feat(server): Gumroad webhook receiver + Postmark email (PR 2)
Wires the second source-adapter (Gumroad) plus the email delivery
that lets the server fulfill a sale end-to-end without operator
intervention.
Auth model: Gumroad doesn't HMAC the body, so we use their
recommended URL-secret pattern (?secret=...). Wrong/missing secret
returns 404 — no signal to a prober that the endpoint exists.
Webhook flow (server/app/routes/webhooks.py):
1. audit-log the raw payload (gumroad_events row) BEFORE anything
else, so a later failure leaves us replayable
2. parse via GumroadAdapter (server/app/adapters/gumroad.py)
3. mint_from_sale — UNIQUE(source, source_order_id) dedups
duplicate webhook retries
4. send the license email
5. mark gumroad_events.processed = true
Always returns 200 once auth passes. Non-2xx would trigger Gumroad's
3-day retry storm; we'd rather record the failure on the audit row
and replay manually after fixing whatever surfaced.
Product → tier mapping is per-source YAML at
server/config/products.yaml (lru_cached). Adding a SKU = edit yaml,
restart api. Unmapped product_id is an error on the audit row, not
a crash.
EmailService (server/app/email.py): provider-agnostic interface with
Postmark as the first implementation. When POSTMARK_TOKEN is unset
the factory returns LoggingEmailService instead, so the webhook
exercises end-to-end before Postmark is provisioned.
48 unit tests (was 21) including:
- Gumroad secret verify with constant-time compare
- Sale parsing: amount-in-cents, name fallback from email,
test=true tagging, missing-required fields, offer codes
- Product mapping lookups
- Email rendering text + HTML, HTML-escapes user input
- Postmark client via httpx.MockTransport (success and 4xx)
- Webhook end-to-end: secret check, audit log, idempotency on
retry, unmapped product, email failure keeps license
Smoke test (server/scripts/smoke.sh) extended to POST a synthetic
Ping payload, verify the row + audit log, prove wrong-secret is
rejected, prove duplicate sale_id stays one row.
SQLite-test compatibility:
- BigInteger primary key uses with_variant(Integer, "sqlite") since
SQLite only autoincrements INTEGER PRIMARY KEY.
- python-multipart pulled in for FastAPI Form parsing.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
71
server/app/products.py
Normal file
71
server/app/products.py
Normal file
@@ -0,0 +1,71 @@
|
||||
"""Storefront product → license tier mapping.
|
||||
|
||||
The mapping lives in ``server/config/products.yaml`` (gitignored
|
||||
for secrets it isn't — it's a routine catalog file) so adding a
|
||||
new SKU is one yaml edit plus a container restart. The lookup is
|
||||
``(source, product_id) -> (tier, years)``.
|
||||
|
||||
Cached at module import. The runtime cost of reloading on every
|
||||
webhook would be trivial, but caching keeps the hot path
|
||||
allocation-free and makes the "edit yaml, restart api" idiom
|
||||
explicit — operators always know exactly when their changes go
|
||||
live.
|
||||
"""
|
||||
|
||||
from __future__ import annotations
|
||||
|
||||
from dataclasses import dataclass
|
||||
from functools import lru_cache
|
||||
from pathlib import Path
|
||||
from typing import Optional
|
||||
|
||||
import yaml
|
||||
|
||||
|
||||
@dataclass(frozen=True)
|
||||
class ProductMapping:
|
||||
tier: str
|
||||
years: int
|
||||
|
||||
|
||||
def _config_path() -> Path:
|
||||
"""Resolve the products config.
|
||||
|
||||
Container layout puts the config at ``/app/config/products.yaml``
|
||||
(the Dockerfile COPYs ``server/config`` to ``/app/config``).
|
||||
For local pytest runs we walk up from this file to ``server/``.
|
||||
"""
|
||||
in_container = Path("/app/config/products.yaml")
|
||||
if in_container.exists():
|
||||
return in_container
|
||||
return Path(__file__).resolve().parent.parent / "config" / "products.yaml"
|
||||
|
||||
|
||||
@lru_cache(maxsize=1)
|
||||
def _table() -> dict[tuple[str, str], ProductMapping]:
|
||||
raw = yaml.safe_load(_config_path().read_text(encoding="utf-8")) or {}
|
||||
table: dict[tuple[str, str], ProductMapping] = {}
|
||||
for source, entries in raw.items():
|
||||
for entry in entries or []:
|
||||
key = (source, str(entry["product_id"]))
|
||||
table[key] = ProductMapping(
|
||||
tier=entry["tier"],
|
||||
years=int(entry.get("years", 1)),
|
||||
)
|
||||
return table
|
||||
|
||||
|
||||
def lookup(source: str, product_id: str) -> Optional[ProductMapping]:
|
||||
"""Return the mapping for *(source, product_id)*, or None if unmapped.
|
||||
|
||||
Returning None (rather than raising) lets the webhook layer
|
||||
decide whether to surface the failure as an audit row vs a
|
||||
user-visible error — we want unmapped sales to be logged, not
|
||||
to crash the handler and trigger Gumroad retry storms.
|
||||
"""
|
||||
return _table().get((source, product_id))
|
||||
|
||||
|
||||
def reload_for_tests() -> None:
|
||||
"""Drop the cache. Tests that mutate the yaml call this."""
|
||||
_table.cache_clear()
|
||||
Reference in New Issue
Block a user