add Printful webhook endpoint with token verification

New POST /webhooks/printful route with VerifyPrintfulWebhook plug (shared secret token via header or query param). Handles package_shipped, order_failed, order_canceled, product_updated, product_synced, and product_deleted events. Webhook registration via Printful v2 API with token appended to URL. 19 new tests (819 total). Also marks task #28 as done — Printful sync products already include preview mockup images handled by the existing ImageDownloadWorker pipeline. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 09:32:14 +00:00
parent 0cfcb2448e
commit 24d61f7a9e
8 changed files with 519 additions and 8 deletions
--- a/lib/simpleshop_theme_web/controllers/webhook_controller.ex
+++ b/lib/simpleshop_theme_web/controllers/webhook_controller.ex
@@ -33,4 +33,34 @@ defmodule SimpleshopThemeWeb.WebhookController do
        json(conn, %{status: "ok"})
    end
  end
+
+  @doc """
+  Receives Printful webhook events.
+
+  Events:
+  - package_shipped - Package has been shipped
+  - order_failed - Order processing failed
+  - order_canceled - Order was canceled
+  - product_updated - Sync product was updated
+  - product_deleted - Sync product was deleted
+  """
+  def printful(conn, params) do
+    event_type = params["type"]
+    data = params["data"] || %{}
+
+    Logger.info("Received Printful webhook: #{event_type}")
+
+    case Webhooks.handle_printful_event(event_type, data) do
+      :ok ->
+        json(conn, %{status: "ok"})
+
+      {:ok, _} ->
+        json(conn, %{status: "ok"})
+
+      {:error, reason} ->
+        Logger.warning("Printful webhook handling failed: #{inspect(reason)}")
+        # Return 200 to prevent Printful retrying
+        json(conn, %{status: "ok"})
+    end
+  end
 end
--- a/lib/simpleshop_theme_web/plugs/verify_printful_webhook.ex
+++ b/lib/simpleshop_theme_web/plugs/verify_printful_webhook.ex
@@ -0,0 +1,67 @@
+defmodule SimpleshopThemeWeb.Plugs.VerifyPrintfulWebhook do
+  @moduledoc """
+  Verifies Printful webhook requests using a shared secret token.
+
+  Checks the `webhook_secret` stored in the Printful provider connection
+  config against the `X-PF-Webhook-Token` header (or `token` query param
+  as fallback). Can be upgraded to HMAC signature verification once the
+  exact Printful signing format is confirmed.
+
+  Expects raw body cached in conn.assigns[:raw_body] (via CacheRawBody).
+  """
+
+  import Plug.Conn
+  require Logger
+
+  alias SimpleshopTheme.Products
+
+  def init(opts), do: opts
+
+  def call(conn, _opts) do
+    with {:ok, token} <- get_token(conn),
+         {:ok, secret} <- get_webhook_secret(),
+         :ok <- verify_token(token, secret) do
+      conn
+    else
+      {:error, reason} ->
+        Logger.warning("Printful webhook verification failed: #{reason}")
+
+        conn
+        |> put_resp_content_type("application/json")
+        |> send_resp(401, Jason.encode!(%{error: "Invalid token"}))
+        |> halt()
+    end
+  end
+
+  defp get_token(conn) do
+    # Check header first, then query param
+    case get_req_header(conn, "x-pf-webhook-token") do
+      [token] when token != "" ->
+        {:ok, token}
+
+      _ ->
+        case conn.query_params["token"] || conn.params["token"] do
+          token when is_binary(token) and token != "" -> {:ok, token}
+          _ -> {:error, :missing_token}
+        end
+    end
+  end
+
+  defp get_webhook_secret do
+    case Products.get_provider_connection_by_type("printful") do
+      %{config: %{"webhook_secret" => secret}} when is_binary(secret) and secret != "" ->
+        {:ok, secret}
+
+      _ ->
+        {:error, :no_webhook_secret}
+    end
+  end
+
+  defp verify_token(token, secret) do
+    if Plug.Crypto.secure_compare(token, secret) do
+      :ok
+    else
+      {:error, :token_mismatch}
+    end
+  end
+end
--- a/lib/simpleshop_theme_web/router.ex
+++ b/lib/simpleshop_theme_web/router.ex
@@ -24,6 +24,10 @@ defmodule SimpleshopThemeWeb.Router do
    plug SimpleshopThemeWeb.Plugs.VerifyPrintifyWebhook
  end

+  pipeline :printful_webhook do
+    plug SimpleshopThemeWeb.Plugs.VerifyPrintfulWebhook
+  end
+
  pipeline :shop do
    plug :put_root_layout, html: {SimpleshopThemeWeb.Layouts, :shop_root}
    plug SimpleshopThemeWeb.Plugs.LoadTheme
@@ -101,6 +105,12 @@ defmodule SimpleshopThemeWeb.Router do
    post "/printify", WebhookController, :printify
  end

+  scope "/webhooks", SimpleshopThemeWeb do
+    pipe_through [:api, :printful_webhook]
+
+    post "/printful", WebhookController, :printful
+  end
+
  scope "/webhooks", SimpleshopThemeWeb do
    pipe_through [:api]