feat: add Printify webhook endpoint for real-time product updates

- Add /webhooks/printify endpoint with HMAC-SHA256 signature verification
- Add Webhooks context to handle product:updated, product:deleted events
- Add ProductDeleteWorker for async product deletion
- Add webhook API methods to Printify client (create, list, delete)
- Add register_webhooks/2 to Printify provider
- Add mix register_webhooks task for one-time webhook registration
- Cache raw request body in endpoint for signature verification

Usage:
1. Generate webhook secret: openssl rand -hex 20
2. Add to provider connection config as "webhook_secret"
3. Register with Printify: mix register_webhooks https://yourshop.com/webhooks/printify

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

lib/simpleshop_theme_web/controllers/webhook_controller.ex

@@ -0,0 +1,36 @@
+defmodule SimpleshopThemeWeb.WebhookController do
+  use SimpleshopThemeWeb, :controller
+
+  alias SimpleshopTheme.Webhooks
+
+  require Logger
+
+  @doc """
+  Receives Printify webhook events.
+
+  Events:
+  - product:publish:started - Product publish initiated
+  - product:updated - Product was modified
+  - product:deleted - Product was deleted
+  - shop:disconnected - Shop was disconnected
+  """
+  def printify(conn, params) do
+    event_type = params["type"] || params["event"]
+    resource = params["resource"] || params["data"] || %{}
+
+    Logger.info("Received Printify webhook: #{event_type}")
+
+    case Webhooks.handle_printify_event(event_type, resource) do
+      :ok ->
+        json(conn, %{status: "ok"})
+
+      {:ok, _} ->
+        json(conn, %{status: "ok"})
+
+      {:error, reason} ->
+        Logger.warning("Webhook handling failed: #{inspect(reason)}")
+        # Still return 200 to prevent Printify retrying
+        json(conn, %{status: "ok"})
+    end
+  end
+end

lib/simpleshop_theme_web/endpoint.ex

@@ -54,6 +54,7 @@ defmodule SimpleshopThemeWeb.Endpoint do
   plug Plug.Parsers,
     parsers: [:urlencoded, :multipart, :json],
     pass: ["*/*"],
+    body_reader: {SimpleshopThemeWeb.Plugs.CacheRawBody, :read_body, []},
     json_decoder: Phoenix.json_library()
 
   plug Plug.MethodOverride

lib/simpleshop_theme_web/plugs/cache_raw_body.ex

@@ -0,0 +1,22 @@
+defmodule SimpleshopThemeWeb.Plugs.CacheRawBody do
+  @moduledoc """
+  Custom body reader that caches the raw request body for webhook signature verification.
+  Used with Plug.Parsers :body_reader option.
+  """
+
+  def read_body(conn, opts) do
+    case Plug.Conn.read_body(conn, opts) do
+      {:ok, body, conn} ->
+        conn = Plug.Conn.assign(conn, :raw_body, body)
+        {:ok, body, conn}
+
+      {:more, body, conn} ->
+        existing = conn.assigns[:raw_body] || ""
+        conn = Plug.Conn.assign(conn, :raw_body, existing <> body)
+        {:more, body, conn}
+
+      {:error, reason} ->
+        {:error, reason}
+    end
+  end
+end

lib/simpleshop_theme_web/plugs/verify_printify_webhook.ex

@@ -0,0 +1,63 @@
+defmodule SimpleshopThemeWeb.Plugs.VerifyPrintifyWebhook do
+  @moduledoc """
+  Verifies Printify webhook signatures using HMAC-SHA256.
+
+  Expects:
+  - Raw body cached in conn.assigns[:raw_body]
+  - X-Pfy-Signature header in format "sha256={hex_digest}"
+  - Webhook secret stored in provider connection config
+  """
+
+  import Plug.Conn
+  require Logger
+
+  alias SimpleshopTheme.Products
+
+  def init(opts), do: opts
+
+  def call(conn, _opts) do
+    with {:ok, signature} <- get_signature(conn),
+         {:ok, secret} <- get_webhook_secret(),
+         :ok <- verify_signature(conn.assigns[:raw_body], secret, signature) do
+      conn
+    else
+      {:error, reason} ->
+        Logger.warning("Printify webhook verification failed: #{reason}")
+
+        conn
+        |> put_resp_content_type("application/json")
+        |> send_resp(401, Jason.encode!(%{error: "Invalid signature"}))
+        |> halt()
+    end
+  end
+
+  defp get_signature(conn) do
+    case get_req_header(conn, "x-pfy-signature") do
+      ["sha256=" <> hex_digest] -> {:ok, hex_digest}
+      [_other] -> {:error, :invalid_signature_format}
+      [] -> {:error, :missing_signature}
+    end
+  end
+
+  defp get_webhook_secret do
+    case Products.get_provider_connection_by_type("printify") do
+      %{config: %{"webhook_secret" => secret}} when is_binary(secret) and secret != "" ->
+        {:ok, secret}
+
+      _ ->
+        {:error, :no_webhook_secret}
+    end
+  end
+
+  defp verify_signature(body, secret, expected_hex) do
+    computed =
+      :crypto.mac(:hmac, :sha256, secret, body || "")
+      |> Base.encode16(case: :lower)
+
+    if Plug.Crypto.secure_compare(computed, String.downcase(expected_hex)) do
+      :ok
+    else
+      {:error, :signature_mismatch}
+    end
+  end
+end

lib/simpleshop_theme_web/router.ex

@@ -17,6 +17,10 @@ defmodule SimpleshopThemeWeb.Router do
     plug :accepts, ["json"]
   end
 
+  pipeline :printify_webhook do
+    plug SimpleshopThemeWeb.Plugs.VerifyPrintifyWebhook
+  end
+
   pipeline :shop do
     plug :put_root_layout, html: {SimpleshopThemeWeb.Layouts, :shop_root}
     plug SimpleshopThemeWeb.Plugs.LoadTheme
@@ -46,10 +50,12 @@ defmodule SimpleshopThemeWeb.Router do
     get "/:id/recolored/:color", ImageController, :recolored_svg
   end
 
-  # Other scopes may use custom stacks.
-  # scope "/api", SimpleshopThemeWeb do
-  #   pipe_through :api
-  # end
+  # Webhook endpoints (no CSRF, signature verified)
+  scope "/webhooks", SimpleshopThemeWeb do
+    pipe_through [:api, :printify_webhook]
+
+    post "/printify", WebhookController, :printify
+  end
 
   # Enable LiveDashboard and Swoosh mailbox preview in development
   if Application.compile_env(:simpleshop_theme, :dev_routes) do