@manyos/smileconnect-api 1.72.3 → 1.73.0

package/.claude/settings.local.json

@@ -0,0 +1,9 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(cat:*)",
+      "Bash(find:*)",
+      "Bash(xargs ls:*)"
+    ]
+  }
+}

package/README.md

@@ -1 +1,202 @@
-The documentation can be found here: <https://smileconnect.manyosdocs.de>
+# SMILEconnect API
+
+A REST API proxy and abstraction layer for BMC HELIX ITSM (IT Service Management).
+
+## Overview
+
+SMILEconnect serves as a middleware/API gateway between external systems and BMC Remedy ITSM. It enables rapid interface creation and management for ITSM departments through a configuration-driven approach with minimal customization to the underlying ITSM system.
+
+**Version:** 1.72.3
+
+## Key Features
+
+- **Ticket Management** - Full CRUD operations for Incidents, Changes, Problems, and Work Orders
+- **Task Management** - Create and manage tasks linked to parent tickets
+- **CMDB Integration** - Query, create, and update Configuration Items/Assets
+- **Organizational Data** - Manage persons, support groups, and organizations
+- **Custom Scripts** - Execute custom business logic via sandboxed JavaScript (vm2)
+- **Multi-Tenant** - Support for multiple clients with isolated configurations
+- **Template Management** - Store and retrieve templates for various ticket types
+- **Work Logs & Attachments** - Attach work logs and files to tickets
+
+## Technology Stack
+
+| Component | Technology |
+|-----------|------------|
+| Runtime | Node.js 21+ |
+| Framework | Express.js 4.17.1 |
+| Authentication | Passport.js with JWT |
+| Logging | Bunyan + @manyos/logger |
+| HTTP Client | request-promise-native, node-fetch |
+| Caching | node-cache |
+| Script Execution | vm2 (sandboxed JS) |
+| Testing | Mocha, Chai |
+
+## Project Structure
+
+```
+itsmproxy/
+├── app.js                    # Main entry point (Express server)
+├── package.json              # Dependencies and metadata
+├── Dockerfile                # Docker configuration (Node.js 21)
+│
+├── controller/               # Business logic layer (12 controllers)
+│   ├── ticketController.js       # Incidents, Changes, Problems, WorkOrders
+│   ├── taskController.js         # Task management
+│   ├── cmdbobjectController.js   # CMDB/Asset operations
+│   ├── scriptController.js       # Custom script execution
+│   └── ...
+│
+├── routes/                   # Express route handlers (14 route files)
+│   ├── ticketRoutes.js
+│   ├── cmdbObjectRoutes.js
+│   ├── personRoutes.js
+│   └── ...
+│
+├── util/                     # Utilities and services
+│   ├── config.js             # Client configuration loading
+│   ├── arquery.js            # BMC AR Query abstraction
+│   ├── mappingUtil.js        # Field mapping utilities
+│   ├── cache.service.js      # In-memory caching
+│   └── ...
+│
+├── conf/                     # Configuration files
+│   ├── clients.json          # Client configurations (multi-tenant)
+│   ├── mapping.json          # Field mappings
+│   ├── customFormMapping.json
+│   ├── adapterConfig.js      # Adapter configuration
+│   └── scripts/              # Custom business logic scripts (27+)
+│
+├── test/                     # Test suite (Mocha/Chai)
+└── docs/                     # Documentation
+```
+
+## API Endpoints
+
+| Endpoint | Description |
+|----------|-------------|
+| `GET /v1/health` | Health check |
+| `GET/POST /v1/incidents` | Incident management |
+| `GET/POST /v1/changes` | Change management |
+| `GET/POST /v1/problems` | Problem management |
+| `GET/POST /v1/workorders` | Work order management |
+| `GET/POST /v1/cmdbobjects` | CMDB/Asset management |
+| `GET /v1/persons` | Person queries |
+| `GET /v1/supportgroups` | Support group queries |
+| `GET /v1/organisations` | Organization queries |
+| `POST /v1/scriptEndpoints/:name` | Execute custom script |
+| `GET /v1/openapi/:clientId` | OpenAPI specification |
+
+## Authentication
+
+- **JWT Bearer Token** via Authorization header
+- **SSO Integration** (Keycloak/OAuth2)
+- **Client-based Authorization** - Each client has isolated configuration
+- **Admin Authorization** via `ADMIN_USERS` environment variable
+- **Master Client** - Can impersonate other clients
+- **Rate Limiting** - 10,000 requests per 15 minutes (configurable)
+
+## Data Flow
+
+```
+Client Request (JWT Token)
+    ↓
+Express Middleware (Auth, Rate Limit, CORS)
+    ↓
+Route Handler → Controller
+    ↓
+Pre-Mapping Scripts (optional)
+    ↓
+Field Mapping (API → Remedy)
+    ↓
+Post-Mapping Scripts (optional)
+    ↓
+AR Query (BMC Remedy REST API)
+    ↓
+Response Processing & Reverse Mapping
+    ↓
+JSON Response
+```
+
+## Configuration
+
+### Environment Variables
+
+**Authentication:**
+- `SSO_PUBLIC_KEY` - JWT Public Key
+- `SSO_ISSUER` - JWT Issuer
+- `SSO_AUDIENCE` - JWT Audience
+- `SSO_CLIENTNAME_ATTRIBUTE` - JWT claim for client ID (default: "azp")
+- `SSO_USERNAME_ATTRIBUTE` - JWT claim for username (default: "preferred_username")
+
+**Remedy Connection:**
+- `AR_SERVER` - BMC Remedy AR Server host
+- `AR_PORT` - AR Server port
+- `AR_USER` - AR Server user
+- `AR_PASSWORD` - AR Server password
+- `BASEURL` - Remedy API base URL
+
+**Application:**
+- `RATE_LIMIT` - Rate limit per 15 minutes (default: 10000)
+- `MAX_FILESIZE` - Max upload size in MB (default: 5)
+- `MAX_HTTP_SOCKETS` - Maximum HTTP connections (default: 10)
+- `LOGLEVEL` - Log level (debug/info/warn/error)
+- `LOG_REQUEST` - Enable request logging (boolean)
+
+**Cache TTL (in seconds):**
+- `CACHETTL_CMDB`, `CACHETTL_TICKETS`, `CACHETTL_TASK`
+- `CACHETTL_CHANGE`, `CACHETTL_PEOPLE`, `CACHETTL_ORGDATA`
+- `CACHETTL_TEMPLATE`, `CACHETTL_CONFIG` (default: 3600)
+
+**Authorization:**
+- `ADMIN_USERS` - Comma-separated list of admin usernames
+- `MASTER_CLIENTS` - Comma-separated list of master client IDs
+
+## Quick Start
+
+### Prerequisites
+- Node.js 21+
+- Access to BMC Remedy ITSM
+- SSO/Keycloak configuration
+
+### Installation
+
+```bash
+npm install
+```
+
+### Running
+
+```bash
+# Development
+npm start
+
+# Docker
+docker build -t smileconnect-api .
+docker run -p 3000:3000 smileconnect-api
+```
+
+### Testing
+
+```bash
+npm test
+```
+
+## Documentation
+
+Full documentation is available at: <https://smileconnect.manyosdocs.de>
+
+- [Architecture](docs/architecture.md)
+- [Adapter Documentation](docs/adapter.md)
+- [Script System](docs/scripts.md)
+- [Getting Started](docs/getting-started/)
+- [How-To Guides](docs/howto/)
+- [Configuration](docs/configuration/)
+
+## Author
+
+Robert Hannemann
+
+## License
+
+ISC

package/docs/releases.md

@@ -1,7 +1,10 @@
 # Release Notes
 
 ## API
-### 1.72.3 - 20.01.26
+### 1.73.0 - 28.04.26
+Add detectMime flag to attachments & attachments to dynamic openapi spec.
+
+### 1.72.4 - 18.03.26
 Improve connection handling on OAUTH2 Adapater & LDAP Adapter
 
 ### 1.72.2 - 14.11.25
@@ -239,6 +242,9 @@ e.g.
 */v1/incidents?impersonateUser=abc123
 
 ## Event Manager
+### 1.37.1 - 21.01.26
+Add instanceid to eventdata.
+
 ### 1.37.0 - 15.01.25
 Add instanceid to eventdata.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@manyos/smileconnect-api",
-  "version": "1.72.3",
+  "version": "1.73.0",
   "description": "A proxy and abstraction layer for BMCs IT Service Management Suite",
   "main": "app.js",
   "scripts": {
@@ -27,8 +27,10 @@
     "express-request-id": "^1.4.1",
     "express-validator": "^6.10.1",
     "fast-xml-parser": "^3.20.3",
+    "file-type": "^16.5.4",
     "https-proxy-agent": "^5.0.1",
     "jsonwebtoken": "^9.0.2",
+    "mime-types": "^2.1.35",
     "moment": "^2.29.1",
     "mongoose": "^5.12.5",
     "node-cache": "^4.2.1",

package/test/incidentTest.js

@@ -362,6 +362,19 @@ describe('Integration Tests - Incidents', function () {
                 })
         })
 
+        it('it should detect image/png when detectMime=true', function (done) {
+            this.timeout(5000);
+            chai.request(server)
+                .get(attachmentUrl + '?detectMime=true')
+                .set('Authorization', 'Bearer ' + authUser.access_token)
+                .end(function (err, res) {
+                    res.should.have.status(200);
+                    res.should.have.header('content-type', 'image/png');
+                    res.should.have.header('content-disposition', 'attachment; filename=logo.png');
+                    done();
+                })
+        })
+
 
         it ('it should get all incident worklogs', function (done) {
             this.timeout(5000);

package/test/testUtils.js

@@ -4,7 +4,7 @@ const expect = chai.expect;
 this.authenticateUser = (user, app) =>
     new Promise((resolve, reject) => {
         chai.request('https://sso.manyos.it')
-            .post('/auth/realms/itsmproxy/protocol/openid-connect/token')
+            .post('/realms/itsmproxy/protocol/openid-connect/token')
             .auth(user.id, user.secret)
             .type('form')
             .send({

package/todo.md

@@ -0,0 +1,137 @@
+# SMILEconnect API - TODO
+
+## Phase 1: Stabilität (Kritisch)
+
+### 1.1 Deprecated Dependencies ersetzen
+- [ ] `request` / `request-promise-native` durch `axios` ersetzen
+  - Dateien: `util/arquery.js`, `controller/scriptController.js`
+- [ ] `vm2` durch `isolated-vm` ersetzen (Sicherheitslücken)
+  - Dateien: `controller/scriptController.js`
+- [ ] `uuid@3` auf `uuid@9` upgraden
+- [ ] `mongoose@5` auf `mongoose@8` upgraden
+- [ ] `socket.io@2` auf `socket.io@4` upgraden
+
+### 1.2 Security Headers
+- [ ] `helmet.js` integrieren für Security Headers
+  - Content-Security-Policy
+  - X-Content-Type-Options
+  - Strict-Transport-Security
+  - X-Frame-Options
+
+### 1.3 Offene TODOs im Code
+- [ ] `app.js:142-143` - Config error abfangen, AdminScope implementieren
+- [ ] `ticketController.js:130, 327` - Code-Cleanup
+- [ ] `taskController.js:189` - Phase handling für Records ohne Phases
+- [ ] `taskController.js:273` - Attachment handling hinzufügen
+- [ ] `taskController.js:421` - Scripts aktivieren
+- [ ] `ticketCIRelationController.js:181, 221` - Impersonate implementieren
+- [ ] `scriptController.js:76` - Script nur einmal hinzufügen
+- [ ] `scriptController.js:119` - Timeout hinzufügen
+- [ ] `ticketWorkLogController.js:52` - Ticket-Existenz prüfen
+- [ ] `arquery.js:185` - Impersonate hinzufügen
+
+---
+
+## Phase 2: Performance
+
+### 2.1 Distributed Caching
+- [ ] Redis-Integration für verteiltes Caching
+- [ ] Fallback auf in-memory wenn Redis nicht verfügbar
+- [ ] Cache-Invalidierung über Pub/Sub
+
+### 2.2 Rate Limiting pro Client
+- [ ] Rate Limit basierend auf JWT clientId statt nur IP
+- [ ] Konfigurierbare Limits pro Client in `clients.json`
+
+### 2.3 Connection Pooling
+- [ ] Separate Pools für verschiedene Backend-Services
+- [ ] Keep-Alive Connections optimieren
+- [ ] HTTP/2 Support für Remedy-Backend evaluieren
+
+### 2.4 Health Check erweitern
+- [ ] Dependency-Status hinzufügen (Remedy, MongoDB, Redis)
+- [ ] Latenz-Metriken
+- [ ] Version und Uptime
+
+---
+
+## Phase 3: Developer Experience
+
+### 3.1 Strukturierte Error Responses
+- [ ] RFC 7807 Problem Details Format implementieren
+- [ ] Einheitliche Error-Struktur über alle Endpoints
+- [ ] Datei: `util/responsehandler.js`
+
+### 3.2 Test Coverage
+- [ ] Jest für Unit Tests einführen
+- [ ] Coverage Report (Ziel: 80%)
+- [ ] Testcontainers für Integration Tests
+
+### 3.3 OpenAPI Auto-Generation
+- [ ] swagger-jsdoc integrieren
+- [ ] OpenAPI 3.1 Upgrade
+- [ ] Validierung gegen Schema
+
+### 3.4 Prometheus Metrics
+- [ ] `prom-client` integrieren
+- [ ] Request Duration Histogram
+- [ ] Request Counter (by endpoint, status)
+- [ ] Cache Hit/Miss Rate
+- [ ] Endpoint: `GET /metrics`
+
+---
+
+## Phase 4: Neue Features
+
+### 4.1 Webhook/Event System
+- [ ] Webhook-Registrierung pro Client
+- [ ] Events: ticket.created, ticket.updated, ticket.resolved
+- [ ] Retry-Logik mit exponential backoff
+- [ ] Signature Verification
+
+### 4.2 Batch-Operationen
+- [ ] `POST /v1/incidents/batch` Endpoint
+- [ ] Bulk-Create und Bulk-Update
+- [ ] Transaktionale Verarbeitung
+
+### 4.3 API Key Authentifizierung
+- [ ] API Keys als Alternative zu JWT
+- [ ] Key Rotation
+- [ ] Scope-basierte Berechtigungen
+
+### 4.4 Audit Trail
+- [ ] Alle Änderungen in Audit-Log speichern
+- [ ] `GET /v1/{type}/{id}/history` Endpoint
+- [ ] Wer hat wann was geändert
+
+---
+
+## Phase 5: Strategisch
+
+### 5.1 TypeScript Migration
+- [ ] TypeScript-Konfiguration aufsetzen
+- [ ] Schrittweise Migration (util/ zuerst)
+- [ ] Type Definitions für alle Entities
+
+### 5.2 GraphQL API (Optional)
+- [ ] Apollo Server evaluieren
+- [ ] Schema Design
+- [ ] Parallel zu REST API
+
+---
+
+## Notizen
+
+**Priorität:** Phase 1 > Phase 2 > Phase 3 > Phase 4 > Phase 5
+
+**Kritische Sicherheitsprobleme:**
+- `vm2` hat bekannte Sandbox-Escape-Vulnerabilities
+- `request` ist deprecated und erhält keine Security-Updates mehr
+
+**Deprecated Dependencies in package-lock.json:**
+- debug (ReDos vulnerability)
+- glob (versions prior to v9)
+- mkdirp (legacy versions)
+- rimraf (versions prior to v4)
+- superagent (upgrade recommended)
+- uuid (Math.random() issue in v3)

package/util/arquery.js

@@ -1,6 +1,8 @@
 require('dotenv').config();
 const request = require('request-promise-native');
 const path = require('path');
+const mime = require('mime-types');
+const FileType = require('file-type');
 const {getEventLog} = require("./eventLog");
 let log = require('@manyos/logger').setupLog('SMILEconnect', path.basename(__filename));
 
@@ -315,13 +317,24 @@ function getAttachment(form, entryId, attachmentfield) {
 
         log.debug('start attachment request on:', uri);
         request(options).auth(process.env.AR_USER, process.env.AR_PASSWORD, true)
-            .then(function (response) {
+            .then(async function (response) {
                 log.debug('RAPI return', response.headers);
                 const fileName = response.headers['content-disposition'].split(';')[1].split('=')[1];
                 log.debug('filename', fileName);
+                const fromExt = mime.lookup(fileName);
+                let fromMagic = null;
+                if (!fromExt) {
+                    try {
+                        fromMagic = (await FileType.fromBuffer(response.body))?.mime;
+                    } catch (err) {
+                        log.debug('file-type detection failed, falling back to octet-stream', err.message);
+                    }
+                }
+                const contentType = fromExt || fromMagic || 'application/octet-stream';
                 const file = {
                     data : response.body,
-                    fileName : fileName
+                    fileName : fileName,
+                    contentType : contentType
                 }
                 resolve(file);
             })

package/util/config.js

@@ -435,6 +435,7 @@ async function getDesignPackage(clientId) {
                 schemas[config.requestTypeWorkLog] = await getObjectSchema(clientConfig[config.requestTypeWorkLog].fields, mapping, config.forms.workLog)
                 schemas[config.requestTypeWorkLog + '_create_update'] = await getObjectSchema(clientConfig[config.requestTypeWorkLog].fields, mapping, config.forms.workLog, true)
                 paths = {...paths, ... await getPathDef(config.assocTicketType, config.baseURI + '/{ticketId}/worklogs', config.requestTypeWorkLog, true, true)}
+                paths = {...paths, ... await getAttachmentPathDef(config.assocTicketType, config.baseURI + '/{ticketId}/worklogs')}
             }
             if (config.requestTemplate && clientConfig[config.requestTemplate].fields  && clientConfig[config.requestTemplate].fields.length > 0) {
                 const mapping = getDeprecatedMappingAsCustom(config.requestTemplate)
@@ -552,7 +553,25 @@ async function getDesignPackage(clientId) {
         paths = {...paths, ... await getPathDef('cmdbobject', '/v1/cmdbobjects', cmdbSchemaList)}
     }
 
-    return {openapi: "3.0.1", info, servers, paths, components: {schemas}}
+    const attachmentResponse = {
+        description: "Attachment binary content. Content-Type is application/octet-stream by default; with ?detectMime=true it reflects the detected MIME type (extension lookup with magic-byte fallback).",
+        headers: {
+            "Content-Disposition": {
+                description: "attachment; filename=<filename>",
+                schema: { type: "string" }
+            }
+        },
+        content: {
+            "application/octet-stream": { schema: { type: "string", format: "binary" } },
+            "application/pdf":          { schema: { type: "string", format: "binary" } },
+            "image/png":                { schema: { type: "string", format: "binary" } },
+            "image/jpeg":               { schema: { type: "string", format: "binary" } },
+            "image/gif":                { schema: { type: "string", format: "binary" } },
+            "text/plain":               { schema: { type: "string", format: "binary" } }
+        }
+    }
+
+    return {openapi: "3.0.1", info, servers, paths, components: {schemas, responses: {attachmentResponse}}}
 }
 
 async function getPathDef(objectName, baseUri, schema, isSubTicket, suppressUpdate, suppressCreate) {
@@ -632,6 +651,76 @@ async function getPathDef(objectName, baseUri, schema, isSubTicket, suppressUpda
     return pathDef
 }
 
+async function getAttachmentPathDef(objectName, workLogBaseUri) {
+    const ticketIdParam = {
+        name: "ticketId",
+        description: "id of the parent ticket",
+        schema: { "type": "string" },
+        in: "path",
+        required: true
+    }
+    const worklogIdParam = {
+        name: "worklogId",
+        description: "id of the worklog the attachment belongs to",
+        schema: { "type": "string" },
+        in: "path",
+        required: true
+    }
+    const detectMimeParam = {
+        name: "detectMime",
+        description: "If set to 'true', the response Content-Type reflects the detected MIME type of the attachment (filename extension lookup with magic-byte fallback). Without the parameter the response keeps the legacy default 'application/octet-stream' for backwards compatibility.",
+        schema: {
+            type: "string",
+            enum: ["true", "false"]
+        },
+        in: "query",
+        required: false,
+        examples: {
+            detect: { value: "true" }
+        }
+    }
+
+    const pathDef = {}
+    for (const slot of [1, 2, 3]) {
+        const uri = `${workLogBaseUri}/{worklogId}/attachments/${slot}`
+        pathDef[uri] = {
+            parameters: [ticketIdParam, worklogIdParam],
+            get: {
+                tags: [objectName, 'Attachments'],
+                summary: `Download attachment ${slot} of a ${objectName} worklog`,
+                description: "Returns the binary attachment. Default Content-Type is application/octet-stream; pass ?detectMime=true to receive the detected MIME type.",
+                parameters: [detectMimeParam],
+                responses: {
+                    "200": { "$ref": "#/components/responses/attachmentResponse" }
+                }
+            },
+            post: {
+                tags: [objectName, 'Attachments'],
+                summary: `Upload attachment ${slot} for a ${objectName} worklog`,
+                description: 'Send the file in the form field "file".',
+                requestBody: {
+                    required: true,
+                    content: {
+                        "multipart/form-data": {
+                            schema: {
+                                type: "object",
+                                properties: {
+                                    file: { type: "string", format: "binary" }
+                                },
+                                required: ["file"]
+                            }
+                        }
+                    }
+                },
+                responses: {
+                    "200": { description: "Attachment added" }
+                }
+            }
+        }
+    }
+    return pathDef
+}
+
 function getOpenApiParameters(operation) {
     const parameters = [
         {

package/util/responsehandler.js

@@ -103,6 +103,11 @@ function eventQueueHandler(req, res, next) {
             req.log
             ).then( success => {
                 if (req.downloadResult) {
+                    const detect = req.query && req.query.detectMime === 'true';
+                    const contentType = detect
+                        ? (req.downloadResult.contentType || 'application/octet-stream')
+                        : 'application/octet-stream';
+                    res.set('Content-Type', contentType);
                     res.set('Content-disposition', 'attachment; filename=' + req.downloadResult.fileName);
                     res.status(200).send(req.downloadResult.data);
                 } else {