
feat(core): add system-wide feedback endpoint for Aurora integration#2070

Draft
ArtieReus wants to merge 2 commits into master from artie-user-feedback

Conversation


@ArtieReus ArtieReus commented Jun 1, 2026

Summary

Adds a new system-level API endpoint /system/feedback to collect user feedback from Aurora and Elektra applications. The endpoint requires authentication and API token authorization, then sends feedback via email using the existing CoreApplicationMailer infrastructure.

Changes Made

  • Added FeedbackController with authentication and API token validation
  • Added FeedbackMailer extending CoreApplicationMailer for email delivery
  • Created HTML email template for feedback notifications
  • Added POST /system/feedback route in the /system scope
  • Implemented two-layer security: SSO authentication + shared API token

Related Issues

  • Issue: N/A (internal requirement for Aurora integration)

API Usage

Endpoint: POST /system/feedback

Headers:

Content-Type: application/json
X-Feedback-API-Token: <secret-token>

Request Body:

{
  "feedback": {
    "feedback_message": "User feedback text here",
    "user_metadata": {
      "page_url": "https://...",
      "source": "aurora",
      "browser": "Chrome 120"
    }
  }
}

Success Response (200):

{
  "status": "success",
  "message": "Feedback submitted successfully"
}

Error Response (401):

{
  "status": "error",
  "message": "Unauthorized: Invalid or missing API token"
}

Configuration Required

Environment Variable (Production):

FEEDBACK_API_TOKEN=<shared-secret-token>  # Same token in both Aurora and Elektra

Generate Token:

ruby -rsecurerandom -e 'puts SecureRandom.hex(32)'

Optional Config:

# config/environments/production.rb
config.feedback_recipient_email = 'feedback@sap.com'

Security

  • ✅ Requires SSO authentication (logged-in users only)
  • ✅ Requires API token authorization (restricts to authorized apps)
  • ✅ Uses ActiveSupport::SecurityUtils.secure_compare (timing-attack resistant)
  • ✅ Logs unauthorized access attempts with IP and referer
  • ✅ Token validation optional in development for easier testing

Screenshots (if applicable)

N/A - Backend API endpoint only

Checklist

  • I have performed a self-review of my code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have added tests that prove my fix is effective or that my feature works.
  • New and existing unit tests pass locally with my changes.
  • I have made corresponding changes to the documentation (if applicable).
  • My changes generate no new warnings or errors.

Notes

  • The endpoint is designed for cross-application use (Aurora → Elektra)
  • User information (email, name, ID, domain) is automatically extracted from authenticated session
  • In development mode, API token validation is skipped if FEEDBACK_API_TOKEN is not set
  • Follows same pattern as other system endpoints (/system/health, /system/notifications)

Signed-off-by: Arturo Reuschenbach Puncernau <reuschenbach@gmail.com>
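The two-layer check this PR describes (SSO session first, then the shared X-Feedback-API-Token compared in constant time, with the development-only skip and logging of rejected calls including IP and referer), as an added stand-alone Ruby example. This is not Elektra's FeedbackController and not code from the PR: the names FeedbackAuth, Authorizer, build_feedback, the plain-hash request shape, and the 503 returned when no token is configured outside development are assumptions made here so it runs without Rails, and secure_compare is re-implemented in place of ActiveSupport::SecurityUtils.secure_compare.

```ruby
require "digest"
require "json"
require "logger"
require "stringio"

# Added example (not Elektra's code): the SSO + shared-token check the PR
# describes, with constant-time token comparison, the development-only skip,
# and logging of rejected calls with IP and referer.
module FeedbackAuth
  HEADER = "X-Feedback-API-Token"

  # Constant-time comparison standing in for
  # ActiveSupport::SecurityUtils.secure_compare (assumption: re-implemented so
  # the example runs without Rails). Both sides are hashed first so the loop
  # always runs over 32 bytes and an early exit cannot leak the token length.
  def self.secure_compare(a, b)
    da = Digest::SHA256.digest(a.to_s)
    db = Digest::SHA256.digest(b.to_s)
    da.bytes.zip(db.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  Result = Struct.new(:ok, :status, :message)

  class Authorizer
    # env and configured_token stand in for Rails.env and ENV["FEEDBACK_API_TOKEN"].
    def initialize(env:, configured_token:, logger:)
      @env = env
      @token = configured_token
      @logger = logger
    end

    # request is a plain hash (constructed stand-in for an ActionDispatch
    # request): :user (session user or nil), :headers, :ip, :referer.
    def authorize(request)
      # Layer 1: SSO authentication (authentication_required in the PR).
      return deny(request, "Unauthorized: sign-in required") unless request[:user]

      # Layer 2: shared API token. Skipped only in development when no token is
      # configured, as the PR notes; elsewhere an unconfigured token fails
      # closed (assumption: the PR does not state production behaviour here).
      if @token.nil? || @token.empty?
        return Result.new(true, 200, "OK (token check skipped in development)") if @env == "development"
        return deny(request, "Service Unavailable: FEEDBACK_API_TOKEN not configured", status: 503)
      end

      presented = request.fetch(:headers, {})[HEADER]
      unless presented && FeedbackAuth.secure_compare(presented, @token)
        return deny(request, "Unauthorized: Invalid or missing API token")
      end
      Result.new(true, 200, "Feedback submitted successfully")
    end

    private

    # Rejected calls are logged with IP and referer so abuse shows up in log review.
    def deny(request, message, status: 401)
      @logger.warn("feedback #{status} ip=#{request[:ip]} referer=#{request[:referer].inspect} reason=#{message.inspect}")
      Result.new(false, status, message)
    end
  end

  # Parses the request body documented in the PR and attaches the session
  # user's identity (email, name, id, domain) server-side rather than trusting
  # the client for it. Returns nil for invalid JSON or a blank feedback_message.
  def self.build_feedback(json_body, user)
    data = JSON.parse(json_body)
    fb = data["feedback"]
    return nil unless fb.is_a?(Hash)
    msg = fb["feedback_message"].to_s.strip
    return nil if msg.empty?
    meta = fb["user_metadata"].is_a?(Hash) ? fb["user_metadata"] : {}
    {
      message: msg,
      source: meta["source"], page_url: meta["page_url"], browser: meta["browser"],
      user: user.slice(:email, :name, :id, :domain)
    }
  rescue JSON::ParserError
    nil
  end
end

# Constructed demo run: a logged-in user presenting the wrong token.
if __FILE__ == $PROGRAM_NAME
  log = StringIO.new
  auth = FeedbackAuth::Authorizer.new(env: "production", configured_token: "demo-token", logger: Logger.new(log))
  req = { user: { email: "a@example.com", name: "A", id: 1, domain: "d" },
          headers: { FeedbackAuth::HEADER => "wrong" }, ip: "198.51.100.7", referer: "https://aurora.example/x" }
  puts auth.authorize(req).to_a.inspect
  puts log.string
end
```

Hashing both sides before the byte loop is what keeps the comparison independent of the presented token's length; the fail-closed branch for an unset token outside development is the one behaviour here that the PR leaves unstated, so treat it as a suggestion rather than a description of the controller.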
@ArtieReus ArtieReus requested review from andypf, edda and hgw77 as code owners June 1, 2026 13:37
@ArtieReus ArtieReus changed the title from "feat(feedback): add system-wide feedback endpoint for Aurora integration" to "feat(core): add system-wide feedback endpoint for Aurora integration" Jun 1, 2026
@ArtieReus ArtieReus marked this pull request as draft June 1, 2026 13:39
Comment thread on app/controllers/feedback_controller.rb (marked Fixed)

Signed-off-by: Arturo Reuschenbach Puncernau <reuschenbach@gmail.com>

# 1. API token authentication is required (X-Feedback-API-Token header)
# 2. User authentication is required (authentication_required)
# 3. Rate limiting prevents abuse (check_rate_limit)
skip_before_action :verify_authenticity_token, only: [:create]