@vario-software/vario-app-framework-backend 2025.46.2 → 2026.3.2

package/api/Api.js

@@ -227,11 +227,13 @@ class Api
 
   async onError(error)
   {
+    const maskedBody = this.suppressLogs ? '[secret]' : this.body;
+
     const message = {
       request: {
         requestUrl: this.fullPath,
         requestOptions: this.requestOptions,
-        body: this.body,
+        body: maskedBody,
       },
       response: error,
       duration: `${(performance.now() - this.timer).toFixed(2)}ms`,
@@ -248,7 +250,7 @@ class Api
         request: {
           requestUrl: this.fullPath,
           requestOptions: this.requestOptions,
-          body: this.body,
+          body: maskedBody,
         },
         response: {
           data: error,

package/api/ErpApi.js

@@ -8,7 +8,7 @@ const Migration = require('#backend/api/modules/migration.js');
 const TextEnum = require('#backend/api/modules/textEnum.js');
 const Webhook = require('#backend/api/modules/webhook.js');
 const PermittedToken = require('#backend/api/modules/permittedToken.js');
-const { validateOfflineToken } = require('#backend/utils/token.js');
+const { validateOfflineToken, isAppTokenExpired, refreshAppToken } = require('#backend/utils/token.js');
 
 const singletonPromise = new PromiseSingletonMap();
 class ErpApi extends Api
@@ -20,21 +20,26 @@ class ErpApi extends Api
     } = getContext();
 
     const {
-      excecuteAsAppUser = runAsAppUser,
+      executeAsAppUser = runAsAppUser,
       ...restOptions
     } = options;
 
     super(path, restOptions);
 
-    this.excecuteAsAppUser = excecuteAsAppUser;
+    this.executeAsAppUser = executeAsAppUser;
   }
 
   async onBeforeRequest()
   {
     const { baseUrl, Authorization } = await this.getAuthorization();
 
-    if (!this.excecuteAsAppUser)
+    if (!this.executeAsAppUser)
     {
+      if (isAppTokenExpired())
+      {
+        await refreshAppToken();
+      }
+
       this.setHeaders({
         'X-Forwarded-App-Token': getAppToken(),
       });

package/api/modules/webhook.js

@@ -8,7 +8,7 @@ const Webhook = class
     this.ApiAdapter = ApiAdapter;
   }
 
-  register = async function(destinationQueue, url)
+  register = async function(destinationQueue, url, destinationOwner)
   {
     const apiUrl = `${process.env.WEBHOOK_HOST ?? `https://${getRequest().get('host')}`}`;
 
@@ -18,13 +18,14 @@ const Webhook = class
       method: 'POST',
       body: JSON.stringify({
         url: `${apiUrl}${url}`,
+        destinationOwner,
         destinationQueue,
         appIdentifier: app.client.appIdentifier,
       }),
     });
   };
 
-  deregister = async function(destinationQueue, url)
+  deregister = async function(destinationQueue, url, destinationOwner)
   {
     const apiUrl = `${process.env.WEBHOOK_HOST ?? `https://${getRequest().get('host')}`}`;
 
@@ -34,6 +35,7 @@ const Webhook = class
       method: 'POST',
       body: JSON.stringify({
         url: `${apiUrl}${url}`,
+        destinationOwner,
         destinationQueue,
         appIdentifier: app.client.appIdentifier,
       }),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vario-software/vario-app-framework-backend",
-  "version": "2025.46.2",
+  "version": "2026.03.2",
   "repository": "https://github.com/vario-software/vario-app-framework",
   "author": "VARIO Software AG",
   "homepage": "https://www.vario.ag",

package/utils/migrator.js

@@ -144,16 +144,16 @@ const Migrator = class
       return textEnumGroup;
     },
 
-    registerWebhook: async (destinationQueue, url) =>
+    registerWebhook: async (destinationQueue, url, destinationOwner) =>
     {
-      await this.ApiAdapter.webhook.register(destinationQueue, url);
+      await this.ApiAdapter.webhook.register(destinationQueue, url, destinationOwner);
 
       await this.methods.log(`Webhook for destination "${destinationQueue}" registered\n`);
     },
 
-    deregisterWebhook: async (destinationQueue, url) =>
+    deregisterWebhook: async (destinationQueue, url, destinationOwner) =>
     {
-      await this.ApiAdapter.webhook.deregister(destinationQueue, url);
+      await this.ApiAdapter.webhook.deregister(destinationQueue, url, destinationOwner);
 
       await this.methods.log(`Webhook for destination "${destinationQueue}" deregistered\n`);
     },
@@ -353,22 +353,79 @@ const Migrator = class
 
       if (existingProxyId)
       {
-        this.methods.updateAppScriptingTrigger(triggerId, script, existingProxyId);
+        await this.methods.updateAppScriptingTrigger(triggerId, script, existingProxyId);
 
         return;
       }
 
+      const { data: existingGroups } = await this.ApiAdapter.fetch(
+        '/cmn/computed-queries/scripting/script-module-groups',
+        {
+          useInternalApi: true,
+          method: 'POST',
+          body: {
+            adhocPreset: {
+              queryPredicate: {
+                type: 'FILTER',
+                operator: 'EQUALS',
+                property: 'name',
+                values: [this.app.client.appIdentifier],
+              },
+              results: [
+                { property: 'id' },
+                { property: 'name' },
+              ],
+            },
+          },
+        },
+      );
+
+      let scriptGroup;
+
+      if (existingGroups?.data && existingGroups.data.length > 0)
+      {
+        scriptGroup = existingGroups.data[0];
+      }
+      else
+      {
+        const { data: newGroup } = await this.ApiAdapter.fetch(
+          '/cmn/scripting/module-groups',
+          {
+            useInternalApi: true,
+            method: 'POST',
+            body: { name: this.app.client.appIdentifier },
+          },
+        );
+        scriptGroup = newGroup;
+      }
+
+      const { data: scriptModule } = await this.ApiAdapter.fetch(
+        '/cmn/scripting/modules/presettings',
+        {
+          useInternalApi: true,
+          method: 'POST',
+          body: {
+            name: triggerId,
+            script: typeof script === 'string' ? script : JSON.stringify(script),
+            domain: 'app',
+            groupRef: { id: scriptGroup.id },
+            permissionAggregation: {},
+          },
+        },
+      );
+
       await this.ApiAdapter.fetch(
         '/community/latest/cmn/system/app-scripting-proxy',
         {
           useInternalApi: true,
           method: 'POST',
-          body: JSON.stringify({
+          body: {
             appIdentifier: this.app.client.appIdentifier,
             triggerId,
-            script,
-          }),
-        });
+            scriptModuleRef: { id: scriptModule.id },
+          },
+        },
+      );
 
       await this.methods.log(`App-Script-Trigger with id "${triggerId}" successfully created\n`);
     },
@@ -377,20 +434,45 @@ const Migrator = class
     {
       if (!id)
       {
-        id = await this.getAppScriptingTriggerId(triggerId);
+        id = await this.methods.getAppScriptingTriggerId(triggerId);
       }
 
-      await this.ApiAdapter.fetch(
+      const { data: proxy } = await this.ApiAdapter.fetch(
         `/community/latest/cmn/system/app-scripting-proxy/${id}`,
+        {
+          useInternalApi: true,
+          method: 'GET',
+        },
+      );
+
+      const scriptModuleId = proxy?.scriptModuleRef?.id;
+
+      if (!scriptModuleId)
+      {
+        await this.methods.log(`App-Script-Trigger with id "${triggerId}" has no scriptModuleRef\n`, 'ERROR');
+
+        return;
+      }
+
+      const { data: existingScriptModule } = await this.ApiAdapter.fetch(
+        `/cmn/scripting/modules/${scriptModuleId}/presettings`,
+        {
+          useInternalApi: true,
+          method: 'GET',
+        },
+      );
+
+      await this.ApiAdapter.fetch(
+        `/cmn/scripting/modules/${scriptModuleId}/presettings`,
         {
           useInternalApi: true,
           method: 'PUT',
-          body: JSON.stringify({
-            appIdentifier: this.app.client.appIdentifier,
-            triggerId,
-            script,
-          }),
-        });
+          body: {
+            ...existingScriptModule,
+            script: typeof script === 'string' ? script : JSON.stringify(script),
+          },
+        },
+      );
 
       await this.methods.log(`App-Script-Trigger with id "${triggerId}" successfully updated\n`);
     },
@@ -400,7 +482,7 @@ const Migrator = class
       const { data: existingProxy } = await this.ApiAdapter.vql({
         statement: `
 SELECT id
-  FROM system.queryAppScriptingProxies 
+  FROM system.queryAppScriptingProxies
  WHERE appIdentifier = '${this.app.client.appIdentifier}'
    AND triggerId = '${triggerId}'
 `,

package/utils/token.js

@@ -1,5 +1,6 @@
 const { jwtVerify, decodeJwt, importJWK } = require('jose');
 const { getApp } = require('#backend/utils/context.js');
+const { getAppToken, getContext } = require('#backend/utils/context.js');
 
 function validateOfflineToken(offlineToken)
 {
@@ -82,7 +83,45 @@ function validateAppToken(appToken)
   });
 }
 
+function isAppTokenExpired()
+{
+  const { accessToken } = getContext();
+
+  const { exp } = accessToken;
+
+  return ((exp - 2) < (Date.now() / 1000));
+}
+
+async function refreshAppToken()
+{
+  const appToken = getAppToken();
+  const app = getApp();
+
+  const { data } = await app.erp.fetch(`/cmn/apps/${app.client.appIdentifier}/refresh-token`, {
+    method: 'POST',
+    body: appToken,
+    useInternalApi: true,
+    headers: {
+      'Content-Type': 'text/plain',
+    },
+    secret: true,
+    executeAsAppUser: true,
+    secretsToMask: ['bearerToken'],
+  });
+
+  const newAppToken = data.bearerToken;
+
+  const accessToken = await validateAppToken(newAppToken);
+
+  const context = getContext();
+
+  context.appToken = newAppToken;
+  context.accessToken = accessToken;
+}
+
 module.exports = {
   validateOfflineToken,
   validateAppToken,
+  isAppTokenExpired,
+  refreshAppToken,
 };