@vario-software/vario-app-framework-backend 2025.44.0 → 2025.46.0

package/api/Api.js

@@ -19,6 +19,7 @@ class Api
     resolveOn = 'end',
     timeout = 15 * 60 * 1000,
     suppressLogs = false,
+    secretsToMask = ['value'],
     followRedirects,
     body,
     inputStream,
@@ -41,6 +42,7 @@ class Api
     this.restOptions = restOptions;
     this.suppressLogs = suppressLogs;
     this.followRedirects = followRedirects;
+    this.secretsToMask = secretsToMask;
 
     this.app = getApp();
 
@@ -171,7 +173,7 @@ class Api
           requestOptions: this.requestOptions,
           body: this.body,
         },
-        response: this.secret ? maskSpecificKey(response, 'value') : response,
+        response: this.secret ? maskSpecificKey(response, this.secretsToMask) : response,
         duration: `${(performance.now() - this.timer).toFixed(2)}ms`,
         retryCount: this.retryCount,
       };
@@ -422,7 +424,7 @@ Api.redirectRequest = redirectRequestFn;
 
 module.exports = Api;
 
-function maskSpecificKey(response, keyToMask = 'value', mask = '[secret]')
+function maskSpecificKey(response, secretsToMask = ['value'], mask = '[secret]')
 {
   if (!response || typeof response !== 'object')
   {
@@ -431,13 +433,13 @@ function maskSpecificKey(response, keyToMask = 'value', mask = '[secret]')
 
   return Object.keys(response).reduce((acc, key) =>
   {
-    if (key === keyToMask)
+    if (secretsToMask.includes(key))
     {
       acc[key] = mask;
     }
     else if (typeof response[key] === 'object' && response[key] !== null)
     {
-      acc[key] = maskSpecificKey(response[key], keyToMask, mask);
+      acc[key] = maskSpecificKey(response[key], secretsToMask, mask);
     }
     else
     {

package/api/ErpApi.js

@@ -1,5 +1,5 @@
 const Api = require('#backend/api/Api.js');
-const { getTenant } = require('#backend/utils/context.js');
+const { getTenant, getAppToken } = require('#backend/utils/context.js');
 
 const PromiseSingletonMap = require('#backend/utils/promiseSingletonMap.js');
 const refreshAccessToken = require('#backend/utils/keycloak.js');
@@ -7,6 +7,7 @@ const Eav = require('#backend/api/modules/eav.js');
 const Migration = require('#backend/api/modules/migration.js');
 const TextEnum = require('#backend/api/modules/textEnum.js');
 const Webhook = require('#backend/api/modules/webhook.js');
+const PermittedToken = require('#backend/api/modules/permittedToken.js');
 const { validateOfflineToken } = require('#backend/utils/token.js');
 
 const singletonPromise = new PromiseSingletonMap();
@@ -16,6 +17,10 @@ class ErpApi extends Api
   {
     const { baseUrl, Authorization } = await this.getAuthorization();
 
+    this.setHeaders({
+      'X-Forwarded-App-Token': getAppToken(),
+    });
+
     this.setAuthorization(Authorization);
 
     if (this.useInternalApi)
@@ -90,5 +95,6 @@ ErpApi.migration = new Migration(ErpApi);
 ErpApi.eav = new Eav(ErpApi);
 ErpApi.textenum = new TextEnum(ErpApi);
 ErpApi.webhook = new Webhook(ErpApi);
+ErpApi.permittedToken = new PermittedToken(ErpApi);
 
 module.exports = ErpApi;

package/api/modules/eav.js

@@ -35,9 +35,7 @@ const Eav = class
 
   changeGroup = async function (groupKey, callback)
   {
-    let { data: eavGroup } = await this.ApiAdapter.fetch(`/cmn/eav-groups/by-key/${groupKey}`, {
-      method: 'GET',
-    });
+    let eavGroup = await this.getGroup(groupKey);
 
     eavGroup = callback(eavGroup);
 
@@ -51,7 +49,7 @@ const Eav = class
 
   deleteGroup = async function (groupKey)
   {
-    const { data: eavGroup } = await this.ApiAdapter.fetch(`/cmn/eav-groups/by-key/${groupKey}`);
+    const eavGroup = await this.getGroup(groupKey);
 
     await this.ApiAdapter.fetch(`/cmn/eav-groups/${eavGroup.id}/remove-data`, {
       method: 'POST',
@@ -65,11 +63,27 @@ const Eav = class
     return true;
   };
 
+  removeDataFromGroup = async function (groupKey, attributeKeys = [])
+  {
+    const eavGroup = await this.getGroup(groupKey);
+
+    const attributeId = attributeKeys
+      .map(attrKey => eavGroup.attributes?.find(({ key }) => key === attrKey)?.id)
+      .filter(id => id !== null || id !== undefined);
+
+    await this.ApiAdapter.fetch(`/cmn/eav-groups/${eavGroup.id}/remove-data`, {
+      method: 'POST',
+      body: JSON.stringify({ entities: eavGroup.entities, attributeId }),
+    });
+
+    return true;
+  };
+
   getGroupIdByKey = async function(groupKey)
   {
     try
     {
-      const { data: eavGroup } = await this.ApiAdapter.fetch(`/cmn/eav-groups/by-key/${groupKey}`);
+      const eavGroup = await this.getGroup(groupKey);
 
       return eavGroup.id;
     }

package/api/modules/permittedToken.js

@@ -0,0 +1,29 @@
+const { getApp } = require('#backend/utils/context.js');
+
+const PermittedToken = class
+{
+  constructor(ApiAdapter)
+  {
+    this.ApiAdapter = ApiAdapter;
+  }
+
+  create = async function(expiresAt, permissions)
+  {
+    const app = getApp();
+
+    const { data } = await this.ApiAdapter.fetch(`/cmn/apps/${app.client.appIdentifier}/permitted-token`, {
+      method: 'POST',
+      body: JSON.stringify({
+        expiresAt,
+        permissions,
+      }),
+      secret: true,
+      secretsToMask: ['bearerToken'],
+      useInternalApi: true,
+    });
+
+    return data;
+  };
+};
+
+module.exports = PermittedToken;

package/app.js

@@ -111,13 +111,22 @@ function validateClient(client)
     throw new Error('client config missing');
   }
 
-  const missingProps = ['clientId', 'clientSecret', 'appIdentifier']
+  const missingProps = ['clientId', 'clientSecret', 'appIdentifier', 'appJWK']
     .filter(prop => !client[prop]);
 
   if (missingProps.length)
   {
     throw new Error(`client config is missing: ${missingProps.join()}`);
   }
+
+  try
+  {
+    JSON.parse(client.appJWK);
+  }
+  catch
+  {
+    throw new Error('appJWK is not a valid JSON');
+  }
 }
 
 module.exports = VarioCloudApp;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vario-software/vario-app-framework-backend",
-  "version": "2025.44.0",
+  "version": "2025.46.0",
   "repository": "https://github.com/vario-software/vario-app-framework",
   "author": "VARIO Software AG",
   "homepage": "https://www.vario.ag",

package/setup/appAuthentication.js

@@ -26,6 +26,12 @@ function appAuthentication(req, res, next)
       context.appToken = token;
       context.accessToken = accessToken;
 
+      if (accessToken.tokenType === 'PERMITTED_TOKEN')
+      {
+        res.status(401).end();
+        return;
+      }
+
       next();
     })
     .catch(error =>

package/setup/context.js

@@ -21,7 +21,7 @@ function setupContext(app)
     res.on('finish', async () =>
     {
       await app.log(
-        `${(performance.now() - specificContext.startTime).toFixed(2)}ms`,
+        `${(performance.now() - specificContext.startTime).toFixed(2)}ms (${res.statusCode} ${res.statusMessage})`,
         'setup/context/finish',
         'DEBUG',
       );

package/utils/migrator.js

@@ -53,6 +53,26 @@ const Migrator = class
     }
   };
 
+  always = async function (key, callback)
+  {
+    const migration = `${this.key}.${key}`;
+
+    const context = getContext();
+
+    context.migration = migration;
+
+    try
+    {
+      await callback(this.methods, this.migrationResults);
+    }
+    catch (error)
+    {
+      await this.app.onMigrationError(error);
+
+      await this.methods.log(`Migration "${migration}" failed\n\n${error.message}`, 'ERROR', error.message);
+    }
+  };
+
   methods = {
     log: async (message, level = 'INFO') =>
     {
@@ -101,6 +121,20 @@ const Migrator = class
       return eavGroup;
     },
 
+    removeDataFromEavGroup: async (groupKey, attributeKeys) =>
+    {
+      const eavGroup = await this.ApiAdapter.eav.removeDataFromGroup(groupKey, attributeKeys);
+
+      const hasAttributeKeys = Array.isArray(attributeKeys) && attributeKeys.length > 0;
+      const logMessage = hasAttributeKeys
+        ? `Data for the specified attributes (${attributeKeys.join(', ')}) in EAV group "${groupKey}" was successfully removed.\n`
+        : `All data from EAV group "${groupKey}" was successfully removed.\n`;
+
+      await this.methods.log(logMessage);
+
+      return eavGroup;
+    },
+
     createTextEnumGroup: async textEnumGroup =>
     {
       textEnumGroup = await this.ApiAdapter.textenum.setGroup(textEnumGroup);

package/utils/permission.js

@@ -1,28 +1,35 @@
 const { getAccessToken } = require('#backend/utils/context.js');
 const HttpError = require('#backend/utils/httpError.js');
 
-async function checkPermission(verb)
+function checkPermission(verb, strict = true)
 {
-  const { isSuperUser, permissions } = await getAccessToken();
+  const { isSuperUser, permissions } = getAccessToken();
 
   if (!(isSuperUser || permissions?.includes(verb)))
   {
-    throw new HttpError(
-      'APP_AUTHORIZATION_FAILED',
-      403,
-      'utils/permission',
-      { missingVerb: verb },
-      null,
-      'ERROR',
-    );
+    if (strict)
+    {
+      throw new HttpError(
+        'APP_AUTHORIZATION_FAILED',
+        403,
+        'utils/permission',
+        { missingVerb: verb },
+        null,
+        'ERROR',
+      );
+    }
+
+    return false;
   }
+
+  return true;
 }
 
 function checkPermissionMiddleware(verb)
 {
   return async (req, res, next) =>
   {
-    await checkPermission(verb);
+    checkPermission(verb);
 
     next();
   };

package/utils/token.js

@@ -1,4 +1,4 @@
-const { jwtVerify, decodeJwt } = require('jose');
+const { jwtVerify, decodeJwt, importJWK } = require('jose');
 const { getApp } = require('#backend/utils/context.js');
 
 function validateOfflineToken(offlineToken)
@@ -48,30 +48,35 @@ function validateAppToken(appToken)
 
     const app = getApp();
 
-    const { clientSecret, appIdentifier } = app.client;
+    const { appIdentifier, appJWK } = app.client;
 
-    const key = new TextEncoder().encode(clientSecret);
+    const jwk = JSON.parse(appJWK).keys[0];
 
-    jwtVerify(appToken, key)
-      .then(({ payload }) =>
+    importJWK(jwk, 'ES256')
+      .then(key =>
       {
-        const { aud, exp } = payload;
+        jwtVerify(appToken, key)
+          .then(({ payload }) =>
+          {
+            const { aud, exp } = payload;
 
-        if (!aud || aud !== appIdentifier)
-        {
-          console.log('First cond', !aud, aud !== appIdentifier);
-          reject();
-          return;
-        }
+            if (!aud || aud !== appIdentifier)
+            {
+              console.log('First cond', !aud, aud !== appIdentifier);
+              reject();
+              return;
+            }
 
-        if (!exp || exp < (Date.now() / 1000))
-        {
-          console.log('Second cond', !exp, exp < (Date.now() / 1000));
-          reject();
-          return;
-        }
+            if (!exp || exp < (Date.now() / 1000))
+            {
+              console.log('Second cond', !exp, exp < (Date.now() / 1000));
+              reject();
+              return;
+            }
 
-        resolve(payload);
+            resolve(payload);
+          })
+          .catch(reject);
       })
       .catch(reject);
   });