Files
datatools-dev/server/app/models.py
Michael 2bbaba954b feat(server): Gumroad webhook receiver + Postmark email (PR 2)
Wires the second source-adapter (Gumroad) plus the email delivery
that lets the server fulfill a sale end-to-end without operator
intervention.

Auth model: Gumroad doesn't HMAC the body, so we use their
recommended URL-secret pattern (?secret=...). Wrong/missing secret
returns 404 — no signal to a prober that the endpoint exists.

Webhook flow (server/app/routes/webhooks.py):
  1. audit-log the raw payload (gumroad_events row) BEFORE anything
     else, so a later failure leaves us replayable
  2. parse via GumroadAdapter (server/app/adapters/gumroad.py)
  3. mint_from_sale — UNIQUE(source, source_order_id) dedups
     duplicate webhook retries
  4. send the license email
  5. mark gumroad_events.processed = true

Always returns 200 once auth passes. Non-2xx would trigger Gumroad's
3-day retry storm; we'd rather record the failure on the audit row
and replay manually after fixing whatever surfaced.

Product → tier mapping is per-source YAML at
server/config/products.yaml (lru_cached). Adding a SKU = edit yaml,
restart api. Unmapped product_id is an error on the audit row, not
a crash.

EmailService (server/app/email.py): provider-agnostic interface with
Postmark as the first implementation. When POSTMARK_TOKEN is unset
the factory returns LoggingEmailService instead, so the webhook
exercises end-to-end before Postmark is provisioned.

48 unit tests (was 21) including:
- Gumroad secret verify with constant-time compare
- Sale parsing: amount-in-cents, name fallback from email,
  test=true tagging, missing-required fields, offer codes
- Product mapping lookups
- Email rendering text + HTML, HTML-escapes user input
- Postmark client via httpx.MockTransport (success and 4xx)
- Webhook end-to-end: secret check, audit log, idempotency on
  retry, unmapped product, email failure keeps license

Smoke test (server/scripts/smoke.sh) extended to POST a synthetic
Ping payload, verify the row + audit log, prove wrong-secret is
rejected, prove duplicate sale_id stays one row.

SQLite-test compatibility:
- BigInteger primary key uses with_variant(Integer, "sqlite") since
  SQLite only autoincrements INTEGER PRIMARY KEY.
- python-multipart pulled in for FastAPI Form parsing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 01:33:43 +00:00

98 lines
3.8 KiB
Python

"""ORM models for the licenses + gumroad_events tables.
Schema mirrors ``docs/LICENSE-SERVER.md``, generalized so any
``source`` can populate it. The ``(source, source_order_id)``
composite uniqueness key gives idempotent webhook retries — a
storefront firing the same sale twice maps to the same row.
"""
from __future__ import annotations
from datetime import datetime
from typing import Optional
from sqlalchemy import (
JSON,
BigInteger,
DateTime,
Index,
Integer,
Numeric,
String,
UniqueConstraint,
func,
text,
)
from sqlalchemy.dialects.postgresql import JSONB
from sqlalchemy.orm import Mapped, mapped_column
# JSONB on Postgres (indexable, queryable), plain JSON elsewhere
# (SQLite for tests). Same Python interface either way.
_JSON_TYPE = JSON().with_variant(JSONB(), "postgresql")
# SQLite only auto-increments INTEGER PRIMARY KEY (not BIGINT).
# Postgres can autoincrement either, so the variant keeps the
# production migration on BigInteger while tests use Integer.
_PK_TYPE = BigInteger().with_variant(Integer(), "sqlite")
from app.db import Base
class License(Base):
__tablename__ = "licenses"
license_key: Mapped[str] = mapped_column(String, primary_key=True)
name: Mapped[str] = mapped_column(String, nullable=False)
email: Mapped[str] = mapped_column(String, nullable=False)
tier: Mapped[str] = mapped_column(String, nullable=False)
issued_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), nullable=False)
expires_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), nullable=False)
blob: Mapped[str] = mapped_column(String, nullable=False)
source: Mapped[str] = mapped_column(String, nullable=False)
source_order_id: Mapped[Optional[str]] = mapped_column(String, nullable=True)
promotion: Mapped[Optional[str]] = mapped_column(String, nullable=True)
amount_paid: Mapped[Optional[float]] = mapped_column(Numeric(10, 2), nullable=True)
currency: Mapped[Optional[str]] = mapped_column(String(3), nullable=True, server_default=text("'USD'"))
revoked_at: Mapped[Optional[datetime]] = mapped_column(DateTime(timezone=True), nullable=True)
notes: Mapped[Optional[str]] = mapped_column(String, nullable=True)
created_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), nullable=False, server_default=func.now())
updated_at: Mapped[datetime] = mapped_column(
DateTime(timezone=True),
nullable=False,
server_default=func.now(),
onupdate=func.now(),
)
__table_args__ = (
UniqueConstraint("source", "source_order_id", name="uq_licenses_source_order"),
Index("ix_licenses_email_lower", func.lower(text("email"))),
Index("ix_licenses_expires_active", "expires_at", postgresql_where=text("revoked_at IS NULL")),
)
class GumroadEvent(Base):
"""Append-only audit log of every webhook delivery.
Stored regardless of processing outcome so we can replay failed
events, investigate disputes, and reconstruct the customer
record if the ``licenses`` table is ever corrupted.
"""
__tablename__ = "gumroad_events"
id: Mapped[int] = mapped_column(_PK_TYPE, primary_key=True, autoincrement=True)
received_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), nullable=False, server_default=func.now())
event_type: Mapped[str] = mapped_column(String, nullable=False)
order_id: Mapped[Optional[str]] = mapped_column(String, nullable=True)
raw_payload: Mapped[dict] = mapped_column(_JSON_TYPE, nullable=False)
processed: Mapped[bool] = mapped_column(server_default=text("false"), nullable=False)
error: Mapped[Optional[str]] = mapped_column(String, nullable=True)
__table_args__ = (
Index("ix_gumroad_events_order_id", "order_id"),
Index("ix_gumroad_events_unprocessed", "received_at", postgresql_where=text("processed = false")),
)