OneTimeAuthentificationLink
10.1.1
Rother OSS GmbH
https://rother-oss.com/
GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007
Update to OTOBO 10.1.
Automatically creates customer users and gives them access via one time authentification tokens.
10.0.x
2022-09-22 06:25:18
opms
# --
# OTOBO is a web-based ticketing system for service organisations.
# --
# Copyright (C) 2001-2020 OTRS AG, https://otrs.com/
# Copyright (C) 2019-2022 Rother OSS GmbH, https://otobo.de/
# --
# $origin: otobo - e894aef610208fdc401a4df814ca59658292fbba - Kernel/System/CustomerAuth.pm
# --
# This program is free software: you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
# Foundation, either version 3 of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# --

package Kernel::System::CustomerAuth;

use strict;
use warnings;

use Kernel::Language qw(Translatable);

our @ObjectDependencies = (
    'Kernel::Config',
    'Kernel::System::CustomerUser',
    'Kernel::System::DateTime',
    'Kernel::System::Log',
    'Kernel::System::Main',
    'Kernel::System::SystemMaintenance',
);

=head1 NAME

Kernel::System::CustomerAuth - customer authentication module.

=head1 DESCRIPTION

The authentication module for the customer interface.

=head1 PUBLIC INTERFACE

=head2 new()

Don't use the constructor directly, use the ObjectManager instead:

    my $CustomerAuthObject = $Kernel::OM->Get('Kernel::System::CustomerAuth');

=cut

sub new {
    my ( $Type, %Param ) = @_;

    # allocate new hash for object
    my $Self = {};
    bless( $Self, $Type );

    # get needed objects
    my $MainObject   = $Kernel::OM->Get('Kernel::System::Main');
    my $ConfigObject = $Kernel::OM->Get('Kernel::Config');

    # load auth modules
    COUNT:
    for my $Count ( '', 1 .. 10 ) {

        my $GenericModule = $ConfigObject->Get("Customer::AuthModule$Count");

        next COUNT if !$GenericModule;

        if ( !$MainObject->Require($GenericModule) ) {
            $MainObject->Die("Can't load backend module $GenericModule! $@");
        }

        $Self->{"AuthBackend$Count"} = $GenericModule->new( %{$Self}, Count => $Count );
    }

    # load 2factor auth modules
    COUNT:
    for my $Count ( '', 1 .. 10 ) {

        my $GenericModule = $ConfigObject->Get("Customer::AuthTwoFactorModule$Count");

        next COUNT if !$GenericModule;

        if ( !$MainObject->Require($GenericModule) ) {
            $MainObject->Die("Can't load backend module $GenericModule! $@");
        }

        $Self->{"AuthTwoFactorBackend$Count"} = $GenericModule->new( %{$Self}, Count => $Count );
    }

    # Initialize last error message
    $Self->{LastErrorMessage} = '';

    return $Self;
}

=head2 GetOption()

Get module options. Currently there is just one option, "PreAuth".

    if ( $AuthObject->GetOption( What => 'PreAuth' ) ) {
        print "No login screen is needed. Authentication is based on some other options. E. g. $ENV{REMOTE_USER}\n";
    }

=cut

sub GetOption {
    my ( $Self, %Param ) = @_;

    return $Self->{AuthBackend}->GetOption(%Param);
}

# Rother OSS / OneTimeAuthenticationLink
=head2 ExtendedParamNames()

Get names of extended params which provide authentification information

    my @ParamNames = $AuthObject->ExtendedParamNames();

=cut

sub ExtendedParamNames {
    my ( $Self, %Param ) = @_;

    my %Names;
    COUNT:
    for ( '', 1 .. 10 ) {
        next COUNT if !$Self->{"AuthBackend$_"};
        next COUNT if !$Self->{"AuthBackend$_"}->can('ExtendedParamNames');

        for my $ExtName ( $Self->{"AuthBackend$_"}->ExtendedParamNames() ) {
            $Names{$ExtName} = 1;
        }
    }

    return ( keys %Names );
}
# EO OneTimeAuthenticationLink

=head2 Auth()

The authentication function.

    if ( $AuthObject->Auth( User => $User, Pw => $Pw ) ) {
        print "Auth ok!\n";
    }
    else {
        print "Auth invalid!\n";
    }

=cut

sub Auth {
    my ( $Self, %Param ) = @_;

    # get customer user object
    my $CustomerUserObject = $Kernel::OM->Get('Kernel::System::CustomerUser');
    my $ConfigObject       = $Kernel::OM->Get('Kernel::Config');

    # use all 11 auth backends and return on first true
    my $User;
    COUNT:
    for my $Count ( '', 1 .. 10 ) {

        # next on no config setting
        next COUNT if !$Self->{"AuthBackend$Count"};

        # check auth backend
        $User = $Self->{"AuthBackend$Count"}->Auth(%Param);

# Rother OSS / OneTimeAuthenticationLink
        if ( ref $User && ref $User eq 'HASH' && $User->{Error} ) {
            $Self->{LastErrorMessage} = $User->{Error};
            return;
        }
# EO OneTimeAuthenticationLink

        # next on no success
        next COUNT if !$User;

        # check 2factor auth backends
        my $TwoFactorAuth;
        TWOFACTORSOURCE:
        for my $Count ( '', 1 .. 10 ) {

            # return on no config setting
            next TWOFACTORSOURCE if !$Self->{"AuthTwoFactorBackend$Count"};

            # 2factor backend
            my $AuthOk = $Self->{"AuthTwoFactorBackend$Count"}->Auth(
                TwoFactorToken => $Param{TwoFactorToken},
                User           => $User,
            );
            $TwoFactorAuth = $AuthOk ? 'passed' : 'failed';

            last TWOFACTORSOURCE if $AuthOk;
        }

        # if at least one 2factor auth backend was checked but none was successful,
        # it counts as a failed login
        if ( $TwoFactorAuth && $TwoFactorAuth ne 'passed' ) {
            $User = undef;
            last COUNT;
        }

        # remember auth backend
        if ($User) {
            $CustomerUserObject->SetPreferences(
                Key    => 'UserAuthBackend',
                Value  => $Count,
                UserID => $User,
            );

            last COUNT;
        }
    }

    # check if record exists
    if ( !$User ) {
        my %CustomerData = $CustomerUserObject->CustomerUserDataGet( User => $Param{User} );
        if (%CustomerData) {
            my $Count = $CustomerData{UserLoginFailed} || 0;
            $Count++;
            $CustomerUserObject->SetPreferences(
                Key    => 'UserLoginFailed',
                Value  => $Count,
                UserID => $CustomerData{UserLogin},
            );
        }
        return;
    }

    # check if user is valid
    my %CustomerData = $CustomerUserObject->CustomerUserDataGet( User => $User );
    if ( defined $CustomerData{ValidID} && $CustomerData{ValidID} ne 1 ) {
        $Kernel::OM->Get('Kernel::System::Log')->Log(
            Priority => 'notice',
            Message  => "CustomerUser: '$User' is set to invalid, can't login!",
        );
        return;
    }

    return $User if !%CustomerData;

    # reset failed logins
    $CustomerUserObject->SetPreferences(
        Key    => 'UserLoginFailed',
        Value  => 0,
        UserID => $CustomerData{UserLogin},
    );

    # on system maintenance customers
    # shouldn't be allowed get into the system
    my $ActiveMaintenance = $Kernel::OM->Get('Kernel::System::SystemMaintenance')->SystemMaintenanceIsActive();

    # check if system maintenance is active
    if ($ActiveMaintenance) {

        $Self->{LastErrorMessage} =
            $ConfigObject->Get('SystemMaintenance::IsActiveDefaultLoginErrorMessage')
            || Translatable("It is currently not possible to login due to a scheduled system maintenance.");

        return;
    }

    # last login preferences update
    my $DateTimeObject = $Kernel::OM->Create('Kernel::System::DateTime');

    $CustomerUserObject->SetPreferences(
        Key    => 'UserLastLogin',
        Value  => $DateTimeObject->ToEpoch(),
        UserID => $CustomerData{UserLogin},
    );

    return $User;
}

=head2 PreAuth()

Call the PreAuth method of the AuthBackend

    my $PreAuthInfo = $AuthObject->PreAuth(
        RequestedURL => $RequestedURL,
    );

=cut

sub PreAuth {
    my ( $Self, %Param ) = @_;

    return if !$Self->{AuthBackend}->can('PreAuth');

    return $Self->{AuthBackend}->PreAuth(%Param);
}

=head2 PostAuth()

Call the PostAuth method of the AuthBackend

    my $PostAuthInfo = $AuthObject->PostAuth();

=cut

sub PostAuth {
    my ( $Self, %Param ) = @_;

    return if !$Self->{AuthBackend}->can('PostAuth');

    return $Self->{AuthBackend}->PostAuth(%Param);
}

=head2 Logout()

Call the Logout method of the AuthBackend

    my $LogoutInfo = $AuthObject->Logout();

=cut

sub Logout {
    my ( $Self, %Param ) = @_;

    return if !$Self->{AuthBackend}->can('Logout');

    return $Self->{AuthBackend}->Logout(%Param);
}

=head2 GetLastErrorMessage()

Retrieve $Self->{LastErrorMessage} content.

    my $AuthErrorMessage = $AuthObject->GetLastErrorMessage();

    Result:

        $AuthErrorMessage = "An error string message.";

=cut

sub GetLastErrorMessage {
    my ( $Self, %Param ) = @_;

    return $Self->{LastErrorMessage};
}

1;

# --
# OTOBO is a web-based ticketing system for service organisations.
# --
# Copyright (C) 2001-2020 OTRS AG, https://otrs.com/
# Copyright (C) 2019-2022 Rother OSS GmbH, https://otobo.de/
# --
# $origin: otobo - e894aef610208fdc401a4df814ca59658292fbba - Kernel/System/TemplateGenerator.pm
# --
# This program is free software: you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
# Foundation, either version 3 of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# --

package Kernel::System::TemplateGenerator;
## nofilter(TidyAll::Plugin::OTOBO::Perl::LayoutObject)

use strict;
use warnings;

use Kernel::Language;

use Kernel::System::VariableCheck qw(:all);

our @ObjectDependencies = (
    'Kernel::Config',
    'Kernel::System::AutoResponse',
    'Kernel::System::CommunicationChannel',
    'Kernel::System::CustomerUser',
    'Kernel::System::DynamicField',
    'Kernel::System::DynamicField::Backend',
    'Kernel::System::Encode',
    'Kernel::System::HTMLUtils',
    'Kernel::System::Log',
    'Kernel::System::Queue',
    'Kernel::System::Salutation',
    'Kernel::System::Signature',
    'Kernel::System::StandardTemplate',
    'Kernel::System::SystemAddress',
    'Kernel::System::Ticket',
    'Kernel::System::Ticket::Article',
    'Kernel::System::User',
    'Kernel::Output::HTML::Layout',
    'Kernel::System::DateTime',
);

=head1 NAME

Kernel::System::TemplateGenerator - signature lib

=head1 DESCRIPTION

All signature functions.

=head1 PUBLIC INTERFACE

=head2 new()

Don't use the constructor directly, use the ObjectManager instead:

    my $TemplateGeneratorObject = $Kernel::OM->Get('Kernel::System::TemplateGenerator');

=cut

sub new {
    my ( $Type, %Param ) = @_;

    # allocate new hash for object
    my $Self = {};
    bless( $Self, $Type );

    $Self->{RichText} = $Kernel::OM->Get('Kernel::Config')->Get('Frontend::RichText');

    return $Self;
}

=head2 Salutation()

generate salutation

    my $Salutation = $TemplateGeneratorObject->Salutation(
        TicketID => 123,
        UserID   => 123,
        Data     => $ArticleHashRef,
    );

returns
    Text
    ContentType

=cut

sub Salutation {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    for (qw(TicketID Data UserID)) {
        if ( !$Param{$_} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $_!"
            );
            return;
        }
    }

    # Get ticket.
    my %Ticket = $Kernel::OM->Get('Kernel::System::Ticket')->TicketGet(
        TicketID      => $Param{TicketID},
        DynamicFields => 1,
    );

    # Get queue.
    my %Queue = $Kernel::OM->Get('Kernel::System::Queue')->QueueGet(
        ID => $Ticket{QueueID},
    );

    # Get salutation.
    my %Salutation = $Kernel::OM->Get('Kernel::System::Salutation')->SalutationGet(
        ID => $Queue{SalutationID},
    );

    # do text/plain to text/html convert
    if ( $Self->{RichText} && $Salutation{ContentType} =~ /text\/plain/i ) {
        $Salutation{ContentType} = 'text/html';
        $Salutation{Text}        = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToHTML(
            String => $Salutation{Text},
        );
    }

    # do text/html to text/plain convert
    if ( !$Self->{RichText} && $Salutation{ContentType} =~ /text\/html/i ) {
        $Salutation{ContentType} = 'text/plain';
        $Salutation{Text}        = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToAscii(
            String => $Salutation{Text},
        );
    }

    # get list unsupported tags for standard template
    my @ListOfUnSupportedTag = qw(OTOBO_AGENT_SUBJECT OTOBO_AGENT_BODY OTOBO_CUSTOMER_BODY OTOBO_CUSTOMER_SUBJECT);

    my $SalutationText = $Self->_RemoveUnSupportedTag(
        Text                 => $Salutation{Text} || '',
        ListOfUnSupportedTag => \@ListOfUnSupportedTag,
    );

    # replace place holder stuff
    $SalutationText = $Self->_Replace(
        RichText   => $Self->{RichText},
        Text       => $SalutationText,
        TicketData => \%Ticket,
        Data       => $Param{Data},
        UserID     => $Param{UserID},
    );

    # add urls
    if ( $Self->{RichText} ) {
        $SalutationText = $Kernel::OM->Get('Kernel::System::HTMLUtils')->LinkQuote(
            String => $SalutationText,
        );
    }

    return $SalutationText;
}

=head2 Signature()

generate salutation

    my $Signature = $TemplateGeneratorObject->Signature(
        TicketID => 123,
        UserID   => 123,
        Data     => $ArticleHashRef,
    );

or

    my $Signature = $TemplateGeneratorObject->Signature(
        QueueID => 123,
        UserID  => 123,
        Data    => $ArticleHashRef,
    );

returns
    Text
    ContentType

=cut

sub Signature {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    for (qw(Data UserID)) {
        if ( !$Param{$_} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $_!"
            );
            return;
        }
    }

    # need ticket id or queue id
    if ( !$Param{TicketID} && !$Param{QueueID} ) {
        $Kernel::OM->Get('Kernel::System::Log')->Log(
            Priority => 'error',
            Message  => 'Need TicketID or QueueID!'
        );
        return;
    }

    # Get ticket data.
    my %Ticket;
    if ( $Param{TicketID} ) {
        %Ticket = $Kernel::OM->Get('Kernel::System::Ticket')->TicketGet(
            TicketID      => $Param{TicketID},
            DynamicFields => 1,
        );
    }

    # Get queue.
    my %Queue = $Kernel::OM->Get('Kernel::System::Queue')->QueueGet(
        ID => $Ticket{QueueID} || $Param{QueueID},
    );

    # Get signature.
    my %Signature = $Kernel::OM->Get('Kernel::System::Signature')->SignatureGet(
        ID => $Queue{SignatureID},
    );

    # do text/plain to text/html convert
    if ( $Self->{RichText} && $Signature{ContentType} =~ /text\/plain/i ) {
        $Signature{ContentType} = 'text/html';
        $Signature{Text}        = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToHTML(
            String => $Signature{Text},
        );
    }

    # do text/html to text/plain convert
    if ( !$Self->{RichText} && $Signature{ContentType} =~ /text\/html/i ) {
        $Signature{ContentType} = 'text/plain';
        $Signature{Text}        = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToAscii(
            String => $Signature{Text},
        );
    }

    # get list unsupported tags for standard template
    my @ListOfUnSupportedTag = qw(OTOBO_AGENT_SUBJECT OTOBO_AGENT_BODY OTOBO_CUSTOMER_BODY OTOBO_CUSTOMER_SUBJECT);

    my $SignatureText = $Self->_RemoveUnSupportedTag(
        Text                 => $Signature{Text} || '',
        ListOfUnSupportedTag => \@ListOfUnSupportedTag,
    );

    # replace place holder stuff
    $SignatureText = $Self->_Replace(
        RichText   => $Self->{RichText},
        Text       => $SignatureText,
        TicketData => \%Ticket,
        Data       => $Param{Data},
        QueueID    => $Param{QueueID},
        UserID     => $Param{UserID},
    );

    # add urls
    if ( $Self->{RichText} ) {
        $SignatureText = $Kernel::OM->Get('Kernel::System::HTMLUtils')->LinkQuote(
            String => $SignatureText,
        );
    }

    return $SignatureText;
}

=head2 Sender()

generate sender address (FROM string) for emails

    my $Sender = $TemplateGeneratorObject->Sender(
        QueueID    => 123,
        UserID     => 123,
    );

returns:

    John Doe at Super Support <service@example.com>

and it returns the quoted real name if necessary

    "John Doe, Support" <service@example.tld>

=cut

sub Sender {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    for (qw( UserID QueueID)) {
        if ( !$Param{$_} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $_!"
            );
            return;
        }
    }

    # get sender attributes
    my %Address = $Kernel::OM->Get('Kernel::System::Queue')->GetSystemAddress(
        QueueID => $Param{QueueID},
    );

    # get config object
    my $ConfigObject = $Kernel::OM->Get('Kernel::Config');

    # check config for agent real name
    my $UseAgentRealName = $ConfigObject->Get('Ticket::DefineEmailFrom');
    if ( $UseAgentRealName && $UseAgentRealName =~ /^(AgentName|AgentNameSystemAddressName)$/ ) {

        # get data from current agent
        my %UserData = $Kernel::OM->Get('Kernel::System::User')->GetUserData(
            UserID        => $Param{UserID},
            NoOutOfOffice => 1,
        );

        # set real name with user name
        if ( $UseAgentRealName eq 'AgentName' ) {

            # check for user data
            if ( $UserData{UserFullname} ) {

                # rewrite RealName
                $Address{RealName} = "$UserData{UserFullname}";
            }
        }

        # set real name with user name
        if ( $UseAgentRealName eq 'AgentNameSystemAddressName' ) {

            # check for user data
            if ( $UserData{UserFullname} ) {

                # rewrite RealName
                my $Separator = ' ' . $ConfigObject->Get('Ticket::DefineEmailFromSeparator')
                    || '';
                $Address{RealName} = $UserData{UserFullname} . $Separator . ' ' . $Address{RealName};
            }
        }
    }

    # prepare realname quote
    if ( $Address{RealName} =~ /([.]|,|@|\(|\)|:)/ && $Address{RealName} !~ /^("|')/ ) {
        $Address{RealName} =~ s/"//g;    # remove any quotes that are already present
        $Address{RealName} = '"' . $Address{RealName} . '"';
    }
    my $Sender = "$Address{RealName} <$Address{Email}>";

    return $Sender;
}

=head2 Template()

generate template

    my $Template = $TemplateGeneratorObject->Template(
        TemplateID => 123
        TicketID   => 123,                  # Optional
        Data       => $ArticleHashRef,      # Optional
        UserID     => 123,
    );

Returns:

    $Template =>  'Some text';

=cut

sub Template {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    for (qw(TemplateID UserID)) {
        if ( !$Param{$_} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $_!"
            );
            return;
        }
    }

    my %Template = $Kernel::OM->Get('Kernel::System::StandardTemplate')->StandardTemplateGet(
        ID => $Param{TemplateID},
    );

    # do text/plain to text/html convert
    if (
        $Self->{RichText}
        && $Template{ContentType} =~ /text\/plain/i
        && $Template{Template}
        )
    {
        $Template{ContentType} = 'text/html';
        $Template{Template}    = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToHTML(
            String => $Template{Template},
        );
    }

    # do text/html to text/plain convert
    if (
        !$Self->{RichText}
        && $Template{ContentType} =~ /text\/html/i
        && $Template{Template}
        )
    {
        $Template{ContentType} = 'text/plain';
        $Template{Template}    = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToAscii(
            String => $Template{Template},
        );
    }

    # Get user language.
    my $Language;
    my %Ticket;
    if ( defined $Param{TicketID} ) {

        # Get ticket data.
        %Ticket = $Kernel::OM->Get('Kernel::System::Ticket')->TicketGet(
            TicketID      => $Param{TicketID},
            DynamicFields => 1,
        );

        # Get recipient.
        my %User = $Kernel::OM->Get('Kernel::System::CustomerUser')->CustomerUserDataGet(
            User => $Ticket{CustomerUserID},
        );
        $Language = $User{UserLanguage};
    }

    # If template type is 'Create' and there is customer user information, treat it as a ticket param in order to
    # correctly replace customer user tags. See bug#14455.
    if ( $Template{TemplateType} eq 'Create' && $Param{CustomerUserID} ) {
        $Ticket{CustomerUserID} = $Param{CustomerUserID};
    }

    # if customer language is not defined, set default language
    $Language //= $Kernel::OM->Get('Kernel::Config')->Get('DefaultLanguage') || 'en';

    # get list unsupported tags for standard template
    my @ListOfUnSupportedTag = qw(OTOBO_AGENT_SUBJECT OTOBO_AGENT_BODY OTOBO_CUSTOMER_BODY OTOBO_CUSTOMER_SUBJECT);

    my %SupportedTypes = (
        Answer  => 1,
        Forward => 1,
        Note    => 1,
    );

    my $TemplateText = $Template{Template} || '';
    my $TemplateType = $Template{TemplateType};

    # Remove unsupported tags only for some template types.
    if ( !$SupportedTypes{ $Template{TemplateType} } ) {
        $TemplateText = $Self->_RemoveUnSupportedTag(
            Text                 => $Template{Template} || '',
            ListOfUnSupportedTag => \@ListOfUnSupportedTag,
        );

        # Reset template type for unsupported tag.
        $TemplateType = '';
    }

    # replace place holder stuff
    $TemplateText = $Self->_Replace(
        RichText   => $Self->{RichText},
        Text       => $TemplateText || '',
        TicketData => \%Ticket,
        Data       => $Param{Data} || {},
        UserID     => $Param{UserID},
        Language   => $Language,
        Template   => $TemplateType,
    );

    if ( $Self->{RichText} ) {
        $TemplateText =~ s/&lt;/</g;
        $TemplateText =~ s/&gt;/>/g;
        $TemplateText =~ s/&quot;/"/g;
        $TemplateText =~ s/&apos;/'/g;
        $TemplateText =~ s/&nbsp;/ /g;
    }

    return $TemplateText;
}

=head2 GenericAgentArticle()

generate internal or external notes

    my $GenericAgentArticle = $TemplateGeneratorObject->GenericAgentArticle(
        Notification    => $NotificationDataHashRef,
        TicketID        => 123,
        UserID          => 123,
        Data            => $ArticleHashRef,             # Optional
    );

=cut

sub GenericAgentArticle {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    for (qw(TicketID Notification UserID)) {
        if ( !$Param{$_} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $_!"
            );
            return;
        }
    }

    my %Template = %{ $Param{Notification} };

    # get ticket object
    my $TicketObject = $Kernel::OM->Get('Kernel::System::Ticket');

    # Get ticket data.
    my %Ticket = $TicketObject->TicketGet(
        TicketID      => $Param{TicketID},
        DynamicFields => 1,
    );

    # do text/plain to text/html convert
    if (
        $Self->{RichText}
        && $Template{ContentType} =~ /text\/plain/i
        && $Template{Body}
        )
    {
        $Template{ContentType} = 'text/html';
        $Template{Body}        = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToHTML(
            String => $Template{Body},
        );
    }

    # do text/html to text/plain convert
    if (
        !$Self->{RichText}
        && $Template{ContentType} =~ /text\/html/i
        && $Template{Body}
        )
    {
        $Template{ContentType} = 'text/plain';
        $Template{Body}        = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToAscii(
            String => $Template{Body},
        );
    }

    # replace place holder stuff
    $Template{Body} = $Self->_Replace(
        RichText   => $Self->{RichText},
        Text       => $Template{Body},
        Recipient  => $Param{Recipient},
        Data       => $Param{Data} || {},
        TicketData => \%Ticket,
        UserID     => $Param{UserID},
    );
    $Template{Subject} = $Self->_Replace(
        RichText   => 0,
        Text       => $Template{Subject},
        Recipient  => $Param{Recipient},
        Data       => $Param{Data} || {},
        TicketData => \%Ticket,
        UserID     => $Param{UserID},
    );

    $Template{Subject} = $TicketObject->TicketSubjectBuild(
        TicketNumber => $Ticket{TicketNumber},
        Subject      => $Template{Subject} || '',
        Type         => 'New',
    );

    # add URLs and verify to be full HTML document
    if ( $Self->{RichText} ) {

        $Template{Body} = $Kernel::OM->Get('Kernel::System::HTMLUtils')->LinkQuote(
            String => $Template{Body},
        );
    }

    return %Template;
}

=head2 Attributes()

generate attributes

    my %Attributes = $TemplateGeneratorObject->Attributes(
        TicketID   => 123,
        ArticleID  => 123,
        ResponseID => 123
        UserID     => 123,
        Action     => 'Forward', # Possible values are Reply and Forward, Reply is default.
    );

returns
    StandardResponse
    Salutation
    Signature

=cut

sub Attributes {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    for (qw(TicketID Data UserID)) {
        if ( !$Param{$_} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $_!"
            );
            return;
        }
    }

    # get ticket object
    my $TicketObject = $Kernel::OM->Get('Kernel::System::Ticket');

    # get queue
    my %Ticket = $TicketObject->TicketGet(
        TicketID      => $Param{TicketID},
        DynamicFields => 0,
    );

    # prepare subject ...
    $Param{Data}->{Subject} = $TicketObject->TicketSubjectBuild(
        TicketNumber => $Ticket{TicketNumber},
        Subject      => $Param{Data}->{Subject} || '',
        Action       => $Param{Action}          || '',
    );

    # get sender address
    $Param{Data}->{From} = $Self->Sender(
        QueueID => $Ticket{QueueID},
        UserID  => $Param{UserID},
    );

    return %{ $Param{Data} };
}

=head2 AutoResponse()

generate response

AutoResponse
    TicketID
        Owner
        Responsible
        CUSTOMER_DATA
    ArticleID
        CUSTOMER_SUBJECT
        CUSTOMER_EMAIL
    UserID

    To
    Cc
    Bcc
    Subject
    Body
    ContentType

    my %AutoResponse = $TemplateGeneratorObject->AutoResponse(
        TicketID         => 123,
        OrigHeader       => {},
        AutoResponseType => 'auto reply',
        UserID           => 123,
    );

=cut

sub AutoResponse {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    for (qw(TicketID AutoResponseType OrigHeader UserID)) {
        if ( !$Param{$_} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $_!"
            );
            return;
        }
    }

    # get ticket object
    my $TicketObject = $Kernel::OM->Get('Kernel::System::Ticket');

    # Get ticket data.
    my %Ticket = $TicketObject->TicketGet(
        TicketID      => $Param{TicketID},
        DynamicFields => 1,
    );

    # get auto default responses
    my %AutoResponse = $Kernel::OM->Get('Kernel::System::AutoResponse')->AutoResponseGetByTypeQueueID(
        QueueID => $Ticket{QueueID},
        Type    => $Param{AutoResponseType},
    );

    return if !%AutoResponse;

    # get old article for quoting
    my $ArticleObject = $Kernel::OM->Get('Kernel::System::Ticket::Article');
    my @ArticleList   = $ArticleObject->ArticleList(
        TicketID   => $Param{TicketID},
        SenderType => 'customer',
        OnlyLast   => 1,
    );

    if ( !@ArticleList ) {
        @ArticleList = $ArticleObject->ArticleList(
            TicketID             => $Param{TicketID},
            IsVisibleForCustomer => 1,
            OnlyLast             => 1,
        );
    }

    if (@ArticleList) {
        my %Article = $ArticleObject->BackendForArticle( %{ $ArticleList[0] } )->ArticleGet( %{ $ArticleList[0] } );

        for (qw(From To Cc Subject Body)) {
            if ( !$Param{OrigHeader}->{$_} ) {
                $Param{OrigHeader}->{$_} = $Article{$_} || '';
            }
            chomp $Param{OrigHeader}->{$_};
        }
    }

    # format body (only if longer than 86 chars)
    if ( $Param{OrigHeader}->{Body} ) {
        if ( length $Param{OrigHeader}->{Body} > 86 ) {
            my @Lines = split /\n/, $Param{OrigHeader}->{Body};
            LINE:
            for my $Line (@Lines) {
                my $LineWrapped = $Line =~ s/(^>.+|.{4,86})(?:\s|\z)/$1\n/gm;

                next LINE if $LineWrapped;

                # if the regex does not match then we need
                # to add the missing new line of the split
                # else we will lose e.g. empty lines of the body.
                # (bug#10679)
                $Line .= "\n";
            }
            $Param{OrigHeader}->{Body} = join '', @Lines;
        }
    }

    # fill up required attributes
    for (qw(Subject Body)) {
        if ( !$Param{OrigHeader}->{$_} ) {
            $Param{OrigHeader}->{$_} = "No $_";
        }
    }

    # get recipient
    my %User = $Kernel::OM->Get('Kernel::System::CustomerUser')->CustomerUserDataGet(
        User => $Ticket{CustomerUserID},
    );

    # get user language
    my $Language = $User{UserLanguage} || $Kernel::OM->Get('Kernel::Config')->Get('DefaultLanguage') || 'en';

    # do text/plain to text/html convert
    if ( $Self->{RichText} && $AutoResponse{ContentType} =~ /text\/plain/i ) {
        $AutoResponse{ContentType} = 'text/html';
        $AutoResponse{Text}        = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToHTML(
            String => $AutoResponse{Text},
        );
    }

    # do text/html to text/plain convert
    if ( !$Self->{RichText} && $AutoResponse{ContentType} =~ /text\/html/i ) {
        $AutoResponse{ContentType} = 'text/plain';
        $AutoResponse{Text}        = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToAscii(
            String => $AutoResponse{Text},
        );
    }

    # replace place holder stuff
    $AutoResponse{Text} = $Self->_Replace(
        RichText => $Self->{RichText},
        Text     => $AutoResponse{Text},
        Data     => {
            %{ $Param{OrigHeader} },
            From => $Param{OrigHeader}->{To},
            To   => $Param{OrigHeader}->{From},
        },
        TicketData      => \%Ticket,
        UserID          => $Param{UserID},
        Language        => $Language,
        AddTimezoneInfo => {
            AutoResponse => 1,
        },
    );
    $AutoResponse{Subject} = $Self->_Replace(
        RichText => 0,
        Text     => $AutoResponse{Subject},
        Data     => {
            %{ $Param{OrigHeader} },
            From => $Param{OrigHeader}->{To},
            To   => $Param{OrigHeader}->{From},
        },
        TicketData      => \%Ticket,
        UserID          => $Param{UserID},
        Language        => $Language,
        AddTimezoneInfo => {
            AutoResponse => 1,
        },
    );

    $AutoResponse{Subject} = $TicketObject->TicketSubjectBuild(
        TicketNumber => $Ticket{TicketNumber},
        Subject      => $AutoResponse{Subject},
        Type         => 'New',
        NoCleanup    => 1,
    );

    # get sender attributes based on auto response type
    if ( $AutoResponse{SystemAddressID} ) {

        my %Address = $Kernel::OM->Get('Kernel::System::SystemAddress')->SystemAddressGet(
            ID => $AutoResponse{SystemAddressID},
        );

        $AutoResponse{SenderAddress}  = $Address{Name};
        $AutoResponse{SenderRealname} = $Address{Realname};
    }

    # get sender attributes based on queue
    else {

        my %Address = $Kernel::OM->Get('Kernel::System::Queue')->GetSystemAddress(
            QueueID => $Ticket{QueueID},
        );

        $AutoResponse{SenderAddress}  = $Address{Email};
        $AutoResponse{SenderRealname} = $Address{RealName};
    }

    # add urls and verify to be full html document
    if ( $Self->{RichText} ) {

        $AutoResponse{Text} = $Kernel::OM->Get('Kernel::System::HTMLUtils')->LinkQuote(
            String => $AutoResponse{Text},
        );

        $AutoResponse{Text} = $Kernel::OM->Get('Kernel::System::HTMLUtils')->DocumentComplete(
            Charset => 'utf-8',
            String  => $AutoResponse{Text},
        );
    }

    return %AutoResponse;
}

=head2 NotificationEvent()

replace all OTOBO smart tags in the notification body and subject

    my %NotificationEvent = $TemplateGeneratorObject->NotificationEvent(
        TicketData            => $TicketDataHashRef,
        Recipient             => $UserDataHashRef,          # Agent or Customer data get result
        Notification          => $NotificationDataHashRef,
        CustomerMessageParams => $ArticleHashRef,           # optional
        UserID                => 123,
    );

=cut

sub NotificationEvent {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    for my $Needed (qw(TicketData Notification Recipient UserID)) {
        if ( !$Param{$Needed} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $Needed!",
            );
            return;
        }
    }

    if ( !IsHashRefWithData( $Param{Notification} ) ) {
        $Kernel::OM->Get('Kernel::System::Log')->Log(
            Priority => 'error',
            Message  => "Notification is invalid!",
        );
        return;
    }

    my %Notification = %{ $Param{Notification} };

    # exchanging original reference prevent it to grow up
    if ( ref $Param{CustomerMessageParams} && ref $Param{CustomerMessageParams} eq 'HASH' ) {
        my %LocalCustomerMessageParams = %{ $Param{CustomerMessageParams} };
        $Param{CustomerMessageParams} = \%LocalCustomerMessageParams;
    }

    my $ArticleObject = $Kernel::OM->Get('Kernel::System::Ticket::Article');

    # Get last article from customer.
    my @CustomerArticles = $ArticleObject->ArticleList(
        TicketID   => $Param{TicketData}->{TicketID},
        SenderType => 'customer',
        OnlyLast   => 1,
    );

    my %CustomerArticle;

    ARTICLE:
    for my $Article (@CustomerArticles) {
        next ARTICLE if !$Article->{ArticleID};

        %CustomerArticle = $ArticleObject->BackendForArticle( %{$Article} )->ArticleGet(
            %{$Article},
            DynamicFields => 0,
        );
    }

    # Get last article from agent.
    my @AgentArticles = $ArticleObject->ArticleList(
        TicketID   => $Param{TicketData}->{TicketID},
        SenderType => 'agent',
        OnlyLast   => 1,
    );

    my %AgentArticle;

    AGENTARTICLE:
    for my $Article (@AgentArticles) {
        next AGENTARTICLE if !$Article->{ArticleID};

        %AgentArticle = $ArticleObject->BackendForArticle( %{$Article} )->ArticleGet(
            %{$Article},
            DynamicFields => 0,
        );

        # Include the transmission status, if article is an email.
        my %CommunicationChannel = $Kernel::OM->Get('Kernel::System::CommunicationChannel')->ChannelGet(
            ChannelID => $Article->{CommunicationChannelID},
        );
        if ( $CommunicationChannel{ChannelName} eq 'Email' ) {
            my $TransmissionStatus = $ArticleObject->BackendForArticle( %{$Article} )->ArticleTransmissionStatus(
                ArticleID => $Article->{ArticleID},
            );
            if ( $TransmissionStatus && $TransmissionStatus->{Message} ) {
                $AgentArticle{TransmissionStatusMessage} = $TransmissionStatus->{Message};
            }
        }
    }

    my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

    ARTICLE:
    for my $ArticleData ( \%CustomerArticle, \%AgentArticle ) {
        next ARTICLE if !$ArticleData->{TicketID};
        next ARTICLE if !$ArticleData->{ArticleID};

        # Get article preview in plain text and store it as Body key.
        $ArticleData->{Body} = $LayoutObject->ArticlePreview(
            TicketID   => $ArticleData->{TicketID},
            ArticleID  => $ArticleData->{ArticleID},
            ResultType => 'plain',
            UserID     => $Param{UserID},
        );

        # get accounted time
        my $AccountedTime = $ArticleObject->ArticleAccountedTimeGet(
            ArticleID => $ArticleData->{ArticleID},
        );

        # set the accounted time as part of the articles information
        $ArticleData->{TimeUnit} = $AccountedTime;
    }

    # Populate the hash 'CustomerMessageParams' with all the customer-article data
    # and overwrite it with 'CustomerMessageParams' passed in the Params (bug #13325).
    $Param{CustomerMessageParams} = {
        %CustomerArticle,
        %{ $Param{CustomerMessageParams} || {} },
    };

    # get system default language
    my $DefaultLanguage = $Kernel::OM->Get('Kernel::Config')->Get('DefaultLanguage') || 'en';

    my $Languages = [ $Param{Recipient}->{UserLanguage}, $DefaultLanguage, 'en' ];

    my $Language;
    LANGUAGE:
    for my $Item ( @{$Languages} ) {
        next LANGUAGE if !$Item;
        next LANGUAGE if !$Notification{Message}->{$Item};

        # set language
        $Language = $Item;
        last LANGUAGE;
    }

    # if no language, then take the first one available
    if ( !$Language ) {
        my @NotificationLanguages = sort keys %{ $Notification{Message} };
        $Language = $NotificationLanguages[0];
    }

    # copy the correct language message attributes to a flat structure
    for my $Attribute (qw(Subject Body ContentType)) {
        $Notification{$Attribute} = $Notification{Message}->{$Language}->{$Attribute};
    }

    # Get customer article fields.
    my %CustomerArticleFields;

    if (%CustomerArticle) {
        %CustomerArticleFields = $LayoutObject->ArticleFields(
            TicketID  => $CustomerArticle{TicketID},
            ArticleID => $CustomerArticle{ArticleID},
            UserID    => $Param{UserID},
        );
    }

    ARTICLE_FIELD:
    for my $ArticleField ( sort keys %CustomerArticleFields ) {
        next ARTICLE_FIELD if !defined $CustomerArticleFields{$ArticleField}->{Value};

        if ( !defined $Param{CustomerMessageParams}->{$ArticleField} ) {
            $Param{CustomerMessageParams}->{$ArticleField} = $CustomerArticleFields{$ArticleField}->{Value};
        }
        chomp $Param{CustomerMessageParams}->{$ArticleField};
    }

    # format body (only if longer the 86 chars)
    if ( $Param{CustomerMessageParams}->{Body} ) {
        if ( length $Param{CustomerMessageParams}->{Body} > 86 ) {
            my @Lines = split /\n/, $Param{CustomerMessageParams}->{Body};
            LINE:
            for my $Line (@Lines) {
                my $LineWrapped = $Line =~ s/(^>.+|.{4,86})(?:\s|\z)/$1\n/gm;

                next LINE if $LineWrapped;

                # if the regex does not match then we need
                # to add the missing new line of the split
                # else we will lose e.g. empty lines of the body.
                # (bug#10679)
                $Line .= "\n";
            }
            $Param{CustomerMessageParams}->{Body} = join '', @Lines;
        }
    }

    # fill up required attributes
    for my $Text (qw(Subject Body)) {
        if ( !$Param{CustomerMessageParams}->{$Text} ) {

            # Set to last customer article attribute if it is empty string.
            # For example, if Body is empty string (not undef!), it is maybe sent from NotificationOwnerUpdate event
            # and overrides last customer article body (in %CustomerArticle) above - see bug#14678.
            $Param{CustomerMessageParams}->{$Text} = $CustomerArticle{$Text} || "No $Text";
        }
    }

    my $Start = '<';
    my $End   = '>';
    if ( $Notification{ContentType} =~ m{text\/html} ) {
        $Start = '&lt;';
        $End   = '&gt;';
    }

    # replace <OTOBO_CUSTOMER_DATA_*> tags early from CustomerMessageParams, the rests will be replaced
    # by ticket customer user
    KEY:
    for my $Key ( sort keys %{ $Param{CustomerMessageParams} || {} } ) {

        next KEY if !$Param{CustomerMessageParams}->{$Key};

        $Notification{Body}    =~ s/${Start}OTOBO_CUSTOMER_DATA_$Key${End}/$Param{CustomerMessageParams}->{$Key}/gi;
        $Notification{Subject} =~ s/<OTOBO_CUSTOMER_DATA_$Key>/$Param{CustomerMessageParams}->{$Key}{$Key}/gi;
    }

    # do text/plain to text/html convert
    if ( $Self->{RichText} && $Notification{ContentType} =~ /text\/plain/i ) {
        $Notification{ContentType} = 'text/html';
        $Notification{Body}        = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToHTML(
            String => $Notification{Body},
        );
    }

    # do text/html to text/plain convert
    if ( !$Self->{RichText} && $Notification{ContentType} =~ /text\/html/i ) {
        $Notification{ContentType} = 'text/plain';
        $Notification{Body}        = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToAscii(
            String => $Notification{Body},
        );
    }

    # get notify texts
    for my $Text (qw(Subject Body)) {
        if ( !$Notification{$Text} ) {
            $Notification{$Text} = "No Notification $Text for $Param{Type} found!";
        }
    }

    # replace place holder stuff
    $Notification{Body} = $Self->_Replace(
        RichText        => $Self->{RichText},
        Text            => $Notification{Body},
        Recipient       => $Param{Recipient},
        Data            => $Param{CustomerMessageParams},
        DataAgent       => \%AgentArticle,
        TicketData      => $Param{TicketData},
        UserID          => $Param{UserID},
        Language        => $Language,
        AddTimezoneInfo => {
            NotificationEvent => 1,
        },
    );

    $Notification{Subject} = $Self->_Replace(
        RichText        => 0,
        Text            => $Notification{Subject},
        Recipient       => $Param{Recipient},
        Data            => $Param{CustomerMessageParams},
        DataAgent       => \%AgentArticle,
        TicketData      => $Param{TicketData},
        UserID          => $Param{UserID},
        Language        => $Language,
        AddTimezoneInfo => {
            NotificationEvent => 1,
        },
    );

    # Keep the "original" (unmodified) subject and body for later use.
    $Notification{OriginalSubject} = $Notification{Subject};
    $Notification{OriginalBody}    = $Notification{Body};

    $Notification{Subject} = $Kernel::OM->Get('Kernel::System::Ticket')->TicketSubjectBuild(
        TicketNumber => $Param{TicketData}->{TicketNumber},
        Subject      => $Notification{Subject} || '',
        Type         => 'New',
    );

    # add URLs and verify to be full HTML document
    if ( $Self->{RichText} ) {

        $Notification{Body} = $Kernel::OM->Get('Kernel::System::HTMLUtils')->LinkQuote(
            String => $Notification{Body},
        );
    }

    return %Notification;
}

=begin Internal:

=cut

sub _Replace {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    for (qw(Text RichText Data UserID)) {
        if ( !defined $Param{$_} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $_!"
            );
            return;
        }
    }

    # check for mailto links
    # since the subject and body of those mailto links are
    # uri escaped we have to uri unescape them, replace
    # possible placeholders and then re-uri escape them
    $Param{Text} =~ s{
        (href="mailto:[^\?]+\?)([^"]+")
    }
    {
        my $MailToHref        = $1;
        my $MailToHrefContent = $2;

        $MailToHrefContent =~ s{
            ((?:subject|body)=)(.+?)("|&)
        }
        {
            my $SubjectOrBodyPrefix  = $1;
            my $SubjectOrBodyContent = $2;
            my $SubjectOrBodySuffix  = $3;

            my $SubjectOrBodyContentUnescaped = URI::Escape::uri_unescape $SubjectOrBodyContent;

            my $SubjectOrBodyContentReplaced = $Self->_Replace(
                %Param,
                Text     => $SubjectOrBodyContentUnescaped,
                RichText => 0,
            );

            my $SubjectOrBodyContentEscaped = URI::Escape::uri_escape_utf8 $SubjectOrBodyContentReplaced;

            $SubjectOrBodyPrefix . $SubjectOrBodyContentEscaped . $SubjectOrBodySuffix;
        }egx;

        $MailToHref . $MailToHrefContent;
    }egx;

    my $Start = '<';
    my $End   = '>';
    if ( $Param{RichText} ) {
        $Start = '&lt;';
        $End   = '&gt;';
        $Param{Text} =~ s/(\n|\r)//g;
    }

    my %Ticket;
    if ( $Param{TicketData} ) {
        %Ticket = %{ $Param{TicketData} };
    }

    my $CustomerUserObject = $Kernel::OM->Get('Kernel::System::CustomerUser');

    # Determine recipient's timezone if needed.
    my $RecipientTimeZone;
    if ( $Param{AddTimezoneInfo} ) {
        $RecipientTimeZone = $Kernel::OM->Create('Kernel::System::DateTime')->OTOBOTimeZoneGet();

        my %CustomerUser;
        if ( IsHashRefWithData( \%Ticket ) && $Ticket{CustomerUserID} ) {
            %CustomerUser = $CustomerUserObject->CustomerUserDataGet( User => $Ticket{CustomerUserID} );
        }

        my %UserPreferences;

        if ( $Param{AddTimezoneInfo}->{NotificationEvent} && $Param{Recipient}->{Type} eq 'Agent' ) {
            %UserPreferences = $Kernel::OM->Get('Kernel::System::User')->GetPreferences(
                UserID => $Param{Recipient}->{UserID},
            );
        }
        elsif (
            $Param{AddTimezoneInfo}->{NotificationEvent}
            && $Param{Recipient}->{Type} eq 'Customer'
            && $Param{Recipient}->{UserID}
            )
        {
            %UserPreferences = $CustomerUserObject->GetPreferences(
                UserID => $Param{Recipient}->{UserID},
            );
        }
        elsif (
            $Param{AddTimezoneInfo}->{AutoResponse}
            && $Ticket{CustomerUserID}
            && IsHashRefWithData( \%CustomerUser )
            )
        {
            %UserPreferences = $CustomerUserObject->GetPreferences(
                UserID => $Ticket{CustomerUserID},
            );
        }

        if ( $UserPreferences{UserTimeZone} ) {
            $RecipientTimeZone = $UserPreferences{UserTimeZone};
        }
    }

    # Replace Unix time format tags.
    # If language is defined, they will be converted into a correct format in below IF statement.
    for my $UnixFormatTime (
        qw(RealTillTimeNotUsed EscalationResponseTime EscalationUpdateTime EscalationSolutionTime)
        )
    {
        if ( $Ticket{$UnixFormatTime} ) {
            $Ticket{$UnixFormatTime} = $Kernel::OM->Create(
                'Kernel::System::DateTime',
                ObjectParams => {
                    Epoch => $Ticket{$UnixFormatTime},
                },
            )->ToString();
        }
    }

    # translate ticket values if needed
    if ( $Param{Language} ) {

        my $LanguageObject = Kernel::Language->new(
            UserLanguage => $Param{Language},
        );

        # Translate the different values.
        for my $Field (qw(Type State StateType Lock Priority)) {
            $Ticket{$Field} = $LanguageObject->Translate( $Ticket{$Field} );
        }

        # Transform the date values from the ticket data (but not the dynamic field values).
        ATTRIBUTE:
        for my $Attribute ( sort keys %Ticket ) {
            next ATTRIBUTE if $Attribute =~ m{ \A DynamicField_ }xms;
            next ATTRIBUTE if !$Ticket{$Attribute};

            if ( $Ticket{$Attribute} =~ m{\A(\d\d\d\d)-(\d\d)-(\d\d)\s(\d\d):(\d\d):(\d\d)\z}xi ) {

                # Change time to recipient's timezone if needed
                # and later append timezone information.
                # For more information,
                # see bug#13865 (https://bugs.otrs.org/show_bug.cgi?id=13865)
                # and bug#14270 (https://bugs.otrs.org/show_bug.cgi?id=14270).
                if ($RecipientTimeZone) {
                    my $DateTimeObject = $Kernel::OM->Create(
                        'Kernel::System::DateTime',
                        ObjectParams => {
                            String => $Ticket{$Attribute},
                        },
                    );
                    $DateTimeObject->ToTimeZone( TimeZone => $RecipientTimeZone );
                    $Ticket{$Attribute} = $DateTimeObject->ToString();
                }

                $Ticket{$Attribute} = $LanguageObject->FormatTimeString(
                    $Ticket{$Attribute},
                    'DateFormat',
                    'NoSeconds',
                );

                # Append timezone information if needed.
                if ($RecipientTimeZone) {
                    $Ticket{$Attribute} .= " ($RecipientTimeZone)";
                }
            }
        }

        my $LocalLayoutObject = Kernel::Output::HTML::Layout->new(
            Lang => $Param{Language},
        );

        # Convert tags in seconds to more readable appropriate format if language is defined.
        for my $TimeInSeconds (
            qw(UntilTime EscalationTimeWorkingTime EscalationTime FirstResponseTimeWorkingTime FirstResponseTime UpdateTimeWorkingTime
            UpdateTime SolutionTimeWorkingTime SolutionTime)
            )
        {
            if ( $Ticket{$TimeInSeconds} ) {
                $Ticket{$TimeInSeconds} = $LocalLayoutObject->CustomerAge(
                    Age   => $Ticket{$TimeInSeconds},
                    Space => ' '
                );
            }
        }
    }

    my %Queue;
    if ( $Param{QueueID} ) {
        %Queue = $Kernel::OM->Get('Kernel::System::Queue')->QueueGet(
            ID => $Param{QueueID},
        );
    }

    my $ConfigObject = $Kernel::OM->Get('Kernel::Config');

    # Replace config options.
    my $Tag = $Start . 'OTOBO_CONFIG_';
    $Param{Text} =~ s{$Tag(.+?)$End}{
        my $Key   = $1;
        my $Value = $ConfigObject->Get($Key) // '';

        # Mask sensitive config options.
        my $Replace = $Self->_MaskSensitiveValue(
            Key      => $Key,
            Value    => $Value,
            IsConfig => 1,
        );

        $Replace;
    }egx;

    # cleanup
    $Param{Text} =~ s/$Tag.+?$End/-/gi;

    my %Recipient = %{ $Param{Recipient} || {} };

    # get user object
    my $UserObject = $Kernel::OM->Get('Kernel::System::User');

    if ( !%Recipient && $Param{RecipientID} ) {

        %Recipient = $UserObject->GetUserData(
            UserID        => $Param{RecipientID},
            NoOutOfOffice => 1,
        );
    }

    my $HashGlobalReplace = sub {
        my ( $Tag, %H ) = @_;

        # Generate one single matching string for all keys to save performance.
        my $Keys = join '|', map {quotemeta} grep { defined $H{$_} } keys %H;

        # Set all keys as lowercase to be able to match case insensitive,
        #   e. g. <OTOBO_CUSTOMER_From> and <OTOBO_CUSTOMER_FROM>.
        #   Also mask any values containing sensitive data.
        %H = map {
            lc $_ => $Self->_MaskSensitiveValue(
                Key   => $_,
                Value => $H{$_},
            )
        } sort keys %H;

        # If tag is 'OTOBO_CUSTOMER_' add the body alias 'email/note' to be replaced.
        if ( $Tag =~ m/OTOBO_(CUSTOMER|AGENT)_/ ) {
            KEY:
            for my $Key (qw( email note )) {
                my $Value = $H{$Key};
                next KEY if defined($Value);

                $H{$Key} = $H{'body'};
                $Keys .= '|' . ucfirst $Key;
            }
        }

        $Param{Text} =~ s/(?:$Tag)($Keys)$End/$H{ lc $1 }/ieg;
    };

    # get recipient data and replace it with <OTOBO_...
    $Tag = $Start . 'OTOBO_';

    # include more readable tag <OTOBO_NOTIFICATION_RECIPIENT
    my $RecipientTag = $Start . 'OTOBO_NOTIFICATION_RECIPIENT_';

    if (%Recipient) {

        # HTML quoting of content
        if ( $Param{RichText} ) {
            ATTRIBUTE:
            for my $Attribute ( sort keys %Recipient ) {
                next ATTRIBUTE if !$Recipient{$Attribute};
                $Recipient{$Attribute} = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToHTML(
                    String => $Recipient{$Attribute},
                );
            }
        }

        $HashGlobalReplace->( "$Tag|$RecipientTag", %Recipient );
    }

    # cleanup
    $Param{Text} =~ s/$RecipientTag.+?$End/-/gi;

    # get owner data and replace it with <OTOBO_OWNER_...
    $Tag = $Start . 'OTOBO_OWNER_';

    # include more readable version <OTOBO_TICKET_OWNER
    my $OwnerTag = $Start . 'OTOBO_TICKET_OWNER_';

    if ( $Ticket{OwnerID} ) {

        my %Owner = $UserObject->GetUserData(
            UserID        => $Ticket{OwnerID},
            NoOutOfOffice => 1,
        );

        # html quoting of content
        if ( $Param{RichText} ) {

            ATTRIBUTE:
            for my $Attribute ( sort keys %Owner ) {
                next ATTRIBUTE if !$Owner{$Attribute};
                $Owner{$Attribute} = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToHTML(
                    String => $Owner{$Attribute},
                );
            }
        }

        $HashGlobalReplace->( "$Tag|$OwnerTag", %Owner );
    }

    # cleanup
    $Param{Text} =~ s/$Tag.+?$End/-/gi;
    $Param{Text} =~ s/$OwnerTag.+?$End/-/gi;

    # get owner data and replace it with <OTOBO_RESPONSIBLE_...
    $Tag = $Start . 'OTOBO_RESPONSIBLE_';

    # include more readable version <OTOBO_TICKET_RESPONSIBLE
    my $ResponsibleTag = $Start . 'OTOBO_TICKET_RESPONSIBLE_';

    if ( $Ticket{ResponsibleID} ) {
        my %Responsible = $UserObject->GetUserData(
            UserID        => $Ticket{ResponsibleID},
            NoOutOfOffice => 1,
        );

        # HTML quoting of content
        if ( $Param{RichText} ) {

            ATTRIBUTE:
            for my $Attribute ( sort keys %Responsible ) {
                next ATTRIBUTE if !$Responsible{$Attribute};
                $Responsible{$Attribute} = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToHTML(
                    String => $Responsible{$Attribute},
                );
            }
        }

        $HashGlobalReplace->( "$Tag|$ResponsibleTag", %Responsible );
    }

    # cleanup
    $Param{Text} =~ s/$Tag.+?$End/-/gi;
    $Param{Text} =~ s/$ResponsibleTag.+?$End/-/gi;

    $Tag = $Start . 'OTOBO_Agent_';
    my $Tag2        = $Start . 'OTOBO_CURRENT_';
    my %CurrentUser = $UserObject->GetUserData(
        UserID        => $Param{UserID},
        NoOutOfOffice => 1,
    );

    # HTML quoting of content
    if ( $Param{RichText} ) {

        ATTRIBUTE:
        for my $Attribute ( sort keys %CurrentUser ) {
            next ATTRIBUTE if !$CurrentUser{$Attribute};
            $CurrentUser{$Attribute} = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToHTML(
                String => $CurrentUser{$Attribute},
            );
        }
    }

    $HashGlobalReplace->( "$Tag|$Tag2", %CurrentUser );

    # replace other needed stuff
    $Param{Text} =~ s/$Start OTOBO_FIRST_NAME $End/$CurrentUser{UserFirstname}/gxms;
    $Param{Text} =~ s/$Start OTOBO_LAST_NAME $End/$CurrentUser{UserLastname}/gxms;

    # cleanup
    $Param{Text} =~ s/$Tag2.+?$End/-/gi;

# Rother OSS / OneTimeAuthenticationLink
    # Replace config options.
    $Tag = $Start . 'OTOBO_OTACustomerTicketLink';
    $Param{Text} =~ s{$Tag$End}{
        my $Replace = $Kernel::OM->Get('Kernel::System::CustomerAuth::OneTimeAuthLink')->TicketLink(
            TicketNumber => $Ticket{TicketNumber},
            User         => $Ticket{CustomerUserID},
        );

        $Replace;
    }egx;
# EO OneTimeAuthenticationLink

    # ticket data
    $Tag = $Start . 'OTOBO_TICKET_';

    # html quoting of content
    if ( $Param{RichText} ) {

        ATTRIBUTE:
        for my $Attribute ( sort keys %Ticket ) {
            next ATTRIBUTE if !$Ticket{$Attribute};
            $Ticket{$Attribute} = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToHTML(
                String => $Ticket{$Attribute},
            );
        }
    }

    # Dropdown, Checkbox and MultipleSelect DynamicFields, can store values (keys) that are
    # different from the the values to display
    # <OTOBO_TICKET_DynamicField_NameX> returns the stored key
    # <OTOBO_TICKET_DynamicField_NameX_Value> returns the display value

    my %DynamicFields;

    # For systems with many Dynamic fields we do not want to load them all unless needed
    # Find what Dynamic Field Values are requested
    while ( $Param{Text} =~ m/$Tag DynamicField_(\S+?)(_Value)? $End/gixms ) {
        $DynamicFields{$1} = 1;
    }

    # to store all the required DynamicField display values
    my %DynamicFieldDisplayValues;

    # get dynamic field objects
    my $DynamicFieldObject        = $Kernel::OM->Get('Kernel::System::DynamicField');
    my $DynamicFieldBackendObject = $Kernel::OM->Get('Kernel::System::DynamicField::Backend');

    # get the dynamic fields for ticket object
    my $DynamicFieldList = $DynamicFieldObject->DynamicFieldListGet(
        Valid      => 1,
        ObjectType => ['Ticket'],
    ) || [];

    # cycle through the activated Dynamic Fields for this screen
    DYNAMICFIELD:
    for my $DynamicFieldConfig ( @{$DynamicFieldList} ) {

        next DYNAMICFIELD if !IsHashRefWithData($DynamicFieldConfig);

        # we only load the ones requested
        next DYNAMICFIELD if !$DynamicFields{ $DynamicFieldConfig->{Name} };

        my $LanguageObject;

        # translate values if needed
        if ( $Param{Language} ) {
            $LanguageObject = Kernel::Language->new(
                UserLanguage => $Param{Language},
            );
        }

        my $DateTimeObject;

        # Change DateTime DF value for ticket if needed.
        if (
            defined $Ticket{ 'DynamicField_' . $DynamicFieldConfig->{Name} }
            && $DynamicFieldConfig->{FieldType} eq 'DateTime'
            && $RecipientTimeZone
            )
        {
            $DateTimeObject = $Kernel::OM->Create(
                'Kernel::System::DateTime',
                ObjectParams => {
                    String => $Ticket{ 'DynamicField_' . $DynamicFieldConfig->{Name} },
                },
            );
            $DateTimeObject->ToTimeZone( TimeZone => $RecipientTimeZone );
            $Ticket{ 'DynamicField_' . $DynamicFieldConfig->{Name} } = $DateTimeObject->ToString();
        }

        # get the display value for each dynamic field
        my $DisplayValue = $DynamicFieldBackendObject->ValueLookup(
            DynamicFieldConfig => $DynamicFieldConfig,
            Key                => $Ticket{ 'DynamicField_' . $DynamicFieldConfig->{Name} },
            LanguageObject     => $LanguageObject,
        );

        # get the readable value (value) for each dynamic field
        my $DisplayValueStrg = $DynamicFieldBackendObject->ReadableValueRender(
            DynamicFieldConfig => $DynamicFieldConfig,
            Value              => $DisplayValue,
        );

        # fill the DynamicFielsDisplayValues
        if ($DisplayValueStrg) {
            $DynamicFieldDisplayValues{ 'DynamicField_' . $DynamicFieldConfig->{Name} . '_Value' } = $DisplayValueStrg->{Value};

            # Add timezone info if needed.
            if (
                defined $Ticket{ 'DynamicField_' . $DynamicFieldConfig->{Name} }
                && length $Ticket{ 'DynamicField_' . $DynamicFieldConfig->{Name} }
                && $DynamicFieldConfig->{FieldType} eq 'DateTime'
                && $RecipientTimeZone
                )
            {
                $DynamicFieldDisplayValues{ 'DynamicField_' . $DynamicFieldConfig->{Name} . '_Value' }
                    .= " ($RecipientTimeZone)";
            }
        }

        # get the readable value (key) for each dynamic field
        my $ValueStrg = $DynamicFieldBackendObject->ReadableValueRender(
            DynamicFieldConfig => $DynamicFieldConfig,
            Value              => $Ticket{ 'DynamicField_' . $DynamicFieldConfig->{Name} },
        );

        # replace ticket content with the value from ReadableValueRender (if any)
        if ( IsHashRefWithData($ValueStrg) ) {
            $Ticket{ 'DynamicField_' . $DynamicFieldConfig->{Name} } = $ValueStrg->{Value};

            # Add timezone info if needed.
            if (
                defined $Ticket{ 'DynamicField_' . $DynamicFieldConfig->{Name} }
                && length $Ticket{ 'DynamicField_' . $DynamicFieldConfig->{Name} }
                && $DynamicFieldConfig->{FieldType} eq 'DateTime'
                && $RecipientTimeZone
                )
            {
                $Ticket{ 'DynamicField_' . $DynamicFieldConfig->{Name} } .= " ($RecipientTimeZone)";
            }
        }
    }

    # replace it
    $HashGlobalReplace->( $Tag, %Ticket, %DynamicFieldDisplayValues );

    # COMPAT
    $Param{Text} =~ s/$Start OTOBO_TICKET_ID $End/$Ticket{TicketID}/gixms;
    $Param{Text} =~ s/$Start OTOBO_TICKET_NUMBER $End/$Ticket{TicketNumber}/gixms;
    if ( $Ticket{TicketID} ) {
        $Param{Text} =~ s/$Start OTOBO_QUEUE $End/$Ticket{Queue}/gixms;
    }
    if ( $Param{QueueID} ) {
        $Param{Text} =~ s/$Start OTOBO_TICKET_QUEUE $End/$Queue{Name}/gixms;
    }

    # cleanup
    $Param{Text} =~ s/$Tag.+?$End/-/gi;

    # Follow-up for bug#10825.
    # Set data for replacing of specific tags in Templates:
    # - OTOBO_AGENT_SUBJECT, OTOBO_AGENT_BODY - subject/body of the CURRENT/LATEST agent article
    # - OTOBO_CUSTOMER_SUBJECT, OTOBO_CUSTOMER_BODY - subject/body of the CURRENT/LATEST customer article
    # - OTOBO_AGENT_SUBJECT[n]    - first n characters of the subject of the CURRENT/LATEST agent article
    # - OTOBO_AGENT_BODY[n]       - first n lines of the body of the CURRENT/LATEST agent article
    # - OTOBO_CUSTOMER_SUBJECT[n] - first n characters of the subject of the CURRENT/LATEST customer article
    # - OTOBO_CUSTOMER_BODY[n]    - first n lines of the body of the CURRENT/LATEST customer article
    #
    # For Note template we need the last article.
    # For Answer, $Param{Data} has selected or last article data, depends whether ArticleID is sent or not.
    # For Forward, $Param{Data} has the following article data:
    # - if ArticleID is sent, data is from selected article.
    # - if ArticleID is not sent, data is from last customer/agent/any article.
    if ( $Param{Template} && $Ticket{TicketID} ) {
        my $ArticleObject = $Kernel::OM->Get('Kernel::System::Ticket::Article');

        if ( $Param{Template} eq 'Note' ) {

            # Get last article from agent.
            my @AgentArticles = $ArticleObject->ArticleList(
                TicketID   => $Param{TicketData}->{TicketID},
                SenderType => 'agent',
                OnlyLast   => 1,
            );

            my %AgentArticle = $ArticleObject->BackendForArticle( %{ $AgentArticles[0] } )->ArticleGet(
                %{ $AgentArticles[0] },
                DynamicFields => 0,
            );

            # Get last article from customer.
            my @CustomerArticles = $ArticleObject->ArticleList(
                TicketID   => $Param{TicketData}->{TicketID},
                SenderType => 'customer',
                OnlyLast   => 1,
            );

            my %CustomerArticle = $ArticleObject->BackendForArticle( %{ $CustomerArticles[0] } )->ArticleGet(
                %{ $CustomerArticles[0] },
                DynamicFields => 0,
            );

            $Param{DataAgent}->{Subject} = $AgentArticle{Subject};
            $Param{DataAgent}->{Body}    = $AgentArticle{Body};
            $Param{Data}->{Subject}      = $CustomerArticle{Subject};
            $Param{Data}->{Body}         = $CustomerArticle{Body};
        }
        elsif ( $Param{Template} eq 'Answer' || $Param{Template} eq 'Forward' ) {

            # If $Param{Data} has agent article data, we will set subject and body in $Param{DataAgent}
            # to values from $Param{Data} in order to right replacing of OTOBO_AGENT_SUBJECT/BODY tags.
            if ( $Param{Data}->{SenderType} && $Param{Data}->{SenderType} eq 'agent' ) {
                $Param{DataAgent}->{Subject} = $Param{Data}->{Subject};
                $Param{DataAgent}->{Body}    = $Param{Data}->{Body};
            }
        }
    }

    # get customer and agent params and replace it with <OTOBO_CUSTOMER_... or <OTOBO_AGENT_...
    my %ArticleData = (
        'OTOBO_CUSTOMER_' => $Param{Data}      || {},
        'OTOBO_AGENT_'    => $Param{DataAgent} || {},
    );

    # use a list to get customer first
    for my $DataType (qw(OTOBO_CUSTOMER_ OTOBO_AGENT_)) {
        my %Data = %{ $ArticleData{$DataType} };

        # HTML quoting of content
        if ( $Param{RichText} ) {

            ATTRIBUTE:
            for my $Attribute ( sort keys %Data ) {
                next ATTRIBUTE if !$Data{$Attribute};

                $Data{$Attribute} = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToHTML(
                    String => $Data{$Attribute},
                );
            }
        }

        if (%Data) {

            # replace <OTOBO_CUSTOMER_*> and <OTOBO_AGENT_*> tags
            $Tag = $Start . $DataType;
            $HashGlobalReplace->( $Tag, %Data );

            # prepare body (insert old email) <OTOBO_CUSTOMER_EMAIL[n]>, <OTOBO_CUSTOMER_NOTE[n]>
            #   <OTOBO_CUSTOMER_BODY[n]>, <OTOBO_AGENT_EMAIL[n]>..., <OTOBO_COMMENT>

            # Changed this to a 'while' to allow the same key/tag multiple times and different number of lines.
            while (
                $Param{Text} =~ /$Start(?:$DataType(EMAIL|NOTE|BODY)\[(.+?)\])$End/
                ||
                $Param{Text} =~ /$Start(?:OTOBO_COMMENT(\[(.+?)\])?)$End/
                )
            {

                my $Line       = $2 || 2500;
                my $NewOldBody = '';
                my @Body       = split( /\n/, $Data{Body} );

                for my $Counter ( 0 .. $Line - 1 ) {

                    # 2002-06-14 patch of Pablo Ruiz Garcia
                    # http://lists.otobo.org/pipermail/dev/2002-June/000012.html
                    if ( $#Body >= $Counter ) {

                        # add no quote char, do it later by using DocumentCleanup()
                        if ( $Param{RichText} ) {
                            $NewOldBody .= $Body[$Counter];
                        }

                        # add "> " as quote char
                        else {
                            $NewOldBody .= "> $Body[$Counter]";
                        }

                        # add new line
                        if ( $Counter < ( $Line - 1 ) ) {
                            $NewOldBody .= "\n";
                        }
                    }
                    $Counter++;
                }

                chomp $NewOldBody;

                # HTML quoting of content
                if ( $Param{RichText} && $NewOldBody ) {

                    # remove trailing new lines
                    for ( 1 .. 10 ) {
                        $NewOldBody =~ s/(<br\/>)\s{0,20}$//gs;
                    }

                    # add quote
                    $NewOldBody = "<blockquote type=\"cite\">$NewOldBody</blockquote>";
                    $NewOldBody = $Kernel::OM->Get('Kernel::System::HTMLUtils')->DocumentCleanup(
                        String => $NewOldBody,
                    );
                }

                # replace tag
                $Param{Text}
                    =~ s/$Start(?:(?:$DataType(EMAIL|NOTE|BODY)\[(.+?)\]|(?:OTOBO_COMMENT(\[(.+?)\])?)))$End/$NewOldBody/;
            }

            # replace <OTOBO_CUSTOMER_SUBJECT[]>  and  <OTOBO_AGENT_SUBJECT[]> tags
            $Tag = "$Start$DataType" . 'SUBJECT';
            if ( $Param{Text} =~ /$Tag\[(.+?)\]$End/g ) {

                my $SubjectChar = $1;
                my $Subject     = $Kernel::OM->Get('Kernel::System::Ticket')->TicketSubjectClean(
                    TicketNumber => $Ticket{TicketNumber},
                    Subject      => $Data{Subject},
                );

                $Subject =~ s/^(.{$SubjectChar}).*$/$1 [...]/;
                $Param{Text} =~ s/$Tag\[.+?\]$End/$Subject/g;
            }

            if ( $DataType eq 'OTOBO_CUSTOMER_' ) {

                # Get <OTOBO_EMAIL_DATE[]> from body and replace with received date.
                # This tag will be able to use with supported OTOBO time zones
                #   ( e.g. <OTOBO_EMAIL_DATE[Europe/Berlin]>, <OTOBO_EMAIL_DATE[Asia/Tokyo]>,
                #   <OTOBO_EMAIL_DATE[America/Denver]> , ...).
                # If you use tag without time in simple format as <OTOBO_EMAIL_DATE>,
                #  time will be transformed into OTOBO SystemTimeZone.
                $Tag = $Start . 'OTOBO_EMAIL_DATE';

                my $DateTimeObject = $Kernel::OM->Create('Kernel::System::DateTime');
                my $SystemTimeZone = $DateTimeObject->OTOBOTimeZoneGet();
                while ( $Param{Text} =~ /$Tag\[(.+?)\]$End/g ) {
                    my $TimeZone      = $1;
                    my $TimeZoneValid = $DateTimeObject->IsTimeZoneValid( TimeZone => $TimeZone );
                    if ($TimeZoneValid) {
                        $DateTimeObject->ToTimeZone( TimeZone => $TimeZone );
                    }
                    else {
                        $TimeZone = $SystemTimeZone;
                    }

                    my $EmailDate = $DateTimeObject->Format( Format => '%A, %B %e, %Y at %T ' );
                    $EmailDate .= "($TimeZone)";
                    $Param{Text} =~ s/$Tag\[$1\]$End/$EmailDate/g;
                }

                if ( $Param{Text} =~ /$Tag$End/g ) {
                    my $TimeZone = $SystemTimeZone;
                    $DateTimeObject->ToTimeZone( TimeZone => $TimeZone );

                    my $EmailDate = $DateTimeObject->Format( Format => '%A, %B %e, %Y at %T ' );
                    $EmailDate .= "($TimeZone)";
                    $Param{Text} =~ s/$Tag$End/$EmailDate/g;
                }
            }
        }

        if ( $DataType eq 'OTOBO_CUSTOMER_' ) {

            # get and prepare realname
            $Tag = $Start . 'OTOBO_CUSTOMER_REALNAME';
            if ( $Param{Text} =~ /$Tag$End/i ) {

                my $From;

                if ( $Ticket{CustomerUserID} ) {

                    $From = $CustomerUserObject->CustomerName(
                        UserLogin => $Ticket{CustomerUserID}
                    );
                }

                # try to get the real name directly from the data
                $From //= $Recipient{Realname};

                # get real name based on reply-to
                if ( !$From && $Data{ReplyTo} ) {

                    $From = $Data{ReplyTo};

                    # remove email addresses
                    $From =~ s/&lt;.*&gt;|<.*>|\(.*\)|\"|&quot;|;|,//g;

                    # remove leading/trailing spaces
                    $From =~ s/^\s+//g;
                    $From =~ s/\s+$//g;
                }

                # generate real name based on sender line
                if ( !$From ) {
                    $From = $Data{To} || '';

                    # remove email addresses
                    $From =~ s/&lt;.*&gt;|<.*>|\(.*\)|\"|&quot;|;|,//g;

                    # remove leading/trailing spaces
                    $From =~ s/^\s+//g;
                    $From =~ s/\s+$//g;
                }

                # replace <OTOBO_CUSTOMER_REALNAME> with from
                $Param{Text} =~ s/$Tag$End/$From/g;
            }
        }
    }

    # get customer data and replace it with <OTOBO_CUSTOMER_DATA_...
    $Tag  = $Start . 'OTOBO_CUSTOMER_';
    $Tag2 = $Start . 'OTOBO_CUSTOMER_DATA_';

    if ( $Ticket{CustomerUserID} || $Param{Data}->{CustomerUserID} ) {

        my $CustomerUserID = $Param{Data}->{CustomerUserID} || $Ticket{CustomerUserID};

        my %CustomerUser = $CustomerUserObject->CustomerUserDataGet(
            User => $CustomerUserID,
        );

        # HTML quoting of content
        if ( $Param{RichText} ) {

            ATTRIBUTE:
            for my $Attribute ( sort keys %CustomerUser ) {
                next ATTRIBUTE if !$CustomerUser{$Attribute};
                $CustomerUser{$Attribute} = $Kernel::OM->Get('Kernel::System::HTMLUtils')->ToHTML(
                    String => $CustomerUser{$Attribute},
                );
            }
        }

        # replace it
        $HashGlobalReplace->( "$Tag|$Tag2", %CustomerUser );
    }

    # cleanup all not needed <OTOBO_CUSTOMER_DATA_ tags
    $Param{Text} =~ s/(?:$Tag|$Tag2).+?$End/-/gi;

    # cleanup all not needed <OTOBO_AGENT_ tags
    $Tag = $Start . 'OTOBO_AGENT_';
    $Param{Text} =~ s/$Tag.+?$End/-/gi;

    return $Param{Text};
}

=head2 _RemoveUnSupportedTag()

cleanup all not supported tags

    my $Text = $TemplateGeneratorObject->_RemoveUnSupportedTag(
        Text => $SomeTextWithTags,
        ListOfUnSupportedTag => \@ListOfUnSupportedTag,
    );

=cut

sub _RemoveUnSupportedTag {

    my ( $Self, %Param ) = @_;

    # check needed stuff
    for my $Item (qw(Text ListOfUnSupportedTag)) {
        if ( !defined $Param{$Item} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $Item!"
            );
            return;
        }
    }

    my $Start = '<';
    my $End   = '>';
    if ( $Self->{RichText} ) {
        $Start = '&lt;';
        $End   = '&gt;';
        $Param{Text} =~ s/(\n|\r)//g;
    }

    # Cleanup all not supported tags with and without number, e.g. OTOBO_CUSTOMER_BODY and OTOBO_CUSTOMER_BODY[n].
    # See https://bugs.otrs.org/show_bug.cgi?id=14369 and https://bugs.otrs.org/show_bug.cgi?id=10825.
    my $NotSupportedTag = $Start . "(?:" . join( "|", @{ $Param{ListOfUnSupportedTag} } ) . ")(\\[.*?\\])?" . $End;
    $Param{Text} =~ s/$NotSupportedTag/-/gi;

    return $Param{Text};

}

=head2 _MaskSensitiveValue()

Mask sensitive value, i.e. a password, a security token, etc.

    my $MaskedValue = $Self->_MaskSensitiveValue(
        Key      => 'DatabasePassword', # (required) Name of the field/key.
        Value    => 'secretvalue',      # (optional) Value to potentially mask.
        IsConfig => 1,                  # (optional) Whether the value is a config option, default: 0.
    );

Returns masked value, in case the key is matched:

   $MaskedValue = 'xxx';

=cut

sub _MaskSensitiveValue {
    my ( $Self, %Param ) = @_;

    return '' if !$Param{Key} || !defined $Param{Value};

    # Skip masking sensitive values for Dynamic Fields.
    return $Param{Value} if $Param{Key} =~ qr{ dynamicfield }xi;

    # Match general key names, i.e. from the user preferences.
    my $Match = qr{ config|secret|passw|userpw|auth|token }xi;

    # Match forbidden config keys.
    if ( $Param{IsConfig} ) {
        $Match = qr{ (?:password|pw) \d* $ }smxi;
    }

    return $Param{Value} if $Param{Key} !~ $Match;

    return 'xxx';
}

=end Internal:

=cut

1;

# --
# OTOBO is a web-based ticketing system for service organisations.
# --
# Copyright (C) 2001-2020 OTRS AG, https://otrs.com/
# Copyright (C) 2019-2022 Rother OSS GmbH, https://otobo.de/
# --
# $origin: otobo - 101d09455d8b257aaa0fa99a56dc5188e90580f5 - Kernel/System/Web/InterfaceCustomer.pm
# --
# This program is free software: you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
# Foundation, either version 3 of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# --

package Kernel::System::Web::InterfaceCustomer;

use v5.24;
use strict;
use warnings;
use namespace::autoclean;
use utf8;

# core modules
use Time::HiRes qw();

# CPAN modules

# OTOBO modules
use Kernel::System::VariableCheck qw(IsArrayRefWithData IsHashRefWithData);
use Kernel::Language qw(Translatable);
use Kernel::System::DateTime;

our @ObjectDependencies = (
    'Kernel::Config',
    'Kernel::Output::HTML::Layout',
    'Kernel::System::AuthSession',
    'Kernel::System::Cache',
    'Kernel::System::CustomerAuth',
    'Kernel::System::CustomerGroup',
    'Kernel::System::CustomerUser',
    'Kernel::System::DB',
    'Kernel::System::Email',
    'Kernel::System::Log',
    'Kernel::System::Main',
    'Kernel::System::Scheduler',
    'Kernel::System::DateTime',
    'Kernel::System::Web::Request',
    'Kernel::System::Web::Response',
    'Kernel::System::Valid',
);

=head1 NAME

Kernel::System::Web::InterfaceCustomer - the customer web interface

=head1 SYNOPSIS

    use Kernel::System::Web::InterfaceCustomer;

    # a Plack request handler
    my $App = sub {
        my $Env = shift;

        my $Interface = Kernel::System::Web::InterfaceCustomer->new(
            # Debug => 1
            PSGIEnv    => $Env,
        );

        # generate content (actually headers are generated as a side effect)
        my $Content = $Interface->Content();

        # assuming all went well and HTML was generated
        return [
            '200',
            [ 'Content-Type' => 'text/html' ],
            $Content
        ];
    };

=head1 DESCRIPTION

This module generates the HTTP response for F<customer.pl>.
This class is meant to be used within a Plack request handler.
See F<bin/psgi-bin/otobo.psgi> for the real live usage.

=head1 PUBLIC INTERFACE

=head2 new()

create the web interface object for F<customer.pl>.

=cut

sub new {
    my ( $Type, %Param ) = @_;

    # start with an empty hash for the new object
    my $Self = bless {}, $Type;

    # set debug level
    $Self->{Debug} = $Param{Debug} || 0;

    # performance log based on high resolution timestamps
    $Self->{PerformanceLogStart} = Time::HiRes::time();

    # register object params
    $Kernel::OM->ObjectParamAdd(
        'Kernel::System::Log' => {
            LogPrefix => $Kernel::OM->Get('Kernel::Config')->Get('CGILogPrefix') || 'Customer',
        },
        'Kernel::System::Web::Request' => {
            PSGIEnv => $Param{PSGIEnv} || 0,
        },
    );

    # debug info
    if ( $Self->{Debug} ) {
        $Kernel::OM->Get('Kernel::System::Log')->Log(
            Priority => 'debug',
            Message  => 'Global handle started...',
        );
    }

    return $Self;
}

=head2 Content()

execute the object.
Set headers in Kernels::System::Web::Request singleton as side effect.

    my $Content = $Interface->Content();

=cut

sub Content {    ## no critic qw(Subroutines::RequireFinalReturn)
    my $Self = shift;

    my $ConfigObject = $Kernel::OM->Get('Kernel::Config');
    my $ParamObject  = $Kernel::OM->Get('Kernel::System::Web::Request');

    # Check if https forcing is active, and redirect if needed.
    if ( $ConfigObject->Get('HTTPSForceRedirect') ) {

        # Allow HTTPS to be 'on' in a case insensitive way.
        # In OTOBO 10.0.1 it had to be lowercase 'on'.
        my $HTTPS = $ParamObject->HTTPS('HTTPS') // '';
        if ( lc $HTTPS ne 'on' ) {
            my $Host         = $ParamObject->HTTP('HOST') || $ConfigObject->Get('FQDN');
            my $RequestURI   = $ParamObject->RequestURI();
            my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

            $LayoutObject->Redirect( ExtURL => "https://$Host$RequestURI" );    # throw a Kernel::System::Web::Exception exception
        }
    }

    # get common framework params
    my %Param;
    $Param{SessionName} = $ConfigObject->Get('CustomerPanelSessionName')         || 'CSID';
    $Param{SessionID}   = $ParamObject->GetParam( Param => $Param{SessionName} ) || '';

    # drop old session id (if exists)
    my $QueryString = $ParamObject->QueryString() || '';
    $QueryString =~ s/(\?|&|;|)$Param{SessionName}(=&|=;|=.+?&|=.+?$)/;/g;

    # define framework params
    {
        my %FrameworkParams = (
            Lang         => '',
            Action       => '',
            Subaction    => '',
            RequestedURL => $QueryString,
        );
        for my $Key ( sort keys %FrameworkParams ) {
            $Param{$Key} = $ParamObject->GetParam( Param => $Key ) || $FrameworkParams{$Key};
        }
    }

    # validate language
    if ( $Param{Lang} && $Param{Lang} !~ m{\A[a-z]{2}(?:_[A-Z]{2})?\z}xms ) {
        delete $Param{Lang};
    }

    # Check if the browser sends the SessionID cookie and set the SessionID-cookie
    # as SessionID! GET or POST SessionID have the lowest priority.
    if ( $ConfigObject->Get('SessionUseCookie') ) {
        $Param{SessionIDCookie} = $ParamObject->GetCookie( Key => $Param{SessionName} );
        if ( $Param{SessionIDCookie} ) {
            $Param{SessionID} = $Param{SessionIDCookie};
        }
    }

    $Kernel::OM->ObjectParamAdd(
        'Kernel::Output::HTML::Layout' => {
            Lang => $Param{Lang},
        },
        'Kernel::Language' => {
            UserLanguage => $Param{Lang}
        },
    );

    # Restrict Cookie to HTTPS if it is used.
    my $CookieSecureAttribute = $ConfigObject->Get('HttpType') eq 'https' ? 1 : undef;

    my $DBCanConnect = $Kernel::OM->Get('Kernel::System::DB')->Connect();

    if ( !$DBCanConnect || $ParamObject->Error() ) {
        my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');
        if ( !$DBCanConnect ) {
            $LayoutObject->CustomerFatalError(
                Comment => Translatable('Please contact the administrator.'),
            );    # throws a Kernel::System::Web::Exception
        }
        if ( $ParamObject->Error() ) {
            $LayoutObject->CustomerFatalError(
                Message => $ParamObject->Error(),
                Comment => Translatable('Please contact the administrator.'),
            );    # throws a Kernel::System::Web::Exception
        }
    }

    # get common application and add-on application params
    my %CommonObjectParam = %{ $ConfigObject->Get('CustomerFrontend::CommonParam') };
    for my $Key ( sort keys %CommonObjectParam ) {
        $Param{$Key} = $ParamObject->GetParam( Param => $Key ) || $CommonObjectParam{$Key};
    }

    # security check Action Param (replace non-word chars)
    $Param{Action} =~ s/\W//g;

    my $SessionObject = $Kernel::OM->Get('Kernel::System::AuthSession');
    my $UserObject    = $Kernel::OM->Get('Kernel::System::CustomerUser');

    # check request type
    if ( $Param{Action} eq 'PreLogin' ) {
        my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');
        $Param{RequestedURL} ||= 'Action=CustomerDashboard';

        # login screen
        return $LayoutObject->CustomerLogin(
            Title => 'Login',
            Mode  => 'PreLogin',
            %Param,
        );
    }
    elsif ( $Param{Action} eq 'Login' ) {

        # get params
        my $PostUser = $ParamObject->GetParam( Param => 'User' ) || '';

        my $PreventBruteForceConfig = $ConfigObject->Get('SimpleBruteForceProtection::GeneralSettings');

        # if simplebruteforceconfig is valid
        if ( $PreventBruteForceConfig && $PostUser ) {

            # check if the login is banned
            my $CacheObject   = $Kernel::OM->Get('Kernel::System::Cache');
            my $CheckHashUser = $CacheObject->Get(
                Type => 'BannedLoginsCustomer',
                Key  => $PostUser,
            );

            # check if Cache CheckHashUser exists
            if ($CheckHashUser) {
                my %BanStatus = $Self->_CheckAndRemoveFromBannedList(
                    PostUser                => $PostUser,
                    PreventBruteForceConfig => $PreventBruteForceConfig,
                );

                if ( $BanStatus{Banned} ) {

                    # output error message
                    my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

                    return $LayoutObject->CustomerLogin(
                        %Param,
                        Title   => 'Login',
                        Message => $LayoutObject->{LanguageObject}->Translate(
                            'Too many failed login attempts, please retry in %s s.',
                            $BanStatus{ResidualTime}
                        ),
                        LoginFailed => 1,
                        MessageType => 'Error',
                        User        => $PostUser,
                    );
                }
            }
        }

        my $PostPw = $ParamObject->GetParam(
            Param => 'Password',
            Raw   => 1
        ) || '';
        my $PostTwoFactorToken = $ParamObject->GetParam(
            Param => 'TwoFactorToken',
            Raw   => 1
        ) || '';

        # create AuthObject
        my $AuthObject = $Kernel::OM->Get('Kernel::System::CustomerAuth');

# Rother OSS / OneTimeAuthenticationLink
        my %ExtendedAuthParams;
        for my $Name ( $AuthObject->ExtendedParamNames() ) {
            $ExtendedAuthParams{$Name} = $ParamObject->GetParam(
                Param => $Name,
                Raw   => 1
            ) || '';
        }
# EO OneTimeAuthenticationLink

        # check submitted data
        my $User = $AuthObject->Auth(
            User           => $PostUser,
            Pw             => $PostPw,
            TwoFactorToken => $PostTwoFactorToken,
# Rother OSS / OneTimeAuthenticationLink
            %ExtendedAuthParams,
# EO OneTimeAuthenticationLink
        );

        # additional tasks / info
        my $PostAuth = $AuthObject->PostAuth();

        if ($PostAuth) {
            $Param{RequestedURL} = $PostAuth->{RequestedURL} // $Param{RequestedURL};
        }

        # login is invalid
        if ( !$User ) {

            my $Expires = '+' . $ConfigObject->Get('SessionMaxTime') . 's';
            if ( !$ConfigObject->Get('SessionUseCookieAfterBrowserClose') ) {
                $Expires = '';
            }

            # tentatively set an useless cookie, for checking cookie support
            my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');
            $LayoutObject->SetCookie(
                Key      => 'OTOBOBrowserHasCookie',
                Value    => 1,
                Expires  => $Expires,
                Path     => $ConfigObject->Get('ScriptAlias'),
                Secure   => $CookieSecureAttribute,
                HTTPOnly => 1,
            );

            # redirect to alternate login
            if ( $ConfigObject->Get('CustomerPanelLoginURL') ) {
                $Param{RequestedURL} = $LayoutObject->LinkEncode( $Param{RequestedURL} );

                # throw a Kernel::System::Web::Exception that redirects
                $LayoutObject->Redirect(
                    ExtURL => $ConfigObject->Get('CustomerPanelLoginURL') . "?Reason=LoginFailed&RequestedURL=$Param{RequestedURL}",
                );
            }

# Rother OSS / OneTimeAuthenticationLink
#            if ($PreventBruteForceConfig) {
            if ( $PostUser && $PreventBruteForceConfig ) {
# EO OneTimeAuthenticationLink

                # prevent brute force
                my $Banned = $Self->_StoreFailedLogins(
                    PostUser                => $PostUser,
                    PreventBruteForceConfig => $PreventBruteForceConfig,
                );

                if ($Banned) {
                    return $LayoutObject->CustomerLogin(
                        %Param,
                        Title   => 'Login',
                        Message => $LayoutObject->{LanguageObject}->Translate(
                            'Too many failed login attempts, please retry in %s s.',
                            $PreventBruteForceConfig->{BanDuration}
                        ),
                        LoginFailed => 1,
                        MessageType => 'Error',
                        User        => $PostUser,
                    );
                }
            }

            # show normal login
            return $LayoutObject->CustomerLogin(
                Title   => 'Login',
                Message => $Kernel::OM->Get('Kernel::System::Log')->GetLogEntry(
                    Type => 'Info',
                    What => 'Message',
                    )
                    || $AuthObject->GetLastErrorMessage()
                    || Translatable('Login failed! Your user name or password was entered incorrectly.'),
                LoginFailed => 1,
                User        => $PostUser,
                %Param,
            );
        }

        # login is successful
        my %UserData = $UserObject->CustomerUserDataGet(
            User  => $User,
            Valid => 1,
        );

        # check if the browser supports cookies
        if ( $ParamObject->GetCookie( Key => 'OTOBOBrowserHasCookie' ) ) {
            $Kernel::OM->ObjectParamAdd(
                'Kernel::Output::HTML::Layout' => {
                    BrowserHasCookie => 1,
                },
            );
        }

        # check needed data
        if ( !$UserData{UserID} || !$UserData{UserLogin} ) {

            my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

            # redirect to alternate login
            if ( $ConfigObject->Get('CustomerPanelLoginURL') ) {

                # throw a Kernel::System::Web::Exception that redirects
                $LayoutObject->Redirect(
                    ExtURL => $ConfigObject->Get('CustomerPanelLoginURL') . '?Reason=SystemError',
                );
            }

            # show need user data error message
            return $LayoutObject->CustomerLogin(
                Title   => 'Error',
                Message =>
                    Translatable(
                        'Authentication succeeded, but no customer record is found in the customer backend. Please contact the administrator.'
                    ),
                %Param,
            );
        }

        # create datetime object
        my $SessionDTObject = $Kernel::OM->Create('Kernel::System::DateTime');

        # Remove certain user attributes that are not needed to be stored in the session.
        #   - SMIME Certificate could be in binary format, if session backend in DB (default)
        #   it wont be possible to be saved in certain databases (see bug#14405).
        my %UserSessionData = %UserData;
        delete $UserSessionData{UserSMIMECertificate};

        # create new session id
        my $NewSessionID = $SessionObject->CreateSessionID(
            %UserSessionData,
            UserLastRequest => $SessionDTObject->ToEpoch(),
            UserType        => 'Customer',
            SessionSource   => 'CustomerInterface',
        );

        # show error message if no session id has been created
        if ( !$NewSessionID ) {

            # get error message
            my $Error = $SessionObject->SessionIDErrorMessage() || '';

            # output error message
            my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

            return $LayoutObject->CustomerLogin(
                Title   => 'Login',
                Message => $Error,
                %Param,
            );
        }

        # execution in 20 seconds
        my $ExecutionTimeObj = $SessionDTObject->Clone();
        $ExecutionTimeObj->Add( Seconds => 20 );
        my $ExecutionTime = $ExecutionTimeObj->ToString();

        # add a asynchronous executor scheduler task to count the concurrent user
        $Kernel::OM->Get('Kernel::System::Scheduler')->TaskAdd(
            ExecutionTime            => $ExecutionTime,
            Type                     => 'AsynchronousExecutor',
            Name                     => 'PluginAsynchronous::ConcurrentUser',
            MaximumParallelInstances => 1,
            Data                     => {
                Object   => 'Kernel::System::SupportDataCollector::PluginAsynchronous::OTOBO::ConcurrentUsers',
                Function => 'RunAsynchronous',
            },
        );

        my $UserTimeZone = $Self->_UserTimeZoneGet(%UserData);

        $SessionObject->UpdateSessionID(
            SessionID => $NewSessionID,
            Key       => 'UserTimeZone',
            Value     => $UserTimeZone,
        );

        # check if the time zone offset reported by the user's browser differs from that
        # of the OTOBO user's time zone offset
        my $DateTimeObject = $Kernel::OM->Create(
            'Kernel::System::DateTime',
            ObjectParams => {
                TimeZone => $UserTimeZone,
            },
        );
        my $OTOBOUserTimeZoneOffset = $DateTimeObject->Format( Format => '%{offset}' ) / 60;
        my $BrowserTimeZoneOffset   = ( $ParamObject->GetParam( Param => 'TimeZoneOffset' ) || 0 ) * -1;

        # TimeZoneOffsetDifference contains the difference of the time zone offset between
        # the user's OTOBO time zone setting and the one reported by the user's browser.
        # If there is a difference it can be evaluated later to e. g. show a message
        # for the user to check his OTOBO time zone setting.
        my $UserTimeZoneOffsetDifference = abs( $OTOBOUserTimeZoneOffset - $BrowserTimeZoneOffset );
        $SessionObject->UpdateSessionID(
            SessionID => $NewSessionID,
            Key       => 'UserTimeZoneOffsetDifference',
            Value     => $UserTimeZoneOffsetDifference,
        );

        # create a new LayoutObject with SessionIDCookie
        my $Expires = '+' . $ConfigObject->Get('SessionMaxTime') . 's';
        if ( !$ConfigObject->Get('SessionUseCookieAfterBrowserClose') ) {
            $Expires = '';
        }

        $Kernel::OM->ObjectParamAdd(
            'Kernel::Output::HTML::Layout' => {
                SetCookies => {
                    SessionIDCookie => $ParamObject->SetCookie(
                        Key      => $Param{SessionName},
                        Value    => $NewSessionID,
                        Expires  => $Expires,
                        Path     => $ConfigObject->Get('ScriptAlias'),
                        Secure   => $CookieSecureAttribute,
                        HTTPOnly => 1,
                    ),

                    # delete the OTOBOBrowserHasCookie cookie
                    OTOBOBrowserHasCookie => $ParamObject->SetCookie(
                        Key      => 'OTOBOBrowserHasCookie',
                        Value    => '',
                        Expires  => '-1y',
                        Path     => $ConfigObject->Get('ScriptAlias'),
                        Secure   => $CookieSecureAttribute,
                        HTTPOnly => 1,
                    ),
                },
                SessionID   => $NewSessionID,
                SessionName => $Param{SessionName},
            },
        );

        # redirect with new session id and old params
        # prepare old redirect URL -- do not redirect to Login or Logout (loop)!
        if ( $Param{RequestedURL} =~ /Action=(Logout|Login|LostPassword|PreLogin)/ ) {
            $Param{RequestedURL} = '';
        }

        # redirect with new session id
        my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

        $LayoutObject->Redirect(
            OP    => $Param{RequestedURL},
            Login => 1,
        );    # throws a Kernel::System::Web::Exception
    }

    # logout
    elsif ( $Param{Action} eq 'Logout' ) {

        # check session id
        if ( !$SessionObject->CheckSessionID( SessionID => $Param{SessionID} ) ) {

            # new layout object
            my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

            # redirect to alternate login
            if ( $ConfigObject->Get('CustomerPanelLoginURL') ) {
                $Param{RequestedURL} = $LayoutObject->LinkEncode( $Param{RequestedURL} );

                $LayoutObject->Redirect(
                    ExtURL => $ConfigObject->Get('CustomerPanelLoginURL')
                        . "?Reason=InvalidSessionID;RequestedURL=$Param{RequestedURL}",
                );    # throws a Kernel::System::Web::Exception
            }

            # show login screen
            return $LayoutObject->CustomerLogin(
                Title   => 'Logout',
                Message => Translatable('Session invalid. Please log in again.'),
                %Param,
            );
        }

        # get session data
        my %UserData = $SessionObject->GetSessionIDData(
            SessionID => $Param{SessionID},
        );

        $UserData{UserTimeZone} = $Self->_UserTimeZoneGet(%UserData);

        # create a new LayoutObject with '%Param' and '%UserData'
        $Kernel::OM->ObjectParamAdd(
            'Kernel::Output::HTML::Layout' => {
                SetCookies => {

                    # delete the OTOBO session cookie
                    SessionIDCookie => $ParamObject->SetCookie(
                        Key      => $Param{SessionName},
                        Value    => '',
                        Expires  => '-1y',
                        Path     => $ConfigObject->Get('ScriptAlias'),
                        Secure   => $CookieSecureAttribute,
                        HTTPOnly => 1,
                    ),
                },
                %Param,
                %UserData,
            },
        );

        $Kernel::OM->ObjectsDiscard( Objects => ['Kernel::Output::HTML::Layout'] );
        my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

        # remove session id
        if ( !$SessionObject->RemoveSessionID( SessionID => $Param{SessionID} ) ) {
            $LayoutObject->CustomerFatalError(
                Comment => Translatable('Please contact the administrator.')
            );    # throws a Kernel::System::Web::Exception
        }

        # redirect to alternate login
        if ( $ConfigObject->Get('CustomerPanelLogoutURL') ) {
            $LayoutObject->Redirect(
                ExtURL => $ConfigObject->Get('CustomerPanelLogoutURL'),
            );    # throws a Kernel::System::Web::Exception
        }

        # try auth module specific logout
        my $LogoutInfo = $Kernel::OM->Get('Kernel::System::CustomerAuth')->Logout();
        if ( $LogoutInfo && $LogoutInfo->{LogoutURL} ) {
            $LayoutObject->Redirect(
                ExtURL => $LogoutInfo->{LogoutURL},
            );    # throws a Kernel::System::Web::Exception
        }

        # show logout screen
        return $LayoutObject->CustomerLogin(
            Title       => 'Logout',
            Message     => $LayoutObject->{LanguageObject}->Translate('Logout successful.'),
            MessageType => 'Success',
            %Param,
        );
    }

    # lost password
    elsif ( $Param{Action} eq 'CustomerLostPassword' ) {

        my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

        # check feature
        if ( !$ConfigObject->Get('CustomerPanelLostPassword') ) {

            # show normal login
            return $LayoutObject->CustomerLogin(
                Title   => 'Login',
                Message => Translatable('Feature not active!'),
            );
        }

        # get params
        my $User  = $ParamObject->GetParam( Param => 'User' )  || '';
        my $Token = $ParamObject->GetParam( Param => 'Token' ) || '';

        # get user login by token
        if ( !$User && $Token ) {

            # Prevent extracting password reset token character-by-character via wildcard injection
            # The wild card characters "%" and "_" could be used to match arbitrary character.
            if ( $Token !~ m{\A (?: [a-zA-Z] | \d )+ \z}xms ) {

                # Security: pretend that password reset instructions were actually sent to
                #   make sure that users cannot find out valid usernames by
                #   just trying and checking the result message.
                return $LayoutObject->Login(
                    Title       => 'Login',
                    Message     => Translatable('Sent password reset instructions. Please check your email.'),
                    MessageType => 'Success',
                    %Param,
                );
            }

            my %UserList = $UserObject->SearchPreferences(
                Key   => 'UserToken',
                Value => $Token,
            );
            USER_ID:
            for my $UserID ( sort keys %UserList ) {
                my %UserData = $UserObject->CustomerUserDataGet(
                    User  => $UserID,
                    Valid => 1,
                );
                if (%UserData) {
                    $User = $UserData{UserLogin};

                    last USER_ID;
                }
            }
        }

        # get user data
        my %UserData = $UserObject->CustomerUserDataGet(
            User => $User,
        );

        # verify customer user is valid when requesting password reset
        my @ValidIDs    = $Kernel::OM->Get('Kernel::System::Valid')->ValidIDsGet();
        my $UserIsValid = grep { $UserData{ValidID} && $UserData{ValidID} == $_ } @ValidIDs;
        if ( !$UserData{UserID} || !$UserIsValid ) {

            # Security: pretend that password reset instructions were actually sent to
            #   make sure that users cannot find out valid usernames by
            #   just trying and checking the result message.
            return $LayoutObject->CustomerLogin(
                Title       => 'Login',
                Message     => Translatable('Sent password reset instructions. Please check your email.'),
                MessageType => 'Success',
            );
        }

        # create email object
        my $EmailObject = $Kernel::OM->Get('Kernel::System::Email');

        # send password reset token
        if ( !$Token ) {

            # generate token
            $UserData{Token} = $UserObject->TokenGenerate(
                UserID => $UserData{UserID},
            );

            # send token notify email with link
            my $Body = $ConfigObject->Get('CustomerPanelBodyLostPasswordToken')
                || 'ERROR: CustomerPanelBodyLostPasswordToken is missing!';
            my $Subject = $ConfigObject->Get('CustomerPanelSubjectLostPasswordToken')
                || 'ERROR: CustomerPanelSubjectLostPasswordToken is missing!';
            for ( sort keys %UserData ) {
                $Body =~ s/<OTOBO_$_>/$UserData{$_}/gi;
            }
            my $Sent = $EmailObject->Send(
                To       => $UserData{UserEmail},
                Subject  => $Subject,
                Charset  => $LayoutObject->{UserCharset},
                MimeType => 'text/plain',
                Body     => $Body
            );
            if ( !$Sent->{Success} ) {
                $LayoutObject->FatalError(
                    Comment => Translatable('Please contact the administrator.'),
                );    # throws a Kernel::System::Web::Exception
            }

            return $LayoutObject->CustomerLogin(
                Title       => 'Login',
                Message     => Translatable('Sent password reset instructions. Please check your email.'),
                MessageType => 'Success',
                %Param,
            );
        }

        # reset password
        # check if token is valid
        my $TokenValid = $UserObject->TokenCheck(
            Token  => $Token,
            UserID => $UserData{UserID},
        );

        if ( !$TokenValid ) {
            return $LayoutObject->CustomerLogin(
                Title   => 'Login',
                Message => Translatable('Invalid Token!'),
                %Param,
            );
        }

        # get new password
        $UserData{NewPW} = $UserObject->GenerateRandomPassword();

        # update new password
        my $Success = $UserObject->SetPassword(
            UserLogin => $User,
            PW        => $UserData{NewPW}
        );

        if ( !$Success ) {
            return $LayoutObject->CustomerLogin(
                Title   => 'Login',
                Message => Translatable('Reset password unsuccessful. Please contact the administrator.'),
                User    => $User,
            );
        }

        # send notify email
        my $Body = $ConfigObject->Get('CustomerPanelBodyLostPassword')
            || 'New Password is: <OTOBO_NEWPW>';
        my $Subject = $ConfigObject->Get('CustomerPanelSubjectLostPassword')
            || 'New Password!';
        for ( sort keys %UserData ) {
            $Body =~ s/<OTOBO_$_>/$UserData{$_}/gi;
        }
        my $Sent = $EmailObject->Send(
            To       => $UserData{UserEmail},
            Subject  => $Subject,
            Charset  => $LayoutObject->{UserCharset},
            MimeType => 'text/plain',
            Body     => $Body
        );

        if ( !$Sent->{Success} ) {
            $LayoutObject->CustomerFatalError(
                Comment => Translatable('Please contact the administrator.'),
            );    # throws a Kernel::System::Web::Exception
        }
        my $Message = $LayoutObject->{LanguageObject}->Translate(
            'Sent new password to %s. Please check your email.',
            $UserData{UserEmail},
        );

        return $LayoutObject->CustomerLogin(
            Title       => 'Login',
            Message     => $Message,
            User        => $User,
            MessageType => 'Success',
        );
    }

    # create new customer account
    elsif ( $Param{Action} eq 'CustomerCreateAccount' ) {

        # new layout object
        my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

        # check feature
        if ( !$ConfigObject->Get('CustomerPanelCreateAccount') ) {

            # show normal login
            return $LayoutObject->CustomerLogin(
                Title   => 'Login',
                Message => Translatable('Feature not active!'),
            );
        }

        # get params
        my %GetParams;
        for my $Entry ( @{ $ConfigObject->Get('CustomerUser')->{Map} } ) {
            $GetParams{ $Entry->[0] } = $ParamObject->GetParam( Param => $Entry->[1] )
                || '';
        }
        $GetParams{ValidID} = 1;

        # check needed params
        if ( !$GetParams{UserCustomerID} ) {
            $GetParams{UserCustomerID} = $GetParams{UserEmail};
        }
        if ( !$GetParams{UserLogin} ) {
            $GetParams{UserLogin} = $GetParams{UserEmail};
        }

        # get new password
        $GetParams{UserPassword} = $UserObject->GenerateRandomPassword();

        # get user data
        my %UserData = $UserObject->CustomerUserDataGet( User => $GetParams{UserLogin} );
        if ( $UserData{UserID} || !$GetParams{UserLogin} ) {

            # send data to JS
            $LayoutObject->AddJSData(
                Key   => 'SignupError',
                Value => 1,
            );

            return $LayoutObject->CustomerLogin(
                Title         => 'Login',
                Message       => Translatable('This e-mail address already exists. Please log in or reset your password.'),
                UserTitle     => $GetParams{UserTitle},
                UserFirstname => $GetParams{UserFirstname},
                UserLastname  => $GetParams{UserLastname},
                UserEmail     => $GetParams{UserEmail},
            );
        }

        # check for mail address restrictions
        my @Whitelist = @{
            $ConfigObject->Get('CustomerPanelCreateAccount::MailRestrictions::Whitelist') // []
        };
        my @Blacklist = @{
            $ConfigObject->Get('CustomerPanelCreateAccount::MailRestrictions::Blacklist') // []
        };

        my $WhitelistMatched;
        for my $WhitelistEntry (@Whitelist) {
            my $Regex = eval {qr/$WhitelistEntry/i};
            if ($@) {
                $Kernel::OM->Get('Kernel::System::Log')->Log(
                    Priority => 'error',
                    Message  =>
                        $LayoutObject->{LanguageObject}->Translate(
                            'The customer panel mail address whitelist contains the invalid regular expression $WhitelistEntry, please check and correct it.'
                        ),
                );
            }
            elsif ( $GetParams{UserEmail} =~ $Regex ) {
                $WhitelistMatched++;
            }
        }
        my $BlacklistMatched;
        for my $BlacklistEntry (@Blacklist) {
            my $Regex = eval {qr/$BlacklistEntry/i};
            if ($@) {
                $Kernel::OM->Get('Kernel::System::Log')->Log(
                    Priority => 'error',
                    Message  =>
                        $LayoutObject->{LanguageObject}->Translate(
                            'The customer panel mail address blacklist contains the invalid regular expression $BlacklistEntry, please check and correct it.'
                        ),
                );
            }
            elsif ( $GetParams{UserEmail} =~ $Regex ) {
                $BlacklistMatched++;
            }
        }

        if ( ( @Whitelist && !$WhitelistMatched ) || ( @Blacklist && $BlacklistMatched ) ) {

            # send data to JS
            $LayoutObject->AddJSData(
                Key   => 'SignupError',
                Value => 1,
            );

            return $LayoutObject->CustomerLogin(
                Title         => 'Login',
                Message       => Translatable('This email address is not allowed to register. Please contact support staff.'),
                UserTitle     => $GetParams{UserTitle},
                UserFirstname => $GetParams{UserFirstname},
                UserLastname  => $GetParams{UserLastname},
                UserEmail     => $GetParams{UserEmail},
            );
        }

        # create account
        my $DateTimeObject = $Kernel::OM->Create('Kernel::System::DateTime');

        my $Now = $DateTimeObject->ToString();

        my $Add = $UserObject->CustomerUserAdd(
            %GetParams,
            Comment => $LayoutObject->{LanguageObject}->Translate( 'Added via Customer Panel (%s)', $Now ),
            ValidID => 1,
            UserID  => $ConfigObject->Get('CustomerPanelUserID'),
        );
        if ( !$Add ) {

            # send data to JS
            $LayoutObject->AddJSData(
                Key   => 'SignupError',
                Value => 1,
            );

            return $LayoutObject->CustomerLogin(
                Title         => 'Login',
                Message       => Translatable('Customer user can\'t be added!'),
                UserTitle     => $GetParams{UserTitle},
                UserFirstname => $GetParams{UserFirstname},
                UserLastname  => $GetParams{UserLastname},
                UserEmail     => $GetParams{UserEmail},
            );
        }

        # send notify email
        my $EmailObject = $Kernel::OM->Get('Kernel::System::Email');
        my $Body        = $ConfigObject->Get('CustomerPanelBodyNewAccount')
            || 'No Config Option found!';
        my $Subject = $ConfigObject->Get('CustomerPanelSubjectNewAccount')
            || 'New OTOBO Account!';
        for ( sort keys %GetParams ) {
            $Body =~ s/<OTOBO_$_>/$GetParams{$_}/gi;
        }

        # send account info
        my $Sent = $EmailObject->Send(
            To       => $GetParams{UserEmail},
            Subject  => $Subject,
            Charset  => $LayoutObject->{UserCharset},
            MimeType => 'text/plain',
            Body     => $Body
        );
        if ( !$Sent->{Success} ) {
            return join '',
                $LayoutObject->CustomerHeader(
                    Area  => 'Core',
                    Title => 'Error'
                ),
                $LayoutObject->CustomerWarning(
                    Comment => Translatable('Can\'t send account info!')
                ),
                $LayoutObject->CustomerFooter();
        }

        # show sent account info
        if ( $ConfigObject->Get('CustomerPanelLoginURL') ) {

            # redirect to alternate login
            $Param{RequestedURL} = $LayoutObject->LinkEncode( $Param{RequestedURL} );

            $LayoutObject->Redirect(
                ExtURL => $ConfigObject->Get('CustomerPanelLoginURL')
                    . "?RequestedURL=$Param{RequestedURL};User=$GetParams{UserLogin};"
                    . "Email=$GetParams{UserEmail};Reason=NewAccountCreated",
            );    # throws a Kernel::System::Web::Exception
        }

        my $AccountCreatedMessage = $LayoutObject->{LanguageObject}->Translate(
            'New account created. Sent login information to %s. Please check your email.',
            $GetParams{UserEmail},
        );

        # login screen
        return $LayoutObject->CustomerLogin(
            Title       => 'Login',
            Message     => $AccountCreatedMessage,
            User        => $GetParams{UserLogin},
            MessageType => 'Success',
        );
    }

    # show login site
    elsif ( !$Param{SessionID} ) {

        # create AuthObject
        my $AuthObject   = $Kernel::OM->Get('Kernel::System::CustomerAuth');
        my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');
        if ( $AuthObject->GetOption( What => 'PreAuth' ) ) {

            # automatic login
            $Param{RequestedURL} = $LayoutObject->LinkEncode( $Param{RequestedURL} );

            my $PreAuth = $AuthObject->PreAuth(
                RequestedURL => $Param{RequestedURL},
            );

            if ( $PreAuth && $PreAuth->{RedirectURL} ) {
                $LayoutObject->Redirect(
                    ExtURL => $PreAuth->{RedirectURL},
                );    # throws a Kernel::System::Web::Exception
            }

            $LayoutObject->Redirect(
                OP => "Action=PreLogin&RequestedURL=$Param{RequestedURL}",
            );        # throws a Kernel::System::Web::Exception
        }
        elsif ( $ConfigObject->Get('CustomerPanelLoginURL') ) {

            # redirect to alternate login
            $Param{RequestedURL} = $LayoutObject->LinkEncode( $Param{RequestedURL} );

            $LayoutObject->Redirect(
                ExtURL => $ConfigObject->Get('CustomerPanelLoginURL')
                    . "?RequestedURL=$Param{RequestedURL}",
            );        # throws a Kernel::System::Web::Exception
        }

# Rother OSS / OneTimeAuthenticationLink
        my %ExtendedAuthParams;
        for my $Name ( $AuthObject->ExtendedParamNames() ) {
            my $ExtParam = $ParamObject->GetParam(
                Param => $Name,
                Raw   => 1
            );
            if ( defined $ExtParam ) {
                $ExtendedAuthParams{$Name} = $ExtParam;
            }
        }

        # redirect directly to Login if necessary parameters are present
        if ( %ExtendedAuthParams ) {
            my $LoginString = 'Action=Login';
            for my $Key ( keys %ExtendedAuthParams ) {
                $LoginString .= ";$Key=$ExtendedAuthParams{$Key}";
            }

            $Param{RequestedURL} = $LayoutObject->LinkEncode( $Param{RequestedURL} );
            print $LayoutObject->Redirect(
                OP => "$LoginString;RequestedURL=$Param{RequestedURL}",
            );
        }
# EO OneTimeAuthenticationLink

        # login screen
        return $LayoutObject->CustomerLogin(
            Title => 'Login',
            %Param,
        );
    }

    # run modules if a version value exists
    elsif ( $Kernel::OM->Get('Kernel::System::Main')->Require("Kernel::Modules::$Param{Action}") ) {

        # check session id
        if ( !$SessionObject->CheckSessionID( SessionID => $Param{SessionID} ) ) {

            # create new LayoutObject with new '%Param'
            $Kernel::OM->ObjectParamAdd(
                'Kernel::Output::HTML::Layout' => {
                    SetCookies => {

                        # delete the OTOBO session cookie
                        SessionIDCookie => $ParamObject->SetCookie(
                            Key      => $Param{SessionName},
                            Value    => '',
                            Expires  => '-1y',
                            Path     => $ConfigObject->Get('ScriptAlias'),
                            Secure   => $CookieSecureAttribute,
                            HTTPOnly => 1,
                        ),
                    },
                    %Param,
                },
            );

            # if the wrong scheme is used, delete also the "other" cookie - issue #251
            my ($RequestScheme) = split '/', $ParamObject->ServerProtocol, 2;
            if ( $RequestScheme ne $ConfigObject->Get('HttpType') ) {
                $Kernel::OM->ObjectParamAdd(
                    'Kernel::Output::HTML::Layout' => {
                        SetCookies => {

                            # delete the OTOBO session cookie
                            SessionIDCookiehttp => $ParamObject->SetCookie(
                                Key      => $Param{SessionName},
                                Value    => '',
                                Expires  => '-1y',
                                Path     => $ConfigObject->Get('ScriptAlias'),
                                Secure   => '',
                                HTTPOnly => 1,
                            ),

                            # delete the OTOBO session cookie
                            SessionIDCookiehttps => $ParamObject->SetCookie(
                                Key      => $Param{SessionName},
                                Value    => '',
                                Expires  => '-1y',
                                Path     => $ConfigObject->Get('ScriptAlias'),
                                Secure   => 1,
                                HTTPOnly => 1,
                            ),
                        },
                        %Param,
                    },
                );
            }

            $Kernel::OM->ObjectsDiscard( Objects => ['Kernel::Output::HTML::Layout'] );
            my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

            # create AuthObject
            my $AuthObject = $Kernel::OM->Get('Kernel::System::CustomerAuth');
            if ( $AuthObject->GetOption( What => 'PreAuth' ) ) {

                # automatic re-login
                $Param{RequestedURL} = $LayoutObject->LinkEncode( $Param{RequestedURL} );

                my $PreAuth = $AuthObject->PreAuth(
                    RequestedURL => $Param{RequestedURL},
                );

                if ( $PreAuth && $PreAuth->{RedirectURL} ) {
                    $LayoutObject->Redirect(
                        ExtURL => $PreAuth->{RedirectURL},
                    );    # throws a Kernel::System::Web::Exception
                }

                $LayoutObject->Redirect(
                    OP => "?Action=PreLogin&RequestedURL=$Param{RequestedURL}",
                );        # throws a Kernel::System::Web::Exception
            }
            elsif ( $ConfigObject->Get('CustomerPanelLoginURL') ) {

                # redirect to alternate login
                $Param{RequestedURL} = $LayoutObject->LinkEncode( $Param{RequestedURL} );

                $LayoutObject->Redirect(
                    ExtURL => $ConfigObject->Get('CustomerPanelLoginURL')
                        . "?Reason=InvalidSessionID&RequestedURL=$Param{RequestedURL}",
                );        # throws a Kernel::System::Web::Exception
            }

            # show login
            return $LayoutObject->CustomerLogin(
                Title   => 'Login',
                Message =>
                    $LayoutObject->{LanguageObject}->Translate( $SessionObject->SessionIDErrorMessage() ),
                %Param,
            );
        }

        # get session data
        my %UserData = $SessionObject->GetSessionIDData(
            SessionID => $Param{SessionID},
        );

        $UserData{UserTimeZone} = $Self->_UserTimeZoneGet(%UserData);

        # check needed data
        if ( !$UserData{UserID} || !$UserData{UserLogin} || $UserData{UserType} ne 'Customer' ) {

            my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

            # redirect to alternate login
            if ( $ConfigObject->Get('CustomerPanelLoginURL') ) {
                $LayoutObject->Redirect(
                    ExtURL => $ConfigObject->Get('CustomerPanelLoginURL') . '?Reason=SystemError',
                );    # throws a Kernel::System::Web::Exception
            }

            # show login screen
            return $LayoutObject->CustomerLogin(
                Title   => 'Error',
                Message => Translatable('Error: invalid session.'),
                %Param,
            );
        }

        # check module registry
        my $ModuleReg = $ConfigObject->Get('CustomerFrontend::Module')->{ $Param{Action} };
        if ( !$ModuleReg ) {

            my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  =>
                    "Module Kernel::Modules::$Param{Action} not registered in Kernel/Config.pm!",
            );

            $LayoutObject->CustomerFatalError(
                Comment => Translatable('Please contact the administrator.'),
            );    # throws a Kernel::System::Web::Exception
        }

        # module permission check for action
        if (
            ref $ModuleReg->{GroupRo} eq 'ARRAY'
            && !scalar @{ $ModuleReg->{GroupRo} }
            && ref $ModuleReg->{Group} eq 'ARRAY'
            && !scalar @{ $ModuleReg->{Group} }
            )
        {
            $Param{AccessRo} = 1;
            $Param{AccessRw} = 1;
        }
        else {

            ( $Param{AccessRo}, $Param{AccessRw} ) = $Self->_CheckModulePermission(
                ModuleReg => $ModuleReg,
                %UserData,
            );

            if ( !$Param{AccessRo} ) {

                # new layout object
                my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');
                $Kernel::OM->Get('Kernel::System::Log')->Log(
                    Priority => 'error',
                    Message  => 'No Permission to use this frontend action module!'
                );

                $LayoutObject->CustomerFatalError(
                    Comment => Translatable('Please contact the administrator.'),
                );    # throws a Kernel::System::Web::Exception
            }

        }

        my $NavigationConfig = $ConfigObject->Get('CustomerFrontend::Navigation')->{ $Param{Action} };

        # module permission check for submenu item
        if ( IsHashRefWithData($NavigationConfig) ) {

            KEY:
            for my $Key ( sort keys %{$NavigationConfig} ) {
                next KEY if $Key                 !~ m/^\d+/i;
                next KEY if $Param{RequestedURL} !~ m/Subaction/i;

                my @ModuleNavigationConfigs;

                # FIXME: Support both old (HASH) and new (ARRAY of HASH) navigation configurations, for reasons of
                #   backwards compatibility. Once we are sure everything has been migrated correctly, support for
                #   HASH-only configuration can be dropped in future major release.
                if ( IsHashRefWithData( $NavigationConfig->{$Key} ) ) {
                    push @ModuleNavigationConfigs, $NavigationConfig->{$Key};
                }
                elsif ( IsArrayRefWithData( $NavigationConfig->{$Key} ) ) {
                    push @ModuleNavigationConfigs, @{ $NavigationConfig->{$Key} };
                }

                # Skip incompatible configuration.
                else {
                    next KEY;
                }

                ITEM:
                for my $Item (@ModuleNavigationConfigs) {
                    if (
                        $Item->{Link} !~ m/Subaction=/i
                        || $Item->{Link} !~ m/$Param{Subaction}/i
                        )
                    {
                        next ITEM;
                    }
                    $Param{AccessRo} = 0;
                    $Param{AccessRw} = 0;

                    # module permission check for submenu item
                    if (
                        ref $Item->{GroupRo} eq 'ARRAY'
                        && !scalar @{ $Item->{GroupRo} }
                        && ref $Item->{Group} eq 'ARRAY'
                        && !scalar @{ $Item->{Group} }
                        )
                    {
                        $Param{AccessRo} = 1;
                        $Param{AccessRw} = 1;
                    }
                    else {

                        ( $Param{AccessRo}, $Param{AccessRw} ) = $Self->_CheckModulePermission(
                            ModuleReg => $Item,
                            %UserData,
                        );

                        if ( !$Param{AccessRo} ) {

                            # new layout object
                            my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');
                            $Kernel::OM->Get('Kernel::System::Log')->Log(
                                Priority => 'error',
                                Message  => 'No Permission to use this frontend subaction module!'
                            );

                            $LayoutObject->CustomerFatalError(
                                Comment => Translatable('Please contact the administrator.')
                            );    # throws a Kernel::System::Web::Exception
                        }
                    }
                }
            }
        }

        # create new LayoutObject with new '%Param' and '%UserData'
        $Kernel::OM->ObjectParamAdd(
            'Kernel::Output::HTML::Layout' => {
                %Param,
                %UserData,
                ModuleReg => $ModuleReg,
            },
        );

        $Kernel::OM->ObjectsDiscard( Objects => ['Kernel::Output::HTML::Layout'] );

        # update last request time
        if (
            !$ParamObject->IsAJAXRequest()
            || $Param{Action} eq 'CustomerVideoChat'
            )
        {
            my $DateTimeObject = $Kernel::OM->Create('Kernel::System::DateTime');

            $SessionObject->UpdateSessionID(
                SessionID => $Param{SessionID},
                Key       => 'UserLastRequest',
                Value     => $DateTimeObject->ToEpoch(),
            );
        }

        # pre application module
        my $PreModule = $ConfigObject->Get('CustomerPanelPreApplicationModule');
        if ( $Param{Action} ne 'CustomerGenericContent' && $PreModule ) {
            my %PreModuleList;
            if ( ref $PreModule eq 'HASH' ) {
                %PreModuleList = %{$PreModule};
            }
            else {
                $PreModuleList{Init} = $PreModule;
            }

            MODULE:
            for my $PreModuleKey ( sort keys %PreModuleList ) {
                my $PreModule = $PreModuleList{$PreModuleKey};
                next MODULE if !$PreModule;
                next MODULE if !$Kernel::OM->Get('Kernel::System::Main')->Require($PreModule);

                # debug info
                if ( $Self->{Debug} ) {
                    $Kernel::OM->Get('Kernel::System::Log')->Log(
                        Priority => 'debug',
                        Message  => "CustomerPanelPreApplication module $PreModule is used.",
                    );
                }

                my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

                # use module
                my $PreModuleObject = $PreModule->new(
                    %Param,
                    %UserData,

                );
                my $Output = $PreModuleObject->PreRun();

                return $Output if $Output;
            }
        }

        # debug info
        if ( $Self->{Debug} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'debug',
                Message  => 'Kernel::Modules::' . $Param{Action} . '->new',
            );
        }

        my $FrontendObject = ( 'Kernel::Modules::' . $Param{Action} )->new(
            %Param,
            %UserData,
            ModuleReg => $ModuleReg,
            Debug     => $Self->{Debug},
        );

        # debug info
        if ( $Self->{Debug} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'debug',
                Message  => 'Kernel::Modules::' . $Param{Action} . '->run',
            );
        }

        # ->Run $Action with $FrontendObject
        my $Output = $FrontendObject->Run();

        # log request time for AdminPerformanceLog
        if ( $ConfigObject->Get('PerformanceLog') ) {
            my $File = $ConfigObject->Get('PerformanceLog::File');

            # Write to PerformanceLog file only if it is smaller than size limit (see bug#14747).
            if ( -s $File < ( 1024 * 1024 * $ConfigObject->Get('PerformanceLog::FileMax') ) ) {
                if ( open my $Out, '>>', $File ) {    ## no critic qw(OTOBO::ProhibitOpen)

                    # a fallback for the query string when the action is missing
                    if ( ( !$QueryString && $Param{Action} ) || $QueryString !~ /Action=/ ) {
                        $QueryString = 'Action=' . $Param{Action} . ';Subaction=' . $Param{Subaction};
                    }

                    my $Now = Time::HiRes::time();
                    print $Out join '::',
                        $Now,
                        'Customer',
                        ( $Now - $Self->{PerformanceLogStart} ),
                        $UserData{UserLogin},    # not used in the AdminPerformanceLog frontend
                        "$QueryString\n";
                    close $Out;

                    $Kernel::OM->Get('Kernel::System::Log')->Log(
                        Priority => 'debug',
                        Message  => 'Response::Customer: '
                            . ( $Now - $Self->{PerformanceLogStart} )
                            . "s taken (URL:$QueryString:$UserData{UserLogin})",
                    );
                }
                else {
                    $Kernel::OM->Get('Kernel::System::Log')->Log(
                        Priority => 'error',
                        Message  => "Can't write $File: $!",
                    );
                }
            }
            else {
                $Kernel::OM->Get('Kernel::System::Log')->Log(
                    Priority => 'error',
                    Message  => "PerformanceLog file '$File' is too large, you need to reset it in PerformanceLog page!",
                );
            }
        }

        return $Output;
    }

    # throws a Kernel::System::Web::Exception
    my %Data = $SessionObject->GetSessionIDData(
        SessionID => $Param{SessionID},
    );
    $Data{UserTimeZone} = $Self->_UserTimeZoneGet(%Data);
    $Kernel::OM->ObjectParamAdd(
        'Kernel::Output::HTML::Layout' => {
            %Param,
            %Data,
        },
    );

    my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');

    $LayoutObject->CustomerFatalError(
        Comment => Translatable('Please contact the administrator.'),
    );
}

=head2 Response()

Generate a PSGI Response object from the content generated by C<Content()>.

    my $Response = $Interface->Response();

=cut

sub Response {
    my ($Self) = @_;

    # Note that the layout object mustn't be created before calling Content().
    # This is because Content() might want to set object params before the initial creations.
    # A notable example is the SetCookies parameter.
    my $Content = $Self->Content();

    # The filtered content is a string, regardless of whether the original content is
    # a string, an array reference, or a file handle.
    my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');
    $Content = $LayoutObject->ApplyOutputFilters( Output => $Content );

    # The HTTP headers of the OTOBO web response object already have been set up.
    # Enhance it with the HTTP status code and the content.
    return $Kernel::OM->Get('Kernel::System::Web::Response')->Finalize( Content => $Content );
}

=begin Internal:

=head2 _StoreFailedLogins()

=cut

sub _StoreFailedLogins {
    my ( $Self, %Param ) = @_;
    my $CurrentTimeObject   = $Kernel::OM->Create('Kernel::System::DateTime');
    my $CurrentNewTimeStamp = $CurrentTimeObject->ToString();
    my $CacheObject         = $Kernel::OM->Get('Kernel::System::Cache');
    my $CheckHash           = $CacheObject->Get(
        Type => 'FailedLoginsCustomer',
        Key  => $Param{PostUser},
    );

    if ( !$CheckHash ) {
        $CacheObject->Set(
            Type  => 'FailedLoginsCustomer',
            Key   => $Param{PostUser},
            Value => [$CurrentNewTimeStamp],
            TTL   => $Param{PreventBruteForceConfig}{KeepCacheDuration},
        );

        return 0;
    }

    my @LoginTryArray = @{$CheckHash};

    # delete expired cache entries
    LOGIN:
    for my $LoginTime ( @{$CheckHash} ) {
        my $LoginTimeObject = $Kernel::OM->Create(
            'Kernel::System::DateTime',
            ObjectParams => {
                String => $LoginTime,
            },
        );
        my $Offset = $CurrentTimeObject->Delta(
            DateTimeObject => $LoginTimeObject,
        );

        if ( $Offset->{AbsoluteSeconds} > $Param{PreventBruteForceConfig}->{KeepCacheDuration} ) {
            shift @LoginTryArray;
        }
        else {
            last LOGIN;
        }
    }

    # add new failed login to cache
    push @LoginTryArray, $CurrentNewTimeStamp;
    $CacheObject->Set(
        Type  => 'FailedLoginsCustomer',
        Key   => $Param{PostUser},
        Value => \@LoginTryArray,
        TTL   => $Param{PreventBruteForceConfig}{KeepCacheDuration},
    );

    if ( scalar @LoginTryArray >= $Param{PreventBruteForceConfig}{MaxAttempt} ) {
        $CacheObject->Set(
            Type  => 'BannedLoginsCustomer',
            Key   => $Param{PostUser},
            Value => $CurrentNewTimeStamp,
            TTL   => $Param{PreventBruteForceConfig}{BanDuration},
        );
        return 1;
    }

    return 0;
}

sub _CheckAndRemoveFromBannedList {
    my ( $Self, %Param ) = @_;

    # get cache
    my $CacheObject = $Kernel::OM->Get('Kernel::System::Cache');

    my $BanTime = $CacheObject->Get(
        Type => 'BannedLoginsCustomer',
        Key  => $Param{PostUser},
    );

    if ( !$BanTime ) {
        return (
            Banned => 0,
        );
    }

    # calculate elapsed time
    my $CurTimeObject = $Kernel::OM->Create('Kernel::System::DateTime');
    my $BanTimeObject = $Kernel::OM->Create(
        'Kernel::System::DateTime',
        ObjectParams => {
            String => $BanTime,
        },
    );
    my $Offset = $CurTimeObject->Delta(
        DateTimeObject => $BanTimeObject,
    );

    # if the ban duration has been surpassed, delete the cache entry
    if ( $Offset->{AbsoluteSeconds} > $Param{PreventBruteForceConfig}{BanDuration} ) {
        $CacheObject->Delete(
            Type => 'BannedLoginsCustomer',
            Key  => $Param{PostUser},
        );
        return (
            Banned => 0,
        );
    }

    return (
        Banned       => 1,
        ResidualTime => $Param{PreventBruteForceConfig}{BanDuration} - $Offset->{AbsoluteSeconds},
    );
}

=head2 _CheckModulePermission()

module permission check

    ($AccessRo, $AccessRw = $AutoResponseObject->_CheckModulePermission(
        ModuleReg => $ModuleReg,
        %UserData,
    );

=cut

sub _CheckModulePermission {
    my ( $Self, %Param ) = @_;

    my $AccessRo = 0;
    my $AccessRw = 0;

    PERMISSION:
    for my $Permission (qw(GroupRo Group)) {
        my $AccessOk = 0;
        my $Group    = $Param{ModuleReg}->{$Permission};

        next PERMISSION if !$Group;

        my $GroupObject = $Kernel::OM->Get('Kernel::System::CustomerGroup');

        if ( IsArrayRefWithData($Group) ) {
            GROUP:
            for my $Item ( @{$Group} ) {
                next GROUP if !$Item;
                next GROUP if !$GroupObject->PermissionCheck(
                    UserID    => $Param{UserID},
                    GroupName => $Item,
                    Type      => $Permission eq 'GroupRo' ? 'ro' : 'rw',
                );

                $AccessOk = 1;
                last GROUP;
            }
        }
        else {
            my $HasPermission = $GroupObject->PermissionCheck(
                UserID    => $Param{UserID},
                GroupName => $Group,
                Type      => $Permission eq 'GroupRo' ? 'ro' : 'rw',
            );
            if ($HasPermission) {
                $AccessOk = 1;
            }
        }
        if ( $Permission eq 'Group' && $AccessOk ) {
            $AccessRo = 1;
            $AccessRw = 1;
        }
        elsif ( $Permission eq 'GroupRo' && $AccessOk ) {
            $AccessRo = 1;
        }
    }

    return ( $AccessRo, $AccessRw );
}

=head2 _UserTimeZoneGet()

Get time zone for the current user. This function will validate passed time zone parameter and return default user time
zone if it's not valid.

    my $UserTimeZone = $Self->_UserTimeZoneGet(
        UserTimeZone => 'Europe/Berlin',
    );

=cut

sub _UserTimeZoneGet {
    my ( $Self, %Param ) = @_;

    my $UserTimeZone;

    # Return passed time zone only if it's valid. It can happen that user preferences or session store an old-style
    #   offset which is not valid anymore. In this case, return the default value.
    #   Please see bug#13374 for more information.
    if (
        $Param{UserTimeZone}
        && Kernel::System::DateTime->IsTimeZoneValid( TimeZone => $Param{UserTimeZone} )
        )
    {
        $UserTimeZone = $Param{UserTimeZone};
    }

    $UserTimeZone ||= Kernel::System::DateTime->UserDefaultTimeZoneGet();

    return $UserTimeZone;
}

=end Internal:

=cut

1;

PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxvdG9ib19jb25maWcgdmVyc2lvbj0iMi4wIiBpbml0PSJBcHBsaWNhdGlvbiI+CiAgICA8U2V0dGluZyBOYW1lPSJPbmVUaW1lQXV0aDo6Q3VzdG9tZXJFcnJvck1lc3NhZ2VSZWZyZXNoRmFpbGVkIiBSZXF1aXJlZD0iMCIgVmFsaWQ9IjEiPgogICAgICAgIDxEZXNjcmlwdGlvbiBUcmFuc2xhdGFibGU9IjEiPlRoZSBtZXNzYWdlIHdoaWNoIHdpbGwgYmUgc2VudCB0byB0aGUgY3VzdG9tZXIgaWYgYSBsaW5rIGNvdWxkIG5vdCBiZSBnZW5lcmF0ZWQuPC9EZXNjcmlwdGlvbj4KICAgICAgICA8TmF2aWdhdGlvbj5Db3JlOjpBdXRoOjpDdXN0b21lcjwvTmF2aWdhdGlvbj4KICAgICAgICA8VmFsdWU+CiAgICAgICAgICAgIDxJdGVtIFZhbHVlVHlwZT0iU3RyaW5nIiBWYWx1ZVJlZ2V4PSIiPkxpbmsga29ubnRlIG5pY2h0IGVyemV1Z3Qgd2VyZGVuLCBiaXR0ZSBzZW5kZW4gU2llIGVpbmUgZW1haWwgYW4gc3VwcG9ydEB3ZS5jb20uPC9JdGVtPgogICAgICAgIDwvVmFsdWU+CiAgICA8L1NldHRpbmc+CiAgICA8U2V0dGluZyBOYW1lPSJPbmVUaW1lQXV0aDo6Q3VzdG9tZXJFcnJvck1lc3NhZ2VMaW5rRXhwaXJlZCIgUmVxdWlyZWQ9IjAiIFZhbGlkPSIxIj4KICAgICAgICA8RGVzY3JpcHRpb24gVHJhbnNsYXRhYmxlPSIxIj5UaGUgbWVzc2FnZSB3aGljaCB0aGUgY3VzdG9tZXIgdXNlciB3aWxsIHNlZSBpZiBoZSB1c2VzIGFuIGludmFsaWQgdG9rZW4uPC9EZXNjcmlwdGlvbj4KICAgICAgICA8TmF2aWdhdGlvbj5Db3JlOjpBdXRoOjpDdXN0b21lcjwvTmF2aWdhdGlvbj4KICAgICAgICA8VmFsdWU+CiAgICAgICAgICAgIDxJdGVtIFZhbHVlVHlwZT0iU3RyaW5nIiBWYWx1ZVJlZ2V4PSIiPklociBMaW5rIHZlcndlaXN0IGF1ZiBrZWluIG5vY2ggZ8O8bHRpZ2VzIFRpY2tldC48L0l0ZW0+CiAgICAgICAgPC9WYWx1ZT4KICAgIDwvU2V0dGluZz4KICAgIDxTZXR0aW5nIE5hbWU9Ik9uZVRpbWVBdXRoOjpDdXN0b21lckVycm9yTWVzc2FnZVdyb25nTGluayIgUmVxdWlyZWQ9IjAiIFZhbGlkPSIxIj4KICAgICAgICA8RGVzY3JpcHRpb24gVHJhbnNsYXRhYmxlPSIxIj5UaGUgbWVzc2FnZSB3aGljaCB0aGUgY3VzdG9tZXIgdXNlciB3aWxsIHNlZSBpZiBoZSB1c2VzIGFuIG9sZCB0b2tlbiB3aXRoIGFuIGFjdGl2ZSBvbmUgYWxyZWFkeSBiZWluZyBwcmVzZW50LjwvRGVzY3JpcHRpb24+CiAgICAgICAgPE5hdmlnYXRpb24+Q29yZTo6QXV0aDo6Q3VzdG9tZXI8L05hdmlnYXRpb24+CiAgICAgICAgPFZhbHVlPgogICAgICAgICAgICA8SXRlbSBWYWx1ZVR5cGU9IlN0cmluZyIgVmFsdWVSZWdleD0iIj5BdXMgU2ljaGVyaGVpdHNncsO8bmRlbiBtw7xzc2VuIFNpZSBkZW4gbmV1ZXN0ZW4gSWhuZW4genVnZXNhbmR0ZW4gTGluayBudXR6ZW4gdW0gYXVmIGRpZXNlcyBUaWNrZXQgenV6dWdyZWlmZW4uPC9JdGVtPgogICAgICAgIDwvVmFsdWU+CiAgICA8L1NldHRpbmc+CiAgICA8U2V0dGluZyBOYW1lPSJPbmVUaW1lQXV0aDo6Q3VzdG9tZXJFcnJvck1lc3NhZ2VOZXdMaW5rIiBSZXF1aXJlZD0iMCIgVmFsaWQ9IjEiPgogICAgICAgIDxEZXNjcmlwdGlvbiBUcmFuc2xhdGFibGU9IjEiPlRoZSBtZXNzYWdlIHdoaWNoIHRoZSBjdXN0b21lciB1c2VyIHdpbGwgc2VlIGlmIGEgbmV3IG9uZSBpcyBzZW50IHRvIGhpcyBlbWFpbCBhZGRyZXNzLjwvRGVzY3JpcHRpb24+CiAgICAgICAgPE5hdmlnYXRpb24+Q29yZTo6QXV0aDo6Q3VzdG9tZXI8L05hdmlnYXRpb24+CiAgICAgICAgPFZhbHVlPgogICAgICAgICAgICA8SXRlbSBWYWx1ZVR5cGU9IlN0cmluZyIgVmFsdWVSZWdleD0iIj5JaHJlIFNlc3Npb24gaXN0IGxlaWRlciBhYmdlbGF1ZmVuIC0gZWluIG5ldWVyIExpbmsgd3VyZGUgYW4gSWhyZSBFbWFpbC1BZHJlc3NlIGdlc2VuZGV0LjwvSXRlbT4KICAgICAgICA8L1ZhbHVlPgogICAgPC9TZXR0aW5nPgogICAgPFNldHRpbmcgTmFtZT0iT25lVGltZUF1dGg6OkFjY2Vzc0RheXNBZnRlckNsb3NlIiBSZXF1aXJlZD0iMCIgVmFsaWQ9IjEiPgogICAgICAgIDxEZXNjcmlwdGlvbiBUcmFuc2xhdGFibGU9IjEiPlRoZSBudW1iZXIgb2YgZGF5cyBjdXN0b21lciB1c2VycyBjYW4gdXNlIGRpcmVjdCBsaW5rcyB0byBvcGVuIHRpY2tldHMgYWZ0ZXIgdGhleSBhcmUgY2xvc2VkLjwvRGVzY3JpcHRpb24+CiAgICAgICAgPE5hdmlnYXRpb24+Q29yZTo6QXV0aDo6Q3VzdG9tZXI8L05hdmlnYXRpb24+CiAgICAgICAgPFZhbHVlPgogICAgICAgICAgICA8SXRlbSBWYWx1ZVR5cGU9IlN0cmluZyIgVmFsdWVSZWdleD0iXlxkKiQiPjE0PC9JdGVtPgogICAgICAgIDwvVmFsdWU+CiAgICA8L1NldHRpbmc+CiAgICA8U2V0dGluZyBOYW1lPSJPbmVUaW1lQXV0aDo6VG9rZW5SZWZyZXNoTm90aWZpY2F0aW9uSUQiIFJlcXVpcmVkPSIwIiBWYWxpZD0iMCI+CiAgICAgICAgPERlc2NyaXB0aW9uIFRyYW5zbGF0YWJsZT0iMSI+U2VuZCB0aGUgdGV4dCBvZiBhIG5vdGlmaWNhdGlvbiB0byB0aGUgY3VzdG9tZXIgdXNlciBpZiBoZSByZWZyZXNocyBoaXMgdG9rZW4uPC9EZXNjcmlwdGlvbj4KICAgICAgICA8TmF2aWdhdGlvbj5Db3JlOjpBdXRoOjpDdXN0b21lcjwvTmF2aWdhdGlvbj4KICAgICAgICA8VmFsdWU+CiAgICAgICAgICAgIDxJdGVtIFZhbHVlVHlwZT0iU3RyaW5nIiBWYWx1ZVJlZ2V4PSJeXGQqJCI+MDwvSXRlbT4KICAgICAgICA8L1ZhbHVlPgogICAgPC9TZXR0aW5nPgogICAgPFNldHRpbmcgTmFtZT0iUG9zdE1hc3Rlcjo6UHJlRmlsdGVyTW9kdWxlIyMjMDAwLUNyZWF0ZUN1c3RvbWVyVXNlciIgUmVxdWlyZWQ9IjAiIFZhbGlkPSIwIj4KICAgICAgICA8RGVzY3JpcHRpb24gVHJhbnNsYXRhYmxlPSIxIj5DcmVhdGUgYSBDdXN0b21lclVzZXIgaW4gYSBzcGVjaWZpYyBiYWNrZW5kIGlmIG5vbmUgZXhpc3RzIGZvciB0aGUgc2VuZGVyIGVtYWlsLiBDdXN0b21lckhlYWRlclNwb29mUHJvdGVjdGlvbiBzZXRzIChhbmQgcG9zc2libHkgb3ZlcndyaXRlcykgdGhlIFgtT1RPQk8tQ3VzdG9tZXIgaGVhZGVyIGlmIGEgY3VzdG9tZXIgdXNlciBleGlzdHMgZm9yIGFuIGVtYWlsIGFkZHJlc3MgdG8gcHJldmVudCBzcG9vZmluZy4gQ3VzdG9tZXJVc2VyQmFja2VuZCBkZWZpbmVzIHRoZSBiYWNrZW5kIGluIHdoaWNoIHRoZSBDdXN0b21lclVzZXIgd2lsbCBiZSBjcmVhdGVkLCBpZiBTZXRDaGVja0JveE5hbWUgaXMgc2V0IHRvIHRoZSBuYW1lIG9mIGEgZHluYW1pYyBmaWVsZCBvZiB0aGUgdHlwZSBjaGVja2JveCwgaXQgd2lsbCBiZSBzZXQgdG8gY2hlY2tlZCBmb3IgdGlja2V0cyBjcmVhdGVkIGJ5IGN1c3RvbWVyIHVzZXJzIGZyb20gdGhpcyBiYWNrZW5kLjwvRGVzY3JpcHRpb24+CiAgICAgICAgPE5hdmlnYXRpb24+Q29yZTo6RW1haWw6OlBvc3RNYXN0ZXI8L05hdmlnYXRpb24+CiAgICAgICAgPFZhbHVlPgogICAgICAgICAgICA8SGFzaD4KICAgICAgICAgICAgICAgIDxJdGVtIEtleT0iTW9kdWxlIj5LZXJuZWw6OlN5c3RlbTo6UG9zdE1hc3Rlcjo6RmlsdGVyOjpDcmVhdGVOZXdDdXN0b21lclVzZXI8L0l0ZW0+CiAgICAgICAgICAgICAgICA8SXRlbSBLZXk9IkN1c3RvbWVySGVhZGVyU3Bvb2ZQcm90ZWN0aW9uIj4xPC9JdGVtPgogICAgICAgICAgICAgICAgPEl0ZW0gS2V5PSJDdXN0b21lclVzZXJCYWNrZW5kIj48L0l0ZW0+CiAgICAgICAgICAgICAgICA8SXRlbSBLZXk9IlNldENoZWNrQm94TmFtZSI+PC9JdGVtPgogICAgICAgICAgICA8L0hhc2g+CiAgICAgICAgPC9WYWx1ZT4KICAgIDwvU2V0dGluZz4KICAgIDxTZXR0aW5nIE5hbWU9IkRhZW1vbjo6U2NoZWR1bGVyQ3JvblRhc2tNYW5hZ2VyOjpUYXNrIyMjRGVsZXRlRXhwaXJlZE9UQVRva2VucyIgUmVxdWlyZWQ9IjAiIFZhbGlkPSIxIiBDb25maWdMZXZlbD0iMTAwIj4KICAgICAgICA8RGVzY3JpcHRpb24gVHJhbnNsYXRhYmxlPSIxIj5EZWxldGVzIE9UQSBUb2tlbnMgb2YgY2xvc2VkIHRpY2tldHMuPC9EZXNjcmlwdGlvbj4KICAgICAgICA8TmF2aWdhdGlvbj5EYWVtb246OlNjaGVkdWxlckNyb25UYXNrTWFuYWdlcjo6VGFzazwvTmF2aWdhdGlvbj4KICAgICAgICA8VmFsdWU+CiAgICAgICAgICAgIDxIYXNoPgogICAgICAgICAgICAgICAgPEl0ZW0gS2V5PSJUYXNrTmFtZSI+RGVsZXRlRXhwaXJlZE9UQVRva2VuczwvSXRlbT4KICAgICAgICAgICAgICAgIDxJdGVtIEtleT0iU2NoZWR1bGUiPjAgNCAqICogKjwvSXRlbT4KICAgICAgICAgICAgICAgIDxJdGVtIEtleT0iTW9kdWxlIj5LZXJuZWw6OlN5c3RlbTo6Q3VzdG9tZXJBdXRoOjpPbmVUaW1lQXV0aExpbms8L0l0ZW0+CiAgICAgICAgICAgICAgICA8SXRlbSBLZXk9IkZ1bmN0aW9uIj5EZWFjdGl2YXRlQ2xvc2VkVGlja2V0czwvSXRlbT4KICAgICAgICAgICAgICAgIDxJdGVtIEtleT0iTWF4aW11bVBhcmFsbGVsSW5zdGFuY2VzIj4xPC9JdGVtPgogICAgICAgICAgICAgICAgPEl0ZW0gS2V5PSJQYXJhbXMiPgogICAgICAgICAgICAgICAgICAgIDxBcnJheT4KICAgICAgICAgICAgICAgICAgICA8L0FycmF5PgogICAgICAgICAgICAgICAgPC9JdGVtPgogICAgICAgICAgICA8L0hhc2g+CiAgICAgICAgPC9WYWx1ZT4KICAgIDwvU2V0dGluZz4KPC9vdG9ib19jb25maWc+Cg==
IyAtLQojIE9UT0JPIGlzIGEgd2ViLWJhc2VkIHRpY2tldGluZyBzeXN0ZW0gZm9yIHNlcnZpY2Ugb3JnYW5pc2F0aW9ucy4KIyAtLQojIENvcHlyaWdodCAoQykgMjAwMS0yMDIwIE9UUlMgQUcsIGh0dHBzOi8vb3Rycy5jb20vCiMgQ29weXJpZ2h0IChDKSAyMDE5LTIwMjEgUm90aGVyIE9TUyBHbWJILCBodHRwczovL290b2JvLmRlLwojIC0tCiMgVGhpcyBwcm9ncmFtIGlzIGZyZWUgc29mdHdhcmU6IHlvdSBjYW4gcmVkaXN0cmlidXRlIGl0IGFuZC9vciBtb2RpZnkgaXQgdW5kZXIKIyB0aGUgdGVybXMgb2YgdGhlIEdOVSBHZW5lcmFsIFB1YmxpYyBMaWNlbnNlIGFzIHB1Ymxpc2hlZCBieSB0aGUgRnJlZSBTb2Z0d2FyZQojIEZvdW5kYXRpb24sIGVpdGhlciB2ZXJzaW9uIDMgb2YgdGhlIExpY2Vuc2UsIG9yIChhdCB5b3VyIG9wdGlvbikgYW55IGxhdGVyIHZlcnNpb24uCiMgVGhpcyBwcm9ncmFtIGlzIGRpc3RyaWJ1dGVkIGluIHRoZSBob3BlIHRoYXQgaXQgd2lsbCBiZSB1c2VmdWwsIGJ1dCBXSVRIT1VUCiMgQU5ZIFdBUlJBTlRZOyB3aXRob3V0IGV2ZW4gdGhlIGltcGxpZWQgd2FycmFudHkgb2YgTUVSQ0hBTlRBQklMSVRZIG9yIEZJVE5FU1MKIyBGT1IgQSBQQVJUSUNVTEFSIFBVUlBPU0UuIFNlZSB0aGUgR05VIEdlbmVyYWwgUHVibGljIExpY2Vuc2UgZm9yIG1vcmUgZGV0YWlscy4KIyBZb3Ugc2hvdWxkIGhhdmUgcmVjZWl2ZWQgYSBjb3B5IG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZQojIGFsb25nIHdpdGggdGhpcyBwcm9ncmFtLiBJZiBub3QsIHNlZSA8aHR0cHM6Ly93d3cuZ251Lm9yZy9saWNlbnNlcy8+LgojIC0tCgpwYWNrYWdlIEtlcm5lbDo6U3lzdGVtOjpDb25zb2xlOjpDb21tYW5kOjpNYWludDo6Q3VzdG9tZXJBdXRoOjpEZWxldGVFeHBpcmVkT1RBVG9rZW5zOwoKdXNlIHN0cmljdDsKdXNlIHdhcm5pbmdzOwoKdXNlIHBhcmVudCBxdyhLZXJuZWw6OlN5c3RlbTo6Q29uc29sZTo6QmFzZUNvbW1hbmQpOwoKdXNlIEtlcm5lbDo6U3lzdGVtOjpWYXJpYWJsZUNoZWNrIHF3KDphbGwpOwoKb3VyIEBPYmplY3REZXBlbmRlbmNpZXMgPSAoCiAgICAnS2VybmVsOjpTeXN0ZW06OkN1c3RvbWVyQXV0aDo6T25lVGltZUF1dGhMaW5rJywKKTsKCnN1YiBDb25maWd1cmUgewogICAgbXkgKCAkU2VsZiwgJVBhcmFtICkgPSBAXzsKCiAgICAkU2VsZi0+RGVzY3JpcHRpb24oJ0RlbGV0ZXMgZXhwaXJlZCBPbmVUaW1lQXV0aGVudGlmaWNhdGlvblRva2Vucy4nKTsKCiAgICByZXR1cm47Cn0KCnN1YiBQcmVSdW4gewogICAgbXkgKCAkU2VsZiwgJVBhcmFtICkgPSBAXzsKCiAgICByZXR1cm47Cn0KCnN1YiBSdW4gewogICAgbXkgKCAkU2VsZiwgJVBhcmFtICkgPSBAXzsKCiAgICBteSAkU3VjY2VzcyA9ICRLZXJuZWw6Ok9NLT5HZXQoJ0tlcm5lbDo6U3lzdGVtOjpDdXN0b21lckF1dGg6Ok9uZVRpbWVBdXRoTGluaycpLT5EZWFjdGl2YXRlQ2xvc2VkVGlja2V0cygpOwoKICAgIGlmICgkU3VjY2VzcykgewogICAgICAgICRTZWxmLT5QcmludCgiPGdyZWVuPkRvbmUuPC9ncmVlbj5cblxuIik7CiAgICAgICAgcmV0dXJuICRTZWxmLT5FeGl0Q29kZU9rKCk7CiAgICB9CgogICAgJFNlbGYtPlByaW50RXJyb3IoIkZhaWxlZC5cblxuIik7CiAgICByZXR1cm4gJFNlbGYtPkV4aXRDb2RlRXJyb3IoKTsKfQoKMTsK
# --
# OTOBO is a web-based ticketing system for service organisations.
# --
# Copyright (C) 2001-2020 OTRS AG, https://otrs.com/
# Copyright (C) 2019-2021 Rother OSS GmbH, https://otobo.de/
# --
# This program is free software: you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
# Foundation, either version 3 of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# --

package Kernel::System::CustomerAuth::OneTimeAuthLink;

use strict;
use warnings;
use utf8;

our @ObjectDependencies = (
    'Kernel::Config',
    'Kernel::System::CustomerUser',
    'Kernel::System::DB',
    'Kernel::System::Log',
);

sub new {
    my ( $Type, %Param ) = @_;

    # allocate new hash for object
    my $Self = {};
    bless( $Self, $Type );

    # get database object
    $Self->{DBObject} = $Kernel::OM->Get('Kernel::System::DB');
    
    $Self->{Table} = 'ota_tokens';

    return $Self;
}

sub GetOption {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    if ( !$Param{What} ) {
        $Kernel::OM->Get('Kernel::System::Log')->Log(
            Priority => 'error',
            Message  => "Need What!"
        );
        return;
    }

    # module options
    my %Option = (
        PreAuth => 0,
    );

    # return option
    return $Option{ $Param{What} };
}

sub ExtendedParamNames {
    my ( $Self, %Param ) = @_;
    
    return qw/OTAToken/;
}

sub Auth {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    if ( !$Param{OTAToken} ) {
        $Kernel::OM->Get('Kernel::System::Log')->Log(
            Priority => 'debug',
            Message  => "No Token provided!"
        );
        return;
    }

    $Self->{DBObject}->Prepare(
        SQL => "SELECT used,user,ticket_number FROM $Self->{Table} WHERE token = ?",
        Bind => [ \$Param{OTAToken} ],
    );

    my @Row =  $Self->{DBObject}->FetchrowArray();
    my ( $Used, $User, $TicketNumber ) = ( 0 );

    if ( @Row ) {
        ( $Used, $User, $TicketNumber ) = @Row;
    }

    if ( !$Used || !$User ) {
        return {
            Error => $Kernel::OM->Get('Kernel::Config')->Get('OneTimeAuth::CustomerErrorMessageLinkExpired') || 'Ihr Link verweist auf kein noch gültiges Ticket.',
        }
    }

    my $CustomerUserObject = $Kernel::OM->Get('Kernel::System::CustomerUser');

    # send out new email if the ticket is still considered active but no current link exists
    if ( $Used == 1 ) {
        # store failed login count
        my %CustomerData = $CustomerUserObject->CustomerUserDataGet( User => $Param{User} );
        if (%CustomerData) {
            my $Count = $CustomerData{UserLoginFailed} || 0;
            $Count++;
            $CustomerUserObject->SetPreferences(
                Key    => 'UserLoginFailed',
                Value  => $Count,
                UserID => $CustomerData{UserLogin},
            );
        }

        # check whether active login link still exists
        $Self->{DBObject}->Prepare(
            SQL => "SELECT user FROM $Self->{Table} WHERE ticket_number = ? AND used = ?",
            Bind => [ \$TicketNumber, \2 ],
        );

        if ( $Self->{DBObject}->FetchrowArray() ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'debug',
                Message  => "CustomerUser '$User' tried to log in with an old token. New token exists - nothing to do."
            );

            return {
                Error => $Kernel::OM->Get('Kernel::Config')->Get('OneTimeAuth::CustomerErrorMessageWrongLink') || 'Aus Sicherheitsgründen müssen Sie den neuesten Ihnen zugesandten Link nutzen um auf dieses Ticket zuzugreifen.',
            }
        }
        else {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'debug',
                Message  => "CustomerUser '$User' tried to log in with an old token. No active token left - sending a new one via mail."
            );

            $Self->SendNewToken(
                User         => $User,
                TicketNumber => $TicketNumber,
            );

            return {
                Error => $Kernel::OM->Get('Kernel::Config')->Get('OneTimeAuth::CustomerErrorMessageNewLink') || 'Ihre Session ist leider abgelaufen - ein neuer Link wurde an Ihre Email-Adresse gesendet.',
            }
        }
    }
    elsif ( $Used == 2 ) {
        $Kernel::OM->Get('Kernel::System::Log')->Log(
            Priority => 'debug',
            Message  => "CustomerUser '$User' logged in via token."
        );

        $Self->DeactivateTicketTokens(
            TicketNumber => $TicketNumber,
        );

        return $User;
    }

    return;
}

sub GenerateToken {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    for my $Needed ( qw/User TicketNumber/ ) {
        if ( !$Param{$Needed} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $Needed!"
            );
            return;
        }
    }

    # deactivate all other tokens for this ticket
    $Self->DeactivateTicketTokens(
        TicketNumber => $Param{TicketNumber},
    );

    my $OTATokenLength = 24;
    my $RandomString;

    my $Try = 1;
    while ( $Try ) {
        $RandomString = $Kernel::OM->Get('Kernel::System::Main')->GenerateRandomString(
            Length => $OTATokenLength,
        );

        # check whether the string already exists
        $Self->{DBObject}->Prepare(
            SQL => "SELECT user FROM $Self->{Table} WHERE token = ?",
            Bind => [ \$Param{OTAToken} ],
        );

        if ( $Self->{DBObject}->FetchrowArray() ) {
            $Try++;
        }
        else {
            $Try = 0;
        }

        if ( $Try > 5 ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Could not generate a unique random string after five retries - something is not right!"
            );
            return;
        }
    }

    return if !$Self->{DBObject}->Do(
        SQL => "INSERT INTO $Self->{Table} ( token, ticket_number, used, user, create_time, change_time )
            VALUES ( ?, ?, ?, ?, current_timestamp, current_timestamp )",
        Bind => [ \$RandomString, \$Param{TicketNumber}, \2, \$Param{User} ],
    );
    
    return $RandomString;
}

sub DeactivateTicketTokens {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    for my $Needed ( qw/TicketNumber/ ) {
        if ( !$Param{$Needed} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $Needed!"
            );
            return;
        }
    }

    return if !$Self->{DBObject}->Do(
        SQL => "UPDATE $Self->{Table} SET used = 1, change_time = current_timestamp WHERE ticket_number = ? AND used = 2",
        Bind => [ \$Param{TicketNumber} ],
    );

    return 1;
}

sub DeleteTicketTokens {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    for my $Needed ( qw/TicketNumber/ ) {
        if ( !$Param{$Needed} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $Needed!"
            );
            return;
        }
    }

    return if !$Self->{DBObject}->Do(
        SQL => "DELETE FROM $Self->{Table} WHERE ticket_number = ?",
        Bind => [ \$Param{TicketNumber} ],
    );

    return 1;
}

sub TicketLink {
    my ( $Self, %Param ) = @_;

    my $ConfigObject = $Kernel::OM->Get('Kernel::Config');

    # check needed stuff
    for my $Needed ( qw/TicketNumber User/ ) {
        if ( !$Param{$Needed} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $Needed!"
            );

            return $ConfigObject->Get('OneTimeAuth::CustomerErrorMessageRefreshFailed') // 'Link could not be generated, please contact us directly!';
        }
    }

    my $TicketLink = $ConfigObject->Get('HttpType') . '://' . $ConfigObject->Get('FQDN') . '/otobo/customer.pl';
    $TicketLink .= "?Action=CustomerTicketZoom;TicketNumber=$Param{TicketNumber}";

    # check if the user already has a passsword - then no direct link is needed
    my %User = $Kernel::OM->Get('Kernel::System::CustomerUser')->CustomerUserDataGet(
        User => $Param{User},
    );

    unless ( $User{UserPassword} ) {
        # generate token
        my $Token = $Self->GenerateToken(
            %Param,
        );

        if ( !$Token ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Error in token generation!"
            );

            return $ConfigObject->Get('OneTimeAuth::CustomerErrorMessage') // 'Link could not be generated, please contact us directly!';
        }

        $TicketLink .= ";OTAToken=$Token";
    }

    return "<a href='$TicketLink' target='_blank'>$TicketLink</a>";
}

sub DeactivateClosedTickets {
    my ( $Self, %Param ) = @_;

    my $ConfigObject = $Kernel::OM->Get('Kernel::Config');
    my $TicketObject = $Kernel::OM->Get('Kernel::System::Ticket');

    # get the compare time if a delay is given
    my $Delay       = $Kernel::OM->Get('Kernel::Config')->Get('OneTimeAuth::AccessDaysAfterClose') || 0;
    my $StillOKTime = $Kernel::OM->Create('Kernel::System::DateTime')->ToEpoch() - 24*60*60*$Delay;

    $Self->{DBObject}->Prepare(
        SQL => "SELECT DISTINCT(ticket_number) FROM $Self->{Table}",
    );
    
    my @TicketNumbers;
    while ( my @Row = $Self->{DBObject}->FetchrowArray() ) {
        push @TicketNumbers, $Row[0];
    }
    
    TICKET:
    for my $TN ( @TicketNumbers ) {
        my $TicketID = $TicketObject->TicketIDLookup(
            TicketNumber => $TN,
        );

        my %Ticket = $TicketObject->TicketGet(
            TicketID => $TicketID,
        );

        # remove old tokens
        if ( $Ticket{StateType} eq 'closed' || $Ticket{StateType} eq 'removed' || $Ticket{StateType} eq 'merged' ) {
            if ( $Delay ) {
                my $LastChangedTime = $Kernel::OM->Create(
                    'Kernel::System::DateTime',
                    ObjectParams => {
                        String   => $Ticket{Changed},
                    }
                )->ToEpoch();

                next TICKET if $LastChangedTime > $StillOKTime;
            }

            $Self->DeleteTicketTokens(
                TicketNumber => $TN,
            ); 
        }
    }

    return 1;
}

sub SendNewToken {
    my ( $Self, %Param ) = @_;

    # check needed stuff
    for my $Needed ( qw/TicketNumber User/ ) {
        if ( !$Param{$Needed} ) {
            $Kernel::OM->Get('Kernel::System::Log')->Log(
                Priority => 'error',
                Message  => "Need $Needed!"
            );

            return;
        }
    }

    my $ConfigObject       = $Kernel::OM->Get('Kernel::Config');
    my $CustomerUserObject = $Kernel::OM->Get('Kernel::System::CustomerUser');
    my $TicketObject       = $Kernel::OM->Get('Kernel::System::Ticket');

    my $TicketID = $TicketObject->TicketIDLookup(
        TicketNumber => $Param{TicketNumber},
    );
    my %Ticket = $TicketObject->TicketGet(
        TicketID => $TicketID,
    );
    my %User = $Kernel::OM->Get('Kernel::System::CustomerUser')->CustomerUserDataGet(
        User => $Param{User},
    );

    my $TemplateGenerator = $Kernel::OM->Get('Kernel::System::TemplateGenerator');
    my $Sender            = $TemplateGenerator->Sender(
        QueueID => $Ticket{QueueID},
        UserID  => 1,
    );

    my $NotificationID = $ConfigObject->Get('OneTimeAuth::TokenRefreshNotificationID');

    my ( $Body, $Subject );

    if ( $NotificationID ) {
        my %Notification = $Kernel::OM->Get('Kernel::System::NotificationEvent')->NotificationGet(
            ID => $NotificationID,
        );

        my %Languages = map { $_ => $_ } @{ $Notification{Data}{LanguageID} };
        my $Language  = $Languages{de} || $Languages{en} || $Notification{Data}{LanguageID}[0];

        # replace place holder stuff
        $Body = $TemplateGenerator->_Replace(
            RichText        => $ConfigObject->Get('Frontend::RichText'),
            Text            => $Notification{Message}{$Language}{Body},
            Data            => {},
            TicketData      => \%Ticket,
            UserID          => 1,
        );

        $Subject = $TemplateGenerator->_Replace(
            RichText        => 0,
            Text            => $Notification{Message}{$Language}{Subject},
            Data            => {},
            TicketData      => \%Ticket,
            UserID          => 1,
        );
    }

    else {
        my $TicketLink = $Self->TicketLink( %Param );

        $Subject = "Neuer Authentifizierungslink für Ticket#$Ticket{TicketNumber}";
        $Body    = "Guten Tag<br/>Ihr aktueller Link um auf Ticket#$Ticket{TicketNumber} zugreifen zu können lautet:<br/>$TicketLink";
    }


    my $EmailObject = $Kernel::OM->Get('Kernel::System::Email');
    my $Sent = $EmailObject->Send(
        From     => $Sender,
        To       => $User{UserEmail},
        Subject  => $Subject,
        Charset  => 'utf-8',
        MimeType => 'text/html',
        Body     => $Body,
    );

    if ( !$Sent ) {
        $Kernel::OM->Get('Kernel::System::Log')->Log(
            Priority => 'error',
            Message  => "Could not send new token to $Param{User} for Ticket#$Param{TicketNumber}!"
        );

        return;
    }

    return 1;
}

1;

# --
# OTOBO is a web-based ticketing system for service organisations.
# --
# Copyright (C) 2001-2020 OTRS AG, https://otrs.com/
# Copyright (C) 2019-2021 Rother OSS GmbH, https://otobo.de/
# --
# This program is free software: you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
# Foundation, either version 3 of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# --

package Kernel::System::PostMaster::Filter::CreateNewCustomerUser;

use strict;
use warnings;

use Kernel::System::VariableCheck qw(:all);

our @ObjectDependencies = (
    'Kernel::System::CustomerUser',
    'Kernel::System::Log',
);

sub new {
    my ( $Type, %Param ) = @_;

    # allocate new hash for object
    my $Self = {};
    bless( $Self, $Type );

    # get parser object
    $Self->{ParserObject} = $Param{ParserObject} || die "Got no ParserObject!";

    # Get communication log object.
    $Self->{CommunicationLogObject} = $Param{CommunicationLogObject} || die "Got no CommunicationLogObject!";

    return $Self;
}

sub Run {
    my ( $Self, %Param ) = @_;

    # only needed for new tickets
    return 1 if $Param{TicketID};

    # check needed stuff
    for (qw(GetParam JobConfig)) {
        if ( !$Param{$_} ) {
            $Self->{CommunicationLogObject}->ObjectLog(
                ObjectLogType => 'Message',
                Priority      => 'Error',
                Key           => 'Kernel::System::PostMaster::Filter::CreateNewCustomerUser',
                Value         => "Need $_!",
            );
            return;
        }
    }

    my @EmailAddressOnField = $Self->{ParserObject}->SplitAddressLine(
        Line => $Self->{ParserObject}->GetParam( WHAT => 'From' ),
    );

    my $IncomingMailAddress;

    for my $EmailAddress (@EmailAddressOnField) {
        $IncomingMailAddress = $Self->{ParserObject}->GetEmailAddress(
            Email => $EmailAddress,
        );
    }

    return 1 if !$IncomingMailAddress;

    my $CustomerUserObject = $Kernel::OM->Get('Kernel::System::CustomerUser');

    my %List = $CustomerUserObject->CustomerSearch(
        PostMasterSearch => lc( $IncomingMailAddress ),
        Valid            => 0,
    );

    # user already exists
    if ( %List ) {

        # return if no X-OTOBO-CustomerUser spoofing is possible/dangerous
        return 1 if !$Param{JobConfig}{CustomerHeaderSpoofProtection} && !$Param{JobConfig}{SetCheckBoxName};

        my %CustomerData;
        LOGIN:
        for my $UserLogin ( sort keys %List ) {
            my %CustomerUser = $CustomerUserObject->CustomerUserDataGet(
                User => $UserLogin,
            );
            
            if ( $CustomerUser{ValidID} == 1 ) {
                %CustomerData = %CustomerUser;
                last LOGIN;
            }
        }

        # if user exists but is not valid, do nothing
        return 1 if !%CustomerData;

        if ( $Param{JobConfig}{SetCheckBoxName} && $CustomerData{Source} eq ( $Param{JobConfig}{CustomerUserBackend} || 'CustomerUser' ) ) {
            $Param{GetParam}{ 'X-OTOBO-DynamicField-' . $Param{JobConfig}{SetCheckBoxName} } = 1;
        }

        return 1 if !$Param{JobConfig}{CustomerHeaderSpoofProtection};

        # take CustomerID from customer backend lookup or from from field
        if ( $CustomerData{UserLogin} ) {
            $Param{GetParam}{'X-OTOBO-CustomerUser'} = $CustomerData{UserLogin};

            # notice that UserLogin is from customer source backend
            $Self->{CommunicationLogObject}->ObjectLog(
                ObjectLogType => 'Message',
                Priority      => 'Notice',
                Key           => 'Kernel::System::PostMaster::Filter::CreateNewCustomerUser',
                Value         => "Take UserLogin ($CustomerData{UserLogin}) from "
                    . "customer source backend based on ($IncomingMailAddress).",
            );
        }
        if ( $CustomerData{UserCustomerID} ) {
            $Param{GetParam}{'X-OTOBO-CustomerNo'} = $CustomerData{UserCustomerID};

            # notice that UserCustomerID is from customer source backend
            $Self->{CommunicationLogObject}->ObjectLog(
                ObjectLogType => 'Message',
                Priority      => 'Notice',
                Key           => 'Kernel::System::PostMaster::Filter::CreateNewCustomerUser',
                Value         => "Take UserCustomerID ($CustomerData{UserCustomerID})"
                    . " from customer source backend based on ($IncomingMailAddress).",
            );
        }
    }

    # user does not yet exist - create it!
    else {
        my $UserLogin = lc( $IncomingMailAddress );
        
        my $Success = $CustomerUserObject->CustomerUserAdd(
            Source         => $Param{JobConfig}{CustomerUserBackend} || 'CustomerUser',
            UserFirstname  => ' ',
            UserLastname   => ' ',
            UserCustomerID => $UserLogin,
            UserLogin      => $UserLogin,
            UserEmail      => $UserLogin,
            ValidID        => 1,
            UserID         => 1,
        );

        if ( $Success ) {
            # notice that UserLogin is from customer source backend
            $Self->{CommunicationLogObject}->ObjectLog(
                ObjectLogType => 'Message',
                Priority      => 'Notice',
                Key           => 'Kernel::System::PostMaster::Filter::CreateNewCustomerUser',
                Value         => "Create and set new UserLogin ($UserLogin).",
            );

            $Param{GetParam}{'X-OTOBO-CustomerUser'} = $UserLogin;
            $Param{GetParam}{'X-OTOBO-CustomerNo'}   = $UserLogin;

            if ( $Param{JobConfig}{SetCheckBoxName} ) {
                $Param{GetParam}{ 'X-OTOBO-DynamicField-' . $Param{JobConfig}{SetCheckBoxName} } = 1;
            }

            # set preferences
            $CustomerUserObject->SetPreferences(
                UserID => $UserLogin,
                Key    => 'UserTimeZone',
                Value  => 'Europe/Berlin',
            );
            $CustomerUserObject->SetPreferences(
                UserID => $UserLogin,
                Key    => 'UserShowTickets',
                Value  => '25',
            );
            $CustomerUserObject->SetPreferences(
                UserID => $UserLogin,
                Key    => 'UserRefreshTime',
                Value  => '0',
            );
        }
    }

    return 1;
}

1;
