@vario-software/vario-app-framework-backend 2026.3.1 → 2026.4.0

package/api/ErpApi.js

@@ -8,7 +8,7 @@ const Migration = require('#backend/api/modules/migration.js');
 const TextEnum = require('#backend/api/modules/textEnum.js');
 const Webhook = require('#backend/api/modules/webhook.js');
 const PermittedToken = require('#backend/api/modules/permittedToken.js');
-const { validateOfflineToken } = require('#backend/utils/token.js');
+const { validateOfflineToken, isAppTokenExpired, refreshAppToken } = require('#backend/utils/token.js');
 
 const singletonPromise = new PromiseSingletonMap();
 class ErpApi extends Api
@@ -35,6 +35,11 @@ class ErpApi extends Api
 
     if (!this.executeAsAppUser)
     {
+      if (isAppTokenExpired())
+      {
+        await refreshAppToken();
+      }
+
       this.setHeaders({
         'X-Forwarded-App-Token': getAppToken(),
       });

package/app.js

@@ -20,6 +20,7 @@ const VarioCloudApp = class
   {
     this.onUnhandledError = options.onUnhandledError ?? console.error;
     this.onMigrationError = options.onMigrationError ?? console.error;
+    this.onKeycloakError = options.onKeycloakError;
 
     exceptionHandler = setupException(this);
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vario-software/vario-app-framework-backend",
-  "version": "2026.03.1",
+  "version": "2026.04.0",
   "repository": "https://github.com/vario-software/vario-app-framework",
   "author": "VARIO Software AG",
   "homepage": "https://www.vario.ag",

package/utils/keycloak.js

@@ -26,20 +26,26 @@ async function refreshAccessToken(offlineToken, refreshUrl)
 
   const timer = performance.now();
 
-  const { data } = await VarioApi.fetch(refreshUrl, refreshOptions).catch(async error =>
-  {
-    await app.log(
+  const { data } = await VarioApi.fetch(refreshUrl, refreshOptions)
+    .catch(async error =>
+    {
+      await app.log(
+        {
+          request: { url: refreshUrl, body: '[secret]' },
+          response: `[secret(${Object.keys(typeof error?.data === 'object' ? error.data : {})})]`,
+          duration: `${(performance.now() - timer).toFixed(2)}ms`,
+        },
+        'utils/keycloak',
+        'DEBUG',
+      );
+
+      if (app.onKeycloakError)
       {
-        request: { url: refreshUrl, body: '[secret]' },
-        response: `[secret(${Object.keys(typeof error?.data === 'object' ? error.data : {})})]`,
-        duration: `${(performance.now() - timer).toFixed(2)}ms`,
-      },
-      'utils/keycloak',
-      'DEBUG',
-    );
-
-    throw error;
-  });
+        app.onKeycloakError(error);
+      }
+
+      throw error;
+    });
 
   await app.log(
     {

package/utils/token.js

@@ -1,5 +1,6 @@
 const { jwtVerify, decodeJwt, importJWK } = require('jose');
 const { getApp } = require('#backend/utils/context.js');
+const { getAppToken, getContext } = require('#backend/utils/context.js');
 
 function validateOfflineToken(offlineToken)
 {
@@ -82,7 +83,45 @@ function validateAppToken(appToken)
   });
 }
 
+function isAppTokenExpired()
+{
+  const { accessToken } = getContext();
+
+  const { exp } = accessToken;
+
+  return ((exp - 2) < (Date.now() / 1000));
+}
+
+async function refreshAppToken()
+{
+  const appToken = getAppToken();
+  const app = getApp();
+
+  const { data } = await app.erp.fetch(`/cmn/apps/${app.client.appIdentifier}/refresh-token`, {
+    method: 'POST',
+    body: appToken,
+    useInternalApi: true,
+    headers: {
+      'Content-Type': 'text/plain',
+    },
+    secret: true,
+    executeAsAppUser: true,
+    secretsToMask: ['bearerToken'],
+  });
+
+  const newAppToken = data.bearerToken;
+
+  const accessToken = await validateAppToken(newAppToken);
+
+  const context = getContext();
+
+  context.appToken = newAppToken;
+  context.accessToken = accessToken;
+}
+
 module.exports = {
   validateOfflineToken,
   validateAppToken,
+  isAppTokenExpired,
+  refreshAppToken,
 };