Wires the second source-adapter (Gumroad) plus the email delivery
that lets the server fulfill a sale end-to-end without operator
intervention.
Auth model: Gumroad doesn't HMAC the body, so we use their
recommended URL-secret pattern (?secret=...). Wrong/missing secret
returns 404 — no signal to a prober that the endpoint exists.
Webhook flow (server/app/routes/webhooks.py):
1. audit-log the raw payload (gumroad_events row) BEFORE anything
else, so a later failure leaves us replayable
2. parse via GumroadAdapter (server/app/adapters/gumroad.py)
3. mint_from_sale — UNIQUE(source, source_order_id) dedups
duplicate webhook retries
4. send the license email
5. mark gumroad_events.processed = true
Always returns 200 once auth passes. Non-2xx would trigger Gumroad's
3-day retry storm; we'd rather record the failure on the audit row
and replay manually after fixing whatever surfaced.
Product → tier mapping is per-source YAML at
server/config/products.yaml (lru_cached). Adding a SKU = edit yaml,
restart api. Unmapped product_id is an error on the audit row, not
a crash.
EmailService (server/app/email.py): provider-agnostic interface with
Postmark as the first implementation. When POSTMARK_TOKEN is unset
the factory returns LoggingEmailService instead, so the webhook
exercises end-to-end before Postmark is provisioned.
48 unit tests (was 21) including:
- Gumroad secret verify with constant-time compare
- Sale parsing: amount-in-cents, name fallback from email,
test=true tagging, missing-required fields, offer codes
- Product mapping lookups
- Email rendering text + HTML, HTML-escapes user input
- Postmark client via httpx.MockTransport (success and 4xx)
- Webhook end-to-end: secret check, audit log, idempotency on
retry, unmapped product, email failure keeps license
Smoke test (server/scripts/smoke.sh) extended to POST a synthetic
Ping payload, verify the row + audit log, prove wrong-secret is
rejected, prove duplicate sale_id stays one row.
SQLite-test compatibility:
- BigInteger primary key uses with_variant(Integer, "sqlite") since
SQLite only autoincrements INTEGER PRIMARY KEY.
- python-multipart pulled in for FastAPI Form parsing.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
44 lines
1.3 KiB
YAML
44 lines
1.3 KiB
YAML
# Smoke-test compose. Stands the API + Postgres up in isolation,
|
|
# exercises a mint, tears everything down (volume included). Never
|
|
# meant for production — for that see docs/SETUP-LICENSE-SERVER.md.
|
|
#
|
|
# Ports map to 127.0.0.1 only so it can run on a host that already
|
|
# binds 5432 / 8090 to something else.
|
|
|
|
services:
|
|
postgres:
|
|
image: postgres:16-alpine
|
|
environment:
|
|
POSTGRES_DB: dt_test
|
|
POSTGRES_USER: dt_test
|
|
POSTGRES_PASSWORD: test_pw
|
|
ports:
|
|
- "127.0.0.1:15432:5432"
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "pg_isready -U dt_test -d dt_test"]
|
|
interval: 2s
|
|
timeout: 2s
|
|
retries: 20
|
|
|
|
api:
|
|
build:
|
|
context: ..
|
|
dockerfile: server/Dockerfile
|
|
depends_on:
|
|
postgres:
|
|
condition: service_healthy
|
|
environment:
|
|
DATABASE_URL: postgresql+psycopg://dt_test:test_pw@postgres:5432/dt_test
|
|
DATATOOLS_ADMIN_TOKEN: test-admin-token
|
|
GUMROAD_WEBHOOK_SECRET: test-gumroad-secret
|
|
# No DATATOOLS_LICENSE_PRIVKEY — falls back to the in-tree
|
|
# dev keypair, matching what the desktop dev build expects.
|
|
# No POSTMARK_TOKEN — falls back to LoggingEmailService.
|
|
ports:
|
|
- "127.0.0.1:18090:8000"
|
|
healthcheck:
|
|
test: ["CMD", "curl", "--fail", "--silent", "http://localhost:8000/health"]
|
|
interval: 5s
|
|
timeout: 3s
|
|
retries: 10
|