@vario-software/vario-app-framework-backend 2025.43.0 → 2025.45.0

package/api/Api.js

@@ -19,6 +19,7 @@ class Api
     resolveOn = 'end',
     timeout = 15 * 60 * 1000,
     suppressLogs = false,
+    secretsToMask = ['value'],
     followRedirects,
     body,
     inputStream,
@@ -41,6 +42,7 @@ class Api
     this.restOptions = restOptions;
     this.suppressLogs = suppressLogs;
     this.followRedirects = followRedirects;
+    this.secretsToMask = secretsToMask;
 
     this.app = getApp();
 
@@ -171,7 +173,7 @@ class Api
           requestOptions: this.requestOptions,
           body: this.body,
         },
-        response: this.secret ? maskSpecificKey(response, 'value') : response,
+        response: this.secret ? maskSpecificKey(response, this.secretsToMask) : response,
         duration: `${(performance.now() - this.timer).toFixed(2)}ms`,
         retryCount: this.retryCount,
       };
@@ -422,7 +424,7 @@ Api.redirectRequest = redirectRequestFn;
 
 module.exports = Api;
 
-function maskSpecificKey(response, keyToMask = 'value', mask = '[secret]')
+function maskSpecificKey(response, secretsToMask = ['value'], mask = '[secret]')
 {
   if (!response || typeof response !== 'object')
   {
@@ -431,13 +433,13 @@ function maskSpecificKey(response, keyToMask = 'value', mask = '[secret]')
 
   return Object.keys(response).reduce((acc, key) =>
   {
-    if (key === keyToMask)
+    if (secretsToMask.includes(key))
     {
       acc[key] = mask;
     }
     else if (typeof response[key] === 'object' && response[key] !== null)
     {
-      acc[key] = maskSpecificKey(response[key], keyToMask, mask);
+      acc[key] = maskSpecificKey(response[key], secretsToMask, mask);
     }
     else
     {

package/api/ErpApi.js

@@ -1,5 +1,5 @@
 const Api = require('#backend/api/Api.js');
-const { getTenant } = require('#backend/utils/context.js');
+const { getTenant, getAppToken } = require('#backend/utils/context.js');
 
 const PromiseSingletonMap = require('#backend/utils/promiseSingletonMap.js');
 const refreshAccessToken = require('#backend/utils/keycloak.js');
@@ -7,6 +7,7 @@ const Eav = require('#backend/api/modules/eav.js');
 const Migration = require('#backend/api/modules/migration.js');
 const TextEnum = require('#backend/api/modules/textEnum.js');
 const Webhook = require('#backend/api/modules/webhook.js');
+const PermittedToken = require('#backend/api/modules/permittedToken.js');
 const { validateOfflineToken } = require('#backend/utils/token.js');
 
 const singletonPromise = new PromiseSingletonMap();
@@ -16,6 +17,10 @@ class ErpApi extends Api
   {
     const { baseUrl, Authorization } = await this.getAuthorization();
 
+    this.setHeaders({
+      'X-Forwarded-App-Token': getAppToken(),
+    });
+
     this.setAuthorization(Authorization);
 
     if (this.useInternalApi)
@@ -90,5 +95,6 @@ ErpApi.migration = new Migration(ErpApi);
 ErpApi.eav = new Eav(ErpApi);
 ErpApi.textenum = new TextEnum(ErpApi);
 ErpApi.webhook = new Webhook(ErpApi);
+ErpApi.permittedToken = new PermittedToken(ErpApi);
 
 module.exports = ErpApi;

package/api/modules/permittedToken.js

@@ -0,0 +1,29 @@
+const { getApp } = require('#backend/utils/context.js');
+
+const PermittedToken = class
+{
+  constructor(ApiAdapter)
+  {
+    this.ApiAdapter = ApiAdapter;
+  }
+
+  create = async function(expiresAt, permissions)
+  {
+    const app = getApp();
+
+    const { data } = await this.ApiAdapter.fetch(`/cmn/apps/${app.client.appIdentifier}/permitted-token`, {
+      method: 'POST',
+      body: JSON.stringify({
+        expiresAt,
+        permissions,
+      }),
+      secret: true,
+      secretsToMask: ['bearerToken'],
+      useInternalApi: true,
+    });
+
+    return data;
+  };
+};
+
+module.exports = PermittedToken;

package/app.js

@@ -111,13 +111,22 @@ function validateClient(client)
     throw new Error('client config missing');
   }
 
-  const missingProps = ['clientId', 'clientSecret', 'appIdentifier']
+  const missingProps = ['clientId', 'clientSecret', 'appIdentifier', 'appJWK']
     .filter(prop => !client[prop]);
 
   if (missingProps.length)
   {
     throw new Error(`client config is missing: ${missingProps.join()}`);
   }
+
+  try
+  {
+    JSON.parse(client.appJWK);
+  }
+  catch
+  {
+    throw new Error('appJWK is not a valid JSON');
+  }
 }
 
 module.exports = VarioCloudApp;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vario-software/vario-app-framework-backend",
-  "version": "2025.43.0",
+  "version": "2025.45.0",
   "repository": "https://github.com/vario-software/vario-app-framework",
   "author": "VARIO Software AG",
   "homepage": "https://www.vario.ag",

package/setup/appAuthentication.js

@@ -26,6 +26,12 @@ function appAuthentication(req, res, next)
       context.appToken = token;
       context.accessToken = accessToken;
 
+      if (accessToken.tokenType === 'PERMITTED_TOKEN')
+      {
+        res.status(401).end();
+        return;
+      }
+
       next();
     })
     .catch(error =>

package/setup/context.js

@@ -21,7 +21,7 @@ function setupContext(app)
     res.on('finish', async () =>
     {
       await app.log(
-        `${(performance.now() - specificContext.startTime).toFixed(2)}ms`,
+        `${(performance.now() - specificContext.startTime).toFixed(2)}ms (${res.statusCode} ${res.statusMessage})`,
         'setup/context/finish',
         'DEBUG',
       );

package/utils/migrator.js

@@ -124,7 +124,7 @@ const Migrator = class
       await this.methods.log(`Webhook for destination "${destinationQueue}" deregistered\n`);
     },
 
-    createSalesChannelBackend: async label =>
+    createSalesChannelBackend: async (label, validChannelTypes) =>
     {
       const { data: salesChannelBackend } = await this.ApiAdapter.fetch('/erp/sales-channels/backend', {
         method: 'POST',
@@ -132,6 +132,7 @@ const Migrator = class
           appId: this.app.client.appIdentifier,
           label,
           type: 'APP',
+          validChannelTypes,
           active: true,
         }),
       });
@@ -141,6 +142,18 @@ const Migrator = class
       return salesChannelBackend;
     },
 
+    changeSalesChannelBackend: async body =>
+    {
+      const { data: salesChannelBackend } = await this.ApiAdapter.fetch(`/erp/sales-channels/backend/${body.id}`, {
+        method: 'PUT',
+        body: JSON.stringify(body),
+      });
+
+      await this.methods.log(`Sales-Channel-Backend with id "${salesChannelBackend.id}" successfully updated\n`);
+
+      return salesChannelBackend;
+    },
+
     createSalesChannel: async (salesChannelBackend, label, description, channelType = 'ECOMMERCE') =>
     {
       const { data: salesChannel } = await this.ApiAdapter.fetch('/erp/sales-channels', {

package/utils/permission.js

@@ -1,28 +1,35 @@
 const { getAccessToken } = require('#backend/utils/context.js');
 const HttpError = require('#backend/utils/httpError.js');
 
-async function checkPermission(verb)
+function checkPermission(verb, strict = true)
 {
-  const { isSuperUser, permissions } = await getAccessToken();
+  const { isSuperUser, permissions } = getAccessToken();
 
   if (!(isSuperUser || permissions?.includes(verb)))
   {
-    throw new HttpError(
-      'APP_AUTHORIZATION_FAILED',
-      403,
-      'utils/permission',
-      { missingVerb: verb },
-      null,
-      'ERROR',
-    );
+    if (strict)
+    {
+      throw new HttpError(
+        'APP_AUTHORIZATION_FAILED',
+        403,
+        'utils/permission',
+        { missingVerb: verb },
+        null,
+        'ERROR',
+      );
+    }
+
+    return false;
   }
+
+  return true;
 }
 
 function checkPermissionMiddleware(verb)
 {
   return async (req, res, next) =>
   {
-    await checkPermission(verb);
+    checkPermission(verb);
 
     next();
   };

package/utils/token.js

@@ -1,4 +1,4 @@
-const { jwtVerify, decodeJwt } = require('jose');
+const { jwtVerify, decodeJwt, importJWK } = require('jose');
 const { getApp } = require('#backend/utils/context.js');
 
 function validateOfflineToken(offlineToken)
@@ -48,30 +48,35 @@ function validateAppToken(appToken)
 
     const app = getApp();
 
-    const { clientSecret, appIdentifier } = app.client;
+    const { appIdentifier, appJWK } = app.client;
 
-    const key = new TextEncoder().encode(clientSecret);
+    const jwk = JSON.parse(appJWK).keys[0];
 
-    jwtVerify(appToken, key)
-      .then(({ payload }) =>
+    importJWK(jwk, 'ES256')
+      .then(key =>
       {
-        const { aud, exp } = payload;
+        jwtVerify(appToken, key)
+          .then(({ payload }) =>
+          {
+            const { aud, exp } = payload;
 
-        if (!aud || aud !== appIdentifier)
-        {
-          console.log('First cond', !aud, aud !== appIdentifier);
-          reject();
-          return;
-        }
+            if (!aud || aud !== appIdentifier)
+            {
+              console.log('First cond', !aud, aud !== appIdentifier);
+              reject();
+              return;
+            }
 
-        if (!exp || exp < (Date.now() / 1000))
-        {
-          console.log('Second cond', !exp, exp < (Date.now() / 1000));
-          reject();
-          return;
-        }
+            if (!exp || exp < (Date.now() / 1000))
+            {
+              console.log('Second cond', !exp, exp < (Date.now() / 1000));
+              reject();
+              return;
+            }
 
-        resolve(payload);
+            resolve(payload);
+          })
+          .catch(reject);
       })
       .catch(reject);
   });