Changelogs

Next Version

enhance Azure Application Insights telemetry in preparation for Grafana dashboards and alerting

v1.4.1

Fixed

include historical booths in user's allowed booths as read-only

v1.4.0

🚧 Temporary Export Workaround (ZIP Downloads)

This release introduces a temporary bulk download workaround for booth-related documents.

The implementation intentionally violates backend architecture principles (file-byte processing, ZIP creation) and exists only until a dedicated export/delivery service is available.

All affected code paths are explicitly marked as temporary and scheduled for migration.

Affected Files:

FtpMediaBucketWrapper.cs - GetObjectAsBytesAsync/GetObjectToStreamAsync (new)
MediaService.cs - StreamZipArchiveAsync (new)
BoothsController.cs - /booths//documents/download (new)
IMediaBuckedWrapper.cs - Interface extensions

Fixed

improve robustness when streaming multiple media files into a single archive

Added

add GET api/v2.0/Auth/Impersonate/{userId} with industry-standard JWT impersonation implementation CI-611
add ZIP download for booth-related documents (temporary workaround) Allows bulk download of all documents associated with a Booth, Hall or Event as a single ZIP archive CI-619
- Missing or inaccessible files are skipped or replaced with placeholders
- Intended as a short-term solution only
- Will be migrated to a storage-adjacent export service
add GET api/v2.0/Exhibitors/Of/Event/{eventId}/Export returning a flattened, row-based exhibitor-of-event export CI-607
add GET /api/v2.0/Booths/Of/Event/{eventId}/Kpi returning an aggregated KPI overview (halls, booths, open or accepted orders, orders with media) intended for moderation and dashboard use cases CI-606
add GET /api/v2.0/Booths/Of/Event/{eventId} providing a paginated, moderation-focused booth overview with enriched context data CI-606

Changed

mark GET api/v1.0/Users/{userId}/DebugJWT as obsolete
remove technical debt caused by reusing API DTO enums in domain models and refine IModerated logic of the OrderDomainModel

Removed

database is now the single source of truth for user data; removed the obsolete RolesReplacer system

v1.3.0

New V2 Response Model

Due to a rapid growth of graph-like DTOs and recurring ambiguity around "Is this data actually included or not?", we decided to change how data is returned.

Upcoming V2 endpoints no longer return Graph DTOs.

Instead, the new response model is based on composed, context-specific slices. Each endpoint now returns a clearly defined response contract, tailored to its specific use case.

All V2 response types are available in the shared project under:
messeapp.Shared.Slices.Response.v2

Fixed

endpoint GET /api/v1.0/Orders/Of/Event/{eventId} return only submitted orders for event endpoint
allow exhibitors to update accepted orders CI-617

Added

add GET /api/v2.0/Orders/Of/Event/{eventId}/Submitted
Returns submitted orders with full contextual data (Booth, Exhibitor, Hall, Order details) CI-597
add GET /api/v2.0/Orders/Of/Event/{eventId}/Unsubmitted
Returns booths with unsubmitted orders, providing contextual data only (no Order data) CI-597

v1.2.0

⚠️ Preparation for new User Management

As discussed in the last meeting with the Messe-Team, we will likely manage users ourselves in the future instead of relying on the old system. Therefore, we no longer overwrite user data in our database.
Data is now only added if no data is present in the user table.

Added

add version endpoint
add GET /api/v1.0/health/ready to provide detailed readiness information about external service availability
add GET /api/v1.0/health/domain to provide detailed insight into domain-level faults and logical system consistency
add health dashboard to backend-ui and minimize auth availability workload
add GET /api/v1.0/Users/{userId}/DebugJwt for user impersonation
add POST /api/v1.0/events/{eventId}/batch-link-users endpoint to batch link users to booths by company name
add GET /api/v1.0/events/attended to retrieve events accessible to the current user
add GET /api/v{version}/Booths/Of/User to retrieve booths accessible to the current user

Changed

only fill missing user fields from claims during upsert

v1.1.0

Added

added a feature flag, to toggle sending a mail to the Messe-Team, whenever an exhibitor places an order.

Changed

Event initialization now accepts an optional CompanyName (Exhibitor) for the Booth CI-589

v1.0.1 – Day One Patch

Fixed

Fixed the Puppeteer PDF generator by installing Chromium and its required dependencies in the Docker image.
Removed the requirement for wayXYZ headers in the authentication response, as users without a customer number do not generate them.
Implemented a low-level SQL Server search provider to support native, database-consistent search behavior.

Jira: CI-565 – Booth Status beim manuellen anlegen setzen

Changed

POST /api/v1.0/Booths setzt den Booth RequestStatus beim generieren direkt auf Accepted

Jira: CI-555 – Löschen eines Digitalauftritts-Rechts

Changed

normalized the UserRight claim type to http://messeapp.chefsinspiration.de/claims/user_right

Jirales Change

Fixed

extended HttpClient setup for the import process, now configurable through new fields in ChefsInspirationEventImportOptions:
- DisableSslCheck: false
- Headers_Host: ""

Change update-conflict logic for booths with existing orders

Changed

PATCH /api/v1.0/Booths/{boothId} no longer returns a conflict when only the booth name is updated.
Updates to Exhibitor or Hall still trigger conflict validation as before.

Bugfix: 500 error during `PUT /Events/

changed

replaced legacy payload from IReadOnlyList<RequestAddonDto> to RequestIdsDto for cleaner and conflict-free update logic.

Jira: CI-546 – MediaMetadata bei Booth-of-Endpunkten

Added

Added Booth MediaMetadata enrichment to GET /api/v1.0/Orders/Of/Event/{eventId}.
Since all order list endpoints share the same pagination pipeline, the following endpoints now also include Booth MediaMetadata:
- GET /api/v1.0/Orders
- GET /api/v1.0/Orders/With/Addon/{addonId}
- GET /api/v1.0/Orders/Of/Exhibitor/{exhibitorId}

Jira: CI-543 – Backend – Neuzuweisen von Ausstellern zu Booths

Changed

Updated business logic for PATCH /api/v1.0/Booths/{boothId}. Refer to Swagger documentation for details.

Jira: CI-542 – Backend – Erstellen von Ausstellern schlägt fehl

Changed

POST /api/v1.0/Exhibitors now returns a RFC 7231-conform 201 Created instead of 200 OK.

Jira: CI-525 – Backend – Es fehlen Endpunkte für Booth CRUD

Added

Added POST /api/v1.0/Booths to create a booth
Added PATCH /api/v1.0/Booths/{boothId} to update a booth
Added DELETE /api/v1.0/Booths/{boothId} to delete a single booth (Booths with existing orders cannot be deleted and will return 409 Conflict)

Jira: CI-533 – Add missing AddonCategory Delete endpoint

Added

add DELETE /api/v1.0/AddonCategories/{int} to remove a single addon-category

Jira: CI-527 – Delete Endpunkt für Halls anlegen

Added

add DELETE /api/v1.0/Halls/{hallId} to remove a single hall.

Jira: CI-519 – Importendpunkt anlegen

Added

added PUT /api/v1.0/Events/{eventId}/Init to batch initialize halls and booths.
introduced RequestEventImportDto for structured import payloads.
introduced ResponseEventImportDto to encapsulate results of the initialization process.

Jira: CI-505 – Backend - Endpunkt zum Updaten aller Eventverknüpfungen für eine Addon Id

Added

added endpoint PUT /api/v1.0/Addons/{addonId}/Events to fully replace all EventAddon links for the specified Addon. This operation synchronizes the complete set of associated events.

Jira: CI-515 – User Rollen über Konfig setzen

Added

add appsettings RoleReplacer to override roles for specific users

Jira: CI-514 – Endpunkte reparieren

Fixed

added missing pagination support to /users/of endpoints (requested by frontend, even though technically unnecessary)

Jira: CI-511 – UserRights per API Endpunkt ausgeben

Added

enriched user endpoints to expose each user's UserRights array.

Fixed

repaired user full-text search by replacing non-translatable filters with SQL-compatible expressions.

Changed

added UserRights property to ResponseUserDto.

Jira: CI-508 – Verwaltung von Orders

Added

added PATCH /api/v1.0/OrderItems/{orderItemId}/Reject to reject individual order items
added PATCH /api/v1.0/Orders/{orderId}/Reject to reject an entire order (useful when issues are not item-scoped)
added PATCH /api/v1.0/Orders/{orderId}/Accept to accept an order

Changed

updated business logic of PUT /api/v1.0/Booths/{boothId}/Order – exhibitor users can no longer update accepted orders

Fixed

corrected response type of GET /api/v1.0/Booths/{boothId}/Order from IEnumerable<ResponseOrderDto> to ResponseOrderDto

REST Naming Convention

⚠️ Breaking Changes

All controller names have been aligned with plural REST naming conventions.

Since the application is still in active development, an internal redirect for clients with poor or missing 3xx redirect handling has not been implemented.
However, requests to outdated routes respond with a 308 Permanent Redirect to their updated counterparts.

As a result, clients that do not properly follow redirects may fail to resolve the requested resource until they are updated to use the new pluralized endpoints.

Changed

renamed ANY /api/v1.0/AddonCategory → ANY /api/v1.0/AddonCategories
renamed ANY /api/v1.0/Addon → ANY /api/v1.0/Addons
renamed ANY /api/v1.0/Booth → ANY /api/v1.0/Booths
renamed ANY /api/v1.0/DigitalBooth → ANY /api/v1.0/DigitalBooths
renamed ANY /api/v1.0/Event → ANY /api/v1.0/Events
renamed ANY /api/v1.0/Exhibitor → ANY /api/v1.0/Exhibitors
renamed ANY /api/v1.0/Hall → ANY /api/v1.0/Halls

Jira: CI-489

Added

Added PATCH /api/v1.0/UserStories/{userStoryDraftId}/Withdraw Allows withdrawing a previously submitted user story draft.

Jira: CI-507 – Extend User Data via API Key

Added

Added GET /api/v1.0/Users/Of/DigitalBooth/{digitalBoothId} to retrieve all users assigned to a given DigitalBooth.
Added GET /api/v1.0/Users/Of/Booth/{boothId} to retrieve all users assigned to a given Booth.
Extended ResponseUserDto - Added new properties: CompanyName, PostalCode, Locality, CustomerNumber, and Street.

Changed

Renamed endpoint GET /api/v1.0/User → GET /api/v1.0/Users for consistency with plural REST resource naming conventions.
GET /api/v1.0/Users now returns a PaginatedResponse<ResponseUserDto> instead of a raw list.

Jira: CI-458

Added

Added GET /api/v1.0/Event/With/Addon/{addonId} endpoint to retrieve a list of event IDs.
Added ResponseIdsDto to provide a generic response type for returning lists of IDs.

Jira: CI-495

Bugfix

Removed legacy Id property from RequestOrderItemDto to prevent SQL identity insert errors.

Changed

RequestOrderItemDto no longer exposes an Id property to ensure API requests cannot trigger invalid identity inserts.

Unnamed Changelog

Added – DevStub for UserAuth

A new development authentication stub (DevStubUserAuth) was introduced to allow local authentication without the external WayAuth service.
This enables developers to work with fake users instead of needing to create real accounts during local development or testing.

To enable it, add the following section to your appsettings.Local.json (or another environment-specific configuration).
Local has hot reloading enabled, allowing live updates to the stub configuration without restarting the backend.

{
  "DevStubUserAuth": {
    "Enabled": true,
    "Users": {
      "admin__1234": {
        "Username": "admin",
        "GivenName": "Alice",
        "Surname": "Adminsson",
        "ScreenName": "AliceA",
        "Email": "alice.adminsson@messeapp.dev",
        "Role": "Admin",
        "PreferredUserName": "alicea",
        "Phone": "+49123456789",
        "Zip": "47574",
        "City": "Goch",
        "Company": "MesseApp Dev GmbH",
        "Street": "Beispielstraße",
        "HouseNumber": "5",
        "CustomerNumber": "123568975"
      }
    }
  }
}

Each user key is a combination of username__password.

The stub automatically replaces the real RequestWayUserAuth implementation whenever "DevStubUserAuth.Enabled": true in configuration.

Jira: CI-465

⚠️ Breaking Changes

JWT structure updated:
The previous dual-token approach (Way JWT + Rights JWT) has been replaced with a single, fully self-contained JWT.
Any external systems parsing or validating tokens must be updated accordingly.
API key handling implemented:
API keys are now fully functional within the authentication pipeline.
API keys must be exchanged for a JWT via POST api/v1.0/Auth/ApiKey.
Requests using legacy API key headers will no longer be accepted.
Configuration structure changed:
API key definitions have been moved to appsettings.ApiKeys.json.
Deployments must ensure this file is present and properly configured; otherwise, API key authentication will fail.
User endpoint removed:
The endpoint GET api/v1.0/User/Claims has been removed.
Use the new JWT-based token introspection flow to determine user identity and rights.

Added

Introduced a new POST api/v1.0/Auth/ApiKey endpoint that allows registered API keys to obtain a signed JWT for API access.
Introduced a new POST api/v1.0/Auth/User endpoint that allows Chefsculinar user logins to obtain a signed JWT for API access.
Introduced a new POST api/v1.0/Auth/Refresh endpoint to refresh existing JWTs. (Requires the previous access token as part of the request.)
Added a global unhandled-exception middleware to improve observability and consistency of error responses.
Added extensive configuration validation to prevent runtime errors caused by invalid or incomplete settings.
Added new DTOs to support the updated authentication flow:
- RequestApiKeyDto – used for API key authentication
- RequestCredentialsDto – used for user authentication
- RequestRefreshTokenDto – used for token refresh operations

Changed

All api/v1.0/Jobs endpoints now require either a valid API key or a logged-in admin user ( Role: administrator).
The authentication and authorization flow has been fully refactored.
The system no longer uses the combined Way JWT + Rights JWT model,
but now issues a single self-contained JWT that complies with official standards (see Breaking Changes above).
API key configurations have been moved into a dedicated, isolated configuration file ( appsettings.apikeys.json)
and now support runtime hot-reloading.
Extended ResponseTokenDto to include additional fields required by the new authentication process.

Removed

Removed GET api/v1.0/User/Claims in favor of the new unified authentication system.

Jira: CI-363

Removed

Removed property PreviousUserStoryId from RequestUserStoryDraftDto → It's determent in the backend now.

Jira: CI-483

Added

Add bool query parameter mail to PUT /api/v1.0/Booth/{boothId}/Order, adding the current user’s email in the submit confirmation mail.

Jira: CI-480

Breaking change
This Jira introduces a major architectural refactoring regarding Booth-Order handling.
As a result, related endpoints will break in implementing systems and DTOs have been partly to heavily altered.

All ResponseOrderDtos underwent the same updates as the RequestOrderDtos.
To avoid redundancy, the changes are only listed once and apply to both request and response DTO scopes.

Added

Added property Comment to RequestOrderItemDto (previously part of RequestOrderDto).
Created a new DTO RequestOrderDto, replacing the old one.

Changed

GET /api/v1.0/Booth/{boothId}/Orders → GET /api/v1.0/Booth/{boothId}/Order Now returns a single Order object instead of a list of OrderItems.
PUT /api/v1.0/Booth/{boothId}/Orders → PUT /api/v1.0/Booth/{boothId}/Order Now accepts and returns a single Order object instead of a list of OrderItems.
GET /api/v1.0/Orders/Of/Addon/{addonId} → GET /api/v1.0/Orders/With/Addon/{addonId} Behavior changed: now returns all orders that include the given addon as part of their OrderItems.
The old RequestOrderDto was renamed to RequestOrderItemDto.
Property ResponseBoothDto.Orders renamed to Order. Returns a single ResponseOrderDto (previously a list of ResponseOrderItemDto).

Removed

Due to circular dependencies, ResponseBoothDtoUp no longer includes the Order property.

Jira: CI-466

Added

Added GET /api/v1.0/Event/{eventId}/Media, to retrieve all media of an Event.
Added PATCH /api/v1.0/Event/{eventId}/Media, to update Event-Metadata.
Added GET /api/v1.0/Hall/{hallId}/Media, to retrieve all media of a hall.
Added PATCH /api/v1.0/Hall/{hallId}/Media, to update HallMetadata.

Changed

Moved /api/v1.0/Booth/{boothId}/Media/{mediaId} → /api/v1.0/Booth/{boothId}/Media.
/api/v1.0/Booth/{boothId}/Media now accepts RequestUpdateMediaMetadataDto instead of RequestUpdateMediaMetadataDto.
Added property MediaMetadata to ResponseHallDtoDown.

Jira: CI-427:

Added

Added endpoint GET /api/v1.0/Exhibitor/Of/Category/{exhibitorCategoryId} to retrieve all exhibitors that belong to a specific exhibitor category.
Added endpoint GET /api/v1.0/Exhibitor/Of/Category/0 to retrieve all exhibitors that are not assigned to any exhibitor category.
Added endpoint GET /api/v1.0/ExhibitorCategories to retrieve a paginated list of all exhibitor categories.
Added endpoint POST /api/v1.0/ExhibitorCategories to create a new exhibitor category.
Added endpoint PATCH /api/v1.0/ExhibitorCategories to update an existing exhibitor category.
Added endpoint DELETE /api/v1.0/ExhibitorCategories/{exhibitorCategoryId} to delete an exhibitor category by ID.
Added endpoint PUT /api/v1.0/ExhibitorCategories/{exhibitorCategoryId}/Media to assign media metadata to an exhibitor category.
Added endpoint POST /api/v1.0/ExhibitorCategories/{exhibitorCategoryId}/Exhibitors to mass-assign multiple exhibitors to a category.
Added endpoint PATCH /api/v1.0/ExhibitorCategories/{exhibitorCategoryId}/Exhibitors/Add/{exhibitorId} to add a single exhibitor to a category.
Added endpoint PATCH /api/v1.0/ExhibitorCategories/{exhibitorCategoryId}/Exhibitors/Remove/{exhibitorId} to remove a single exhibitor from a category.
Added ResponseExhibitorCategoryDto.ExhibitorCount so UIs can show but disable categories with zero Exhibitors.

Changed

Renamed RequestEventIdsDto → RequestIdsDto to make it reusable.

Removed

Removed legacy property ResponseDigitalBoothDataDto.Exhibitor.

Jira: CI-454

Added

Added signed endpoint /api/v1.0/DigitalBooth/{digitalBoothId}/Drafts/Preview to receive UserStoryDraft preview data in the same format as live data.

Changed

Several endpoints that previously returned a list of UserStoryDrafts and said empty string now return the signed link required to call the new preview endpoint.

Jira: CI-361

Added

Added DELETE /api/v1.0/Booth/{boothId}/Unassign/{userId} to remove a user from a booth.
Added GET /api/v1.0/Booth/Of/Exhibitor/{exhibitorId} to retrieve paginated booths for a specific exhibitor.
Added ResponseBoothDtoUp to support updated booth responses including exhibitor information.

Changed

ResponseBoothDto now includes Exhibitor and Event properties.
Updated user search functionality to perform filtering across Email, FirstName, and LastName.

Jira: CI-456

Added

Added /api/v1.0/DigitalBooth/{digitalBoothId}/UserStoryDrafts/Submit to mark all drafts of a DigitalBooth as ready for review.
Added RequestUpdateUserStoryDraftDto.cs for the new PATCH /api/v1.0/UserStories endpoint.
Added Submitted property to ResponseUserStoryDraftDto.cs to expose the submit status of a draft.

Changed

Moved /api/v1.0/Exhibitor/{exhibitorId}/UserStories/Drafts →
/api/v1.0/DigitalBooth/{digitalBoothId}/Drafts.
Updated all endpoints that previously returned a plain list of user story drafts to now return
the new ResponseUserStoryDraftDtos DTO.
Renamed /api/v1.0/UserStories/{digitalBoothId} →
/api/v1.0/UserStories/Of/DigitalBooth/{digitalBoothId} for consistent endpoint naming.
Split [POST & PATCH] /api/v1.0/UserStories into two separate methods
(no changes to the actual routes).
Updated Swagger-UI to automatically match the user's preferred theme (light/dark).
Updated all UserStoryDraft responses to use ResponseUserStoryDraftDtos.cs,
which will later include a presigned link to generate user story data as if all drafts were approved.

Untracked Job

Added

Added PATCH /api/v1.0/Addon/{addonId}/Events to associate the given addon with all events in the payload.

Changed

Replaced custom UI file provider with the default implementation.

Jira: CI-438

Added

Added API key requirement for all job endpoints to prepare for potential public availability.
→ Configurable via appsettings.json (implementation still requires further refinement).
Introduced the ability to make specific API endpoints publicly accessible through the "ApiKeys" configuration section.
⚠️ This feature is partially hardcoded and not yet fully finalized, but can already be used by other systems for early integration or testing purposes.
Added support for enabling the ChefsInspiration event import via the "ChefsInspirationEventImportOptions" configuration section.

Changed

Changed GET /api/v1.0/Jobs/EventImportJob → POST /api/v1.0/Jobs/EventImportJob.
Changed GET /api/v1.0/Jobs/EndOfRegistrationScanJob → POST /api/v1.0/Jobs/EndOfRegistrationScanJob.
Made role identifiers lowercase to match the case-sensitive conventions used by other systems.
The ESB service API key is no longer included in the default appsettings.json file.

Jira: CI-358

Added

Added GET /api/v1.0/addoncategory to retrieve a paginated list of available add-on categories
Added POST /api/v1.0/addoncategory to create a new add-on category
Added PATCH /api/v1.0/addoncategory/{addonCategoryId} to update an existing add-on category
Added POST /api/v1.0/addon/{addonId}/media to update its respective media
Added DELETE /api/v1.0/media/{mediaMetadataId} to delete a specific media entry + bucket blob ( available for moderators and higher)
Added ArchitectureInfo.md to the documentation

Changed

Addons now can have media
Name property is now a key
Media uploads now respect per-resource rules (append vs. replace), instead of always appending

Removed

Removed POST /api/v1.0/exhibitor/{exhibitorId}/media as it was not needed

Hotfix:

Changed

Changed PATCH /api/v1.0/Booth/{boothId}/Media → PATCH /api/v1.0/Booth/{boothId}/Media/{mediaId} to enhance security

Jira: CI-425

Added

added user-story-question types: Undefined, Image, Video

Jira: CI-424

Added

added download links to UserStory GET endpoints

Change

the expiry of Up- / Download links is now configured via appsettings

Jira: CI-360

Added

Added GET /api/v1.0/addon to retrieve a paginated list of available addons
Added GET /api/v1.0/orders → all order endpoints include respective exhibitors and events
Added GET /api/v1.0/orders/of/addon/{addonId} to retrieve a paginated list of orders for a specific addon
Added GET /api/v1.0/orders/of/event/{eventId} to retrieve a paginated list of orders for a specific event
Added GET /api/v1.0/orders/of/exhibitor/{exhibitorId} to retrieve a paginated list of orders for a specific exhibitor

Changed

Introduced -Up and -Down DTO variants to prevent circular dependencies. see docs

HotFix [untested]:

Added

Added PUT /api/v1.0/DigitalBooth/{digitalBoothId}/Media/Logo preparing scope unique Logo
Added PUT /api/v1.0/DigitalBooth/{digitalBoothId}/Media/Splash preparing scope unique SplashArt

Changed

GET /api/v1.0/DigitalBooth/{digitalBoothId} now returns Logo and Splash as Metadata
GET /api/v1.0/Exhibitor/{exhibitorId} now contains DigitalBooth Data with Logo and Splash as Metadata

Jira: CI-355

Added

Added ObjectKey property to ResponseMediaMetadataDto
Added shared MediaDataValidator and configurable MetadataPolicyOptions
Added GET /api/v1.0/booth/{boothId}/media to retrieve media metadata for a booth
Added PATCH /api/v1.0/booth/{boothId}/media
Added PATCH /api/v1.0/booth/{boothId}/media/{mediaMetadataId}/reject
Added DELETE /api/v1.0/booth/{boothId}/media/{mediaMetadataId}
Added POST /api/v1.0/hall/{hallId}/media
Added PATCH /api/v1.0/media/{mediaMetadataId}/accept
Added GET /api/v1.0/user to retrieve paginated users

Changed

/api/v1.0/user/rights → /api/v1.0/user/claims
UserClaims now include a Subject property containing their respective IDs
UserClaims now include the Shared.Models.User.ExhibitorClaimKey claim containing the respective Exhibitor (can be empty)
User has been drastically refactored – we now store a read-only dataset of the user

Removed

Removed PATCH /api/v1.0/media/{mediaMetadataId}/status