berrypod/test/berrypod_web/controllers/webhook_controller_test.exs

defmodule BerrypodWeb.WebhookControllerTest do
  use BerrypodWeb.ConnCase

  import Berrypod.ProductsFixtures

  @webhook_secret "test_webhook_secret_123"

  setup do
    _conn =
      provider_connection_fixture(%{
        provider_type: "printify",
        config: %{"shop_id" => "12345", "webhook_secret" => @webhook_secret}
      })

    :ok
  end

  describe "POST /webhooks/printify" do
    test "returns 401 without signature", %{conn: conn} do
      conn =
        conn
        |> put_req_header("content-type", "application/json")
        |> post(~p"/webhooks/printify", %{type: "product:updated"})

      assert json_response(conn, 401)["error"] == "Invalid signature"
    end

    test "returns 401 with invalid signature", %{conn: conn} do
      body = Jason.encode!(%{type: "product:updated", resource: %{id: "123"}})

      conn =
        conn
        |> put_req_header("content-type", "application/json")
        |> put_req_header("x-pfy-signature", "sha256=invalid")
        |> post(~p"/webhooks/printify", body)

      assert json_response(conn, 401)["error"] == "Invalid signature"
    end

    test "accepts valid signature and returns 200", %{conn: conn} do
      body = Jason.encode!(%{type: "product:updated", resource: %{id: "123", shop_id: "12345"}})
      signature = compute_signature(body, @webhook_secret)

      conn =
        conn
        |> put_req_header("content-type", "application/json")
        |> put_req_header("x-pfy-signature", "sha256=#{signature}")
        |> post(~p"/webhooks/printify", body)

      assert json_response(conn, 200)["status"] == "ok"
    end

    test "handles product:updated event", %{conn: conn} do
      body = Jason.encode!(%{type: "product:updated", resource: %{id: "123", shop_id: "12345"}})
      signature = compute_signature(body, @webhook_secret)

      conn =
        conn
        |> put_req_header("content-type", "application/json")
        |> put_req_header("x-pfy-signature", "sha256=#{signature}")
        |> post(~p"/webhooks/printify", body)

      # Should return 200 even if job processing fails (inline mode tries to execute)
      assert json_response(conn, 200)["status"] == "ok"
    end

    test "handles product:deleted event", %{conn: conn} do
      body = Jason.encode!(%{type: "product:deleted", resource: %{id: "456"}})
      signature = compute_signature(body, @webhook_secret)

      conn =
        conn
        |> put_req_header("content-type", "application/json")
        |> put_req_header("x-pfy-signature", "sha256=#{signature}")
        |> post(~p"/webhooks/printify", body)

      assert json_response(conn, 200)["status"] == "ok"
    end

    test "returns 401 when no webhook secret configured", %{conn: conn} do
      # Remove the provider connection to simulate no secret
      Berrypod.Repo.delete_all(Berrypod.Products.ProviderConnection)

      body = Jason.encode!(%{type: "product:updated", resource: %{id: "123"}})
      signature = compute_signature(body, @webhook_secret)

      conn =
        conn
        |> put_req_header("content-type", "application/json")
        |> put_req_header("x-pfy-signature", "sha256=#{signature}")
        |> post(~p"/webhooks/printify", body)

      assert json_response(conn, 401)["error"] == "Invalid signature"
    end
  end

  defp compute_signature(body, secret) do
    :crypto.mac(:hmac, :sha256, secret, body)
    |> Base.encode16(case: :lower)
  end

  describe "POST /webhooks/printful" do
    @printful_secret "printful_test_secret_456"

    setup do
      _conn =
        provider_connection_fixture(%{
          provider_type: "printful",
          config: %{"store_id" => "99999", "webhook_secret" => @printful_secret}
        })

      :ok
    end

    test "returns 401 without token", %{conn: conn} do
      conn =
        conn
        |> put_req_header("content-type", "application/json")
        |> post(~p"/webhooks/printful", %{type: "product_updated"})

      assert json_response(conn, 401)["error"] == "Invalid token"
    end

    test "returns 401 with wrong token", %{conn: conn} do
      conn =
        conn
        |> put_req_header("content-type", "application/json")
        |> put_req_header("x-pf-webhook-token", "wrong_token")
        |> post(~p"/webhooks/printful", %{type: "product_updated"})

      assert json_response(conn, 401)["error"] == "Invalid token"
    end

    test "accepts valid token via header", %{conn: conn} do
      conn =
        conn
        |> put_req_header("content-type", "application/json")
        |> put_req_header("x-pf-webhook-token", @printful_secret)
        |> post(~p"/webhooks/printful", %{type: "product_updated", data: %{}})

      assert json_response(conn, 200)["status"] == "ok"
    end

    test "accepts valid token via query param", %{conn: conn} do
      conn =
        conn
        |> put_req_header("content-type", "application/json")
        |> post(~p"/webhooks/printful?token=#{@printful_secret}", %{
          type: "product_updated",
          data: %{}
        })

      assert json_response(conn, 200)["status"] == "ok"
    end

    test "handles unknown event gracefully", %{conn: conn} do
      conn =
        conn
        |> put_req_header("content-type", "application/json")
        |> put_req_header("x-pf-webhook-token", @printful_secret)
        |> post(~p"/webhooks/printful", %{type: "unknown_event", data: %{}})

      assert json_response(conn, 200)["status"] == "ok"
    end

    test "returns 401 when no webhook secret configured", %{conn: conn} do
      Berrypod.Repo.delete_all(Berrypod.Products.ProviderConnection)

      conn =
        conn
        |> put_req_header("content-type", "application/json")
        |> put_req_header("x-pf-webhook-token", @printful_secret)
        |> post(~p"/webhooks/printful", %{type: "product_updated"})

      assert json_response(conn, 401)["error"] == "Invalid token"
    end
  end
end
rename project from SimpleshopTheme to Berrypod All modules, configs, paths, and references updated. 836 tests pass, zero warnings. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-18 21:23:15 +00:00			`defmodule BerrypodWeb.WebhookControllerTest do`
			`use BerrypodWeb.ConnCase`
feat: add Printify webhook endpoint for real-time product updates - Add /webhooks/printify endpoint with HMAC-SHA256 signature verification - Add Webhooks context to handle product:updated, product:deleted events - Add ProductDeleteWorker for async product deletion - Add webhook API methods to Printify client (create, list, delete) - Add register_webhooks/2 to Printify provider - Add mix register_webhooks task for one-time webhook registration - Cache raw request body in endpoint for signature verification Usage: 1. Generate webhook secret: openssl rand -hex 20 2. Add to provider connection config as "webhook_secret" 3. Register with Printify: mix register_webhooks https://yourshop.com/webhooks/printify Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-31 22:41:15 +00:00
rename project from SimpleshopTheme to Berrypod All modules, configs, paths, and references updated. 836 tests pass, zero warnings. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-18 21:23:15 +00:00			`import Berrypod.ProductsFixtures`
feat: add Printify webhook endpoint for real-time product updates - Add /webhooks/printify endpoint with HMAC-SHA256 signature verification - Add Webhooks context to handle product:updated, product:deleted events - Add ProductDeleteWorker for async product deletion - Add webhook API methods to Printify client (create, list, delete) - Add register_webhooks/2 to Printify provider - Add mix register_webhooks task for one-time webhook registration - Cache raw request body in endpoint for signature verification Usage: 1. Generate webhook secret: openssl rand -hex 20 2. Add to provider connection config as "webhook_secret" 3. Register with Printify: mix register_webhooks https://yourshop.com/webhooks/printify Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-31 22:41:15 +00:00
			`@webhook_secret "test_webhook_secret_123"`

			`setup do`
			`_conn =`
			`provider_connection_fixture(%{`
			`provider_type: "printify",`
			`config: %{"shop_id" => "12345", "webhook_secret" => @webhook_secret}`
			`})`

			`:ok`
			`end`

			`describe "POST /webhooks/printify" do`
			`test "returns 401 without signature", %{conn: conn} do`
			`conn =`
			`conn`
			`\|> put_req_header("content-type", "application/json")`
			`\|> post(~p"/webhooks/printify", %{type: "product:updated"})`

			`assert json_response(conn, 401)["error"] == "Invalid signature"`
			`end`

			`test "returns 401 with invalid signature", %{conn: conn} do`
			`body = Jason.encode!(%{type: "product:updated", resource: %{id: "123"}})`

			`conn =`
			`conn`
			`\|> put_req_header("content-type", "application/json")`
			`\|> put_req_header("x-pfy-signature", "sha256=invalid")`
			`\|> post(~p"/webhooks/printify", body)`

			`assert json_response(conn, 401)["error"] == "Invalid signature"`
			`end`

			`test "accepts valid signature and returns 200", %{conn: conn} do`
			`body = Jason.encode!(%{type: "product:updated", resource: %{id: "123", shop_id: "12345"}})`
			`signature = compute_signature(body, @webhook_secret)`

			`conn =`
			`conn`
			`\|> put_req_header("content-type", "application/json")`
			`\|> put_req_header("x-pfy-signature", "sha256=#{signature}")`
			`\|> post(~p"/webhooks/printify", body)`

			`assert json_response(conn, 200)["status"] == "ok"`
			`end`

			`test "handles product:updated event", %{conn: conn} do`
			`body = Jason.encode!(%{type: "product:updated", resource: %{id: "123", shop_id: "12345"}})`
			`signature = compute_signature(body, @webhook_secret)`

			`conn =`
			`conn`
			`\|> put_req_header("content-type", "application/json")`
			`\|> put_req_header("x-pfy-signature", "sha256=#{signature}")`
			`\|> post(~p"/webhooks/printify", body)`

			`# Should return 200 even if job processing fails (inline mode tries to execute)`
			`assert json_response(conn, 200)["status"] == "ok"`
			`end`

			`test "handles product:deleted event", %{conn: conn} do`
			`body = Jason.encode!(%{type: "product:deleted", resource: %{id: "456"}})`
			`signature = compute_signature(body, @webhook_secret)`

			`conn =`
			`conn`
			`\|> put_req_header("content-type", "application/json")`
			`\|> put_req_header("x-pfy-signature", "sha256=#{signature}")`
			`\|> post(~p"/webhooks/printify", body)`

			`assert json_response(conn, 200)["status"] == "ok"`
			`end`

			`test "returns 401 when no webhook secret configured", %{conn: conn} do`
			`# Remove the provider connection to simulate no secret`
rename project from SimpleshopTheme to Berrypod All modules, configs, paths, and references updated. 836 tests pass, zero warnings. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-18 21:23:15 +00:00			`Berrypod.Repo.delete_all(Berrypod.Products.ProviderConnection)`
feat: add Printify webhook endpoint for real-time product updates - Add /webhooks/printify endpoint with HMAC-SHA256 signature verification - Add Webhooks context to handle product:updated, product:deleted events - Add ProductDeleteWorker for async product deletion - Add webhook API methods to Printify client (create, list, delete) - Add register_webhooks/2 to Printify provider - Add mix register_webhooks task for one-time webhook registration - Cache raw request body in endpoint for signature verification Usage: 1. Generate webhook secret: openssl rand -hex 20 2. Add to provider connection config as "webhook_secret" 3. Register with Printify: mix register_webhooks https://yourshop.com/webhooks/printify Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-31 22:41:15 +00:00
			`body = Jason.encode!(%{type: "product:updated", resource: %{id: "123"}})`
			`signature = compute_signature(body, @webhook_secret)`

			`conn =`
			`conn`
			`\|> put_req_header("content-type", "application/json")`
			`\|> put_req_header("x-pfy-signature", "sha256=#{signature}")`
			`\|> post(~p"/webhooks/printify", body)`

			`assert json_response(conn, 401)["error"] == "Invalid signature"`
			`end`
			`end`

			`defp compute_signature(body, secret) do`
			`:crypto.mac(:hmac, :sha256, secret, body)`
			`\|> Base.encode16(case: :lower)`
			`end`
add Printful webhook endpoint with token verification New POST /webhooks/printful route with VerifyPrintfulWebhook plug (shared secret token via header or query param). Handles package_shipped, order_failed, order_canceled, product_updated, product_synced, and product_deleted events. Webhook registration via Printful v2 API with token appended to URL. 19 new tests (819 total). Also marks task #28 as done — Printful sync products already include preview mockup images handled by the existing ImageDownloadWorker pipeline. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-15 09:32:14 +00:00
			`describe "POST /webhooks/printful" do`
			`@printful_secret "printful_test_secret_456"`

			`setup do`
			`_conn =`
			`provider_connection_fixture(%{`
			`provider_type: "printful",`
			`config: %{"store_id" => "99999", "webhook_secret" => @printful_secret}`
			`})`

			`:ok`
			`end`

			`test "returns 401 without token", %{conn: conn} do`
			`conn =`
			`conn`
			`\|> put_req_header("content-type", "application/json")`
			`\|> post(~p"/webhooks/printful", %{type: "product_updated"})`

			`assert json_response(conn, 401)["error"] == "Invalid token"`
			`end`

			`test "returns 401 with wrong token", %{conn: conn} do`
			`conn =`
			`conn`
			`\|> put_req_header("content-type", "application/json")`
			`\|> put_req_header("x-pf-webhook-token", "wrong_token")`
			`\|> post(~p"/webhooks/printful", %{type: "product_updated"})`

			`assert json_response(conn, 401)["error"] == "Invalid token"`
			`end`

			`test "accepts valid token via header", %{conn: conn} do`
			`conn =`
			`conn`
			`\|> put_req_header("content-type", "application/json")`
			`\|> put_req_header("x-pf-webhook-token", @printful_secret)`
			`\|> post(~p"/webhooks/printful", %{type: "product_updated", data: %{}})`

			`assert json_response(conn, 200)["status"] == "ok"`
			`end`

			`test "accepts valid token via query param", %{conn: conn} do`
			`conn =`
			`conn`
			`\|> put_req_header("content-type", "application/json")`
			`\|> post(~p"/webhooks/printful?token=#{@printful_secret}", %{`
			`type: "product_updated",`
			`data: %{}`
			`})`

			`assert json_response(conn, 200)["status"] == "ok"`
			`end`

			`test "handles unknown event gracefully", %{conn: conn} do`
			`conn =`
			`conn`
			`\|> put_req_header("content-type", "application/json")`
			`\|> put_req_header("x-pf-webhook-token", @printful_secret)`
			`\|> post(~p"/webhooks/printful", %{type: "unknown_event", data: %{}})`

			`assert json_response(conn, 200)["status"] == "ok"`
			`end`

			`test "returns 401 when no webhook secret configured", %{conn: conn} do`
rename project from SimpleshopTheme to Berrypod All modules, configs, paths, and references updated. 836 tests pass, zero warnings. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-18 21:23:15 +00:00			`Berrypod.Repo.delete_all(Berrypod.Products.ProviderConnection)`
add Printful webhook endpoint with token verification New POST /webhooks/printful route with VerifyPrintfulWebhook plug (shared secret token via header or query param). Handles package_shipped, order_failed, order_canceled, product_updated, product_synced, and product_deleted events. Webhook registration via Printful v2 API with token appended to URL. 19 new tests (819 total). Also marks task #28 as done — Printful sync products already include preview mockup images handled by the existing ImageDownloadWorker pipeline. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-02-15 09:32:14 +00:00
			`conn =`
			`conn`
			`\|> put_req_header("content-type", "application/json")`
			`\|> put_req_header("x-pf-webhook-token", @printful_secret)`
			`\|> post(~p"/webhooks/printful", %{type: "product_updated"})`

			`assert json_response(conn, 401)["error"] == "Invalid token"`
			`end`
			`end`
feat: add Printify webhook endpoint for real-time product updates - Add /webhooks/printify endpoint with HMAC-SHA256 signature verification - Add Webhooks context to handle product:updated, product:deleted events - Add ProductDeleteWorker for async product deletion - Add webhook API methods to Printify client (create, list, delete) - Add register_webhooks/2 to Printify provider - Add mix register_webhooks task for one-time webhook registration - Cache raw request body in endpoint for signature verification Usage: 1. Generate webhook secret: openssl rand -hex 20 2. Add to provider connection config as "webhook_secret" 3. Register with Printify: mix register_webhooks https://yourshop.com/webhooks/printify Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-31 22:41:15 +00:00			`end`