Comma-separated list of admin usernames
+- `MASTER_CLIENTS` - Comma-separated list of master client IDs
+## Quick Start
+### Prerequisites
+- Node.js 21+
+- Access to BMC Remedy ITSM
+- SSO/Keycloak configuration
+### Installation
+```bash
+npm install
+```
+### Running
+```bash
+# Development
+npm start
+# Docker
+docker build -t smileconnect-api .
+docker run -p 3000:3000 smileconnect-api
+```
+### Testing
+```bash
+npm test
+```
+## Documentation
+Full documentation is available at: <https://smileconnect.manyosdocs.de>
+- [Architecture](docs/architecture.md)
+- [Adapter Documentation](docs/adapter.md)
+- [Script System](docs/scripts.md)
+- [Getting Started](docs/getting-started/)
+- [How-To Guides](docs/howto/)
+- [Configuration](docs/configuration/)
+## Author
+Robert Hannemann
+## License
+ISC

package/docs/releases.md CHANGED Viewed

@@ -239,6 +239,9 @@ e.g.
 */v1/incidents?impersonateUser=abc123
 ## Event Manager
+### 1.37.1 - 21.01.26
+Add instanceid to eventdata.
 ### 1.37.0 - 15.01.25
 Add instanceid to eventdata.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@manyos/smileconnect-api",
-  "version": "1.72.3",
+  "version": "1.72.4",
   "description": "A proxy and abstraction layer for BMCs IT Service Management Suite",
   "main": "app.js",
   "scripts": {

package/todo.md ADDED Viewed

@@ -0,0 +1,137 @@
+# SMILEconnect API - TODO
+## Phase 1: Stabilität (Kritisch)
+### 1.1 Deprecated Dependencies ersetzen
+- [ ] `request` / `request-promise-native` durch `axios` ersetzen
+  - Dateien: `util/arquery.js`, `controller/scriptController.js`
+- [ ] `vm2` durch `isolated-vm` ersetzen (Sicherheitslücken)
+  - Dateien: `controller/scriptController.js`
+- [ ] `uuid@3` auf `uuid@9` upgraden
+- [ ] `mongoose@5` auf `mongoose@8` upgraden
+- [ ] `socket.io@2` auf `socket.io@4` upgraden
+### 1.2 Security Headers
+- [ ] `helmet.js` integrieren für Security Headers
+  - Content-Security-Policy
+  - X-Content-Type-Options
+  - Strict-Transport-Security
+  - X-Frame-Options
+### 1.3 Offene TODOs im Code
+- [ ] `app.js:142-143` - Config error abfangen, AdminScope implementieren
+- [ ] `ticketController.js:130, 327` - Code-Cleanup
+- [ ] `taskController.js:189` - Phase handling für Records ohne Phases
+- [ ] `taskController.js:273` - Attachment handling hinzufügen
+- [ ] `taskController.js:421` - Scripts aktivieren
+- [ ] `ticketCIRelationController.js:181, 221` - Impersonate implementieren
+- [ ] `scriptController.js:76` - Script nur einmal hinzufügen
+- [ ] `scriptController.js:119` - Timeout hinzufügen
+- [ ] `ticketWorkLogController.js:52` - Ticket-Existenz prüfen
+- [ ] `arquery.js:185` - Impersonate hinzufügen
+---
+## Phase 2: Performance
+### 2.1 Distributed Caching
+- [ ] Redis-Integration für verteiltes Caching
+- [ ] Fallback auf in-memory wenn Redis nicht verfügbar
+- [ ] Cache-Invalidierung über Pub/Sub
+### 2.2 Rate Limiting pro Client
+- [ ] Rate Limit basierend auf JWT clientId statt nur IP
+- [ ] Konfigurierbare Limits pro Client in `clients.json`
+### 2.3 Connection Pooling
+- [ ] Separate Pools für verschiedene Backend-Services
+- [ ] Keep-Alive Connections optimieren
+- [ ] HTTP/2 Support für Remedy-Backend evaluieren
+### 2.4 Health Check erweitern
+- [ ] Dependency-Status hinzufügen (Remedy, MongoDB, Redis)
+- [ ] Latenz-Metriken
+- [ ] Version und Uptime
+---
+## Phase 3: Developer Experience
+### 3.1 Strukturierte Error Responses
+- [ ] RFC 7807 Problem Details Format implementieren
+- [ ] Einheitliche Error-Struktur über alle Endpoints
+- [ ] Datei: `util/responsehandler.js`
+### 3.2 Test Coverage
+- [ ] Jest für Unit Tests einführen
+- [ ] Coverage Report (Ziel: 80%)
+- [ ] Testcontainers für Integration Tests
+### 3.3 OpenAPI Auto-Generation
+- [ ] swagger-jsdoc integrieren
+- [ ] OpenAPI 3.1 Upgrade
+- [ ] Validierung gegen Schema
+### 3.4 Prometheus Metrics
+- [ ] `prom-client` integrieren
+- [ ] Request Duration Histogram
+- [ ] Request Counter (by endpoint, status)
+- [ ] Cache Hit/Miss Rate
+- [ ] Endpoint: `GET /metrics`
+---
+## Phase 4: Neue Features
+### 4.1 Webhook/Event System
+- [ ] Webhook-Registrierung pro Client
+- [ ] Events: ticket.created, ticket.updated, ticket.resolved
+- [ ] Retry-Logik mit exponential backoff
+- [ ] Signature Verification
+### 4.2 Batch-Operationen
+- [ ] `POST /v1/incidents/batch` Endpoint
+- [ ] Bulk-Create und Bulk-Update
+- [ ] Transaktionale Verarbeitung
+### 4.3 API Key Authentifizierung
+- [ ] API Keys als Alternative zu JWT
+- [ ] Key Rotation
+- [ ] Scope-basierte Berechtigungen
+### 4.4 Audit Trail
+- [ ] Alle Änderungen in Audit-Log speichern
+- [ ] `GET /v1/{type}/{id}/history` Endpoint
+- [ ] Wer hat wann was geändert
+---
+## Phase 5: Strategisch
+### 5.1 TypeScript Migration
+- [ ] TypeScript-Konfiguration aufsetzen
+- [ ] Schrittweise Migration (util/ zuerst)
+- [ ] Type Definitions für alle Entities
+### 5.2 GraphQL API (Optional)
+- [ ] Apollo Server evaluieren
+- [ ] Schema Design
+- [ ] Parallel zu REST API
+---
+## Notizen
+**Priorität:** Phase 1 > Phase 2 > Phase 3 > Phase 4 > Phase 5
+**Kritische Sicherheitsprobleme:**
+- `vm2` hat bekannte Sandbox-Escape-Vulnerabilities
+- `request` ist deprecated und erhält keine Security-Updates mehr
+**Deprecated Dependencies in package-lock.json:**
+- debug (ReDos vulnerability)
+- glob (versions prior to v9)
+- mkdirp (legacy versions)
+- rimraf (versions prior to v4)
+- superagent (upgrade recommended)
+- uuid (Math.random() issue in v3)