Wires the second source-adapter (Gumroad) plus the email delivery
that lets the server fulfill a sale end-to-end without operator
intervention.
Auth model: Gumroad doesn't HMAC the body, so we use their
recommended URL-secret pattern (?secret=...). Wrong/missing secret
returns 404 — no signal to a prober that the endpoint exists.
Webhook flow (server/app/routes/webhooks.py):
1. audit-log the raw payload (gumroad_events row) BEFORE anything
else, so a later failure leaves us replayable
2. parse via GumroadAdapter (server/app/adapters/gumroad.py)
3. mint_from_sale — UNIQUE(source, source_order_id) dedups
duplicate webhook retries
4. send the license email
5. mark gumroad_events.processed = true
Always returns 200 once auth passes. Non-2xx would trigger Gumroad's
3-day retry storm; we'd rather record the failure on the audit row
and replay manually after fixing whatever surfaced.
Product → tier mapping is per-source YAML at
server/config/products.yaml (lru_cached). Adding a SKU = edit yaml,
restart api. Unmapped product_id is an error on the audit row, not
a crash.
EmailService (server/app/email.py): provider-agnostic interface with
Postmark as the first implementation. When POSTMARK_TOKEN is unset
the factory returns LoggingEmailService instead, so the webhook
exercises end-to-end before Postmark is provisioned.
48 unit tests (was 21) including:
- Gumroad secret verify with constant-time compare
- Sale parsing: amount-in-cents, name fallback from email,
test=true tagging, missing-required fields, offer codes
- Product mapping lookups
- Email rendering text + HTML, HTML-escapes user input
- Postmark client via httpx.MockTransport (success and 4xx)
- Webhook end-to-end: secret check, audit log, idempotency on
retry, unmapped product, email failure keeps license
Smoke test (server/scripts/smoke.sh) extended to POST a synthetic
Ping payload, verify the row + audit log, prove wrong-secret is
rejected, prove duplicate sale_id stays one row.
SQLite-test compatibility:
- BigInteger primary key uses with_variant(Integer, "sqlite") since
SQLite only autoincrements INTEGER PRIMARY KEY.
- python-multipart pulled in for FastAPI Form parsing.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
104 lines
3.0 KiB
Python
104 lines
3.0 KiB
Python
"""EmailService — Postmark client + dev-mode logging fallback."""
|
|
|
|
from __future__ import annotations
|
|
|
|
import logging
|
|
from unittest.mock import patch
|
|
|
|
import httpx
|
|
import pytest
|
|
|
|
from app.email import (
|
|
EmailDeliveryError,
|
|
LicenseEmail,
|
|
LoggingEmailService,
|
|
PostmarkEmailService,
|
|
_render_html,
|
|
_render_text,
|
|
get_email_service,
|
|
)
|
|
|
|
|
|
def _msg() -> LicenseEmail:
|
|
return LicenseEmail(
|
|
to_name="Jane Doe",
|
|
to_email="jane@example.com",
|
|
tier="core",
|
|
license_key="DT1-CORE-aaaa-bbbb",
|
|
expires_at_iso="2027-05-14T01:00:00Z",
|
|
blob="DTLIC2:placeholder",
|
|
)
|
|
|
|
|
|
def test_render_text_contains_essentials():
|
|
body = _render_text(_msg())
|
|
assert "Jane Doe" in body
|
|
assert "DTLIC2:placeholder" in body
|
|
assert "DT1-CORE-aaaa-bbbb" in body
|
|
assert "core" in body
|
|
assert "2027-05-14" in body
|
|
|
|
|
|
def test_render_html_escapes_user_input():
|
|
msg = LicenseEmail(
|
|
to_name="<script>alert(1)</script>",
|
|
to_email="x@y.com",
|
|
tier="core",
|
|
license_key="K",
|
|
expires_at_iso="2030-01-01T00:00:00Z",
|
|
blob="DTLIC2:x",
|
|
)
|
|
html = _render_html(msg)
|
|
assert "<script>" not in html
|
|
assert "<script>" in html
|
|
|
|
|
|
def test_logging_service_writes_to_log(caplog):
|
|
caplog.set_level(logging.INFO)
|
|
svc = LoggingEmailService()
|
|
result = svc.send_license(_msg())
|
|
assert result == "logged"
|
|
log_text = "\n".join(r.message for r in caplog.records)
|
|
assert "would send" in log_text
|
|
assert "jane@example.com" in log_text
|
|
assert "DTLIC2:placeholder" in log_text
|
|
|
|
|
|
def test_factory_returns_logging_when_no_token(monkeypatch):
|
|
monkeypatch.delenv("POSTMARK_TOKEN", raising=False)
|
|
monkeypatch.delenv("POSTMARK_TOKEN_FILE", raising=False)
|
|
from app.config import get_settings
|
|
get_settings.cache_clear()
|
|
svc = get_email_service()
|
|
assert isinstance(svc, LoggingEmailService)
|
|
|
|
|
|
def test_postmark_send_success():
|
|
svc = PostmarkEmailService("test-token", sender="from@example.com")
|
|
|
|
def handler(request: httpx.Request) -> httpx.Response:
|
|
body = request.read().decode()
|
|
assert "from@example.com" in body
|
|
assert "jane@example.com" in body
|
|
assert "DTLIC2:placeholder" in body
|
|
return httpx.Response(200, json={"MessageID": "pm-12345"})
|
|
|
|
transport = httpx.MockTransport(handler)
|
|
_real_client = httpx.Client
|
|
with patch("app.email.httpx.Client", lambda **kw: _real_client(transport=transport, **kw)):
|
|
msg_id = svc.send_license(_msg())
|
|
assert msg_id == "pm-12345"
|
|
|
|
|
|
def test_postmark_send_raises_on_failure():
|
|
svc = PostmarkEmailService("test-token", sender="from@example.com")
|
|
|
|
def handler(request: httpx.Request) -> httpx.Response:
|
|
return httpx.Response(422, json={"Message": "Invalid sender"})
|
|
|
|
transport = httpx.MockTransport(handler)
|
|
_real_client = httpx.Client
|
|
with patch("app.email.httpx.Client", lambda **kw: _real_client(transport=transport, **kw)):
|
|
with pytest.raises(EmailDeliveryError, match="422"):
|
|
svc.send_license(_msg())
|