webhookdb 0.1.0

data/lib/webhookdb/api/install.rb

@@ -0,0 +1,296 @@
+# frozen_string_literal: true
+
+require "webhookdb/api"
+require "webhookdb/oauth"
+require "webhookdb/service/view_api"
+
+class Webhookdb::API::Install < Webhookdb::API::V1
+  include Webhookdb::Service::ViewApi
+
+  namespace :install do
+    helpers do
+      def lookup_session!
+        session = Webhookdb::Oauth::Session.usable.where(oauth_state: params[:state]).first
+        forbidden! unless session
+        return session
+      end
+
+      def handle_login(email:, session:, action_url:)
+        new_customer, me = Webhookdb::Customer.find_or_create_for_email(email)
+        me.reset_codes_dataset.usable.each(&:expire!)
+        me.add_reset_code(transport: "email")
+        session.update(customer: me)
+        rendered = render_liquid(
+          "messages/web/install-customer-login.liquid",
+          serialize_view_params: true,
+          vars: {
+            view: "otp",
+            action_url:,
+            oauth_state: session.oauth_state,
+            new_customer:,
+            email:,
+          },
+        )
+        status 200
+        body rendered
+      end
+
+      def find_and_verify_user(email:, otp_token:)
+        (me = Webhookdb::Customer.with_email(email)) or forbidden!
+        begin
+          Webhookdb::Customer::ResetCode.use_code_with_token(otp_token) do |code|
+            raise Webhookdb::Customer::ResetCode::Unusable unless code.customer === me
+          end
+        rescue Webhookdb::Customer::ResetCode::Unusable
+          raise FormError.new("Sorry, that token is invalid. Please try again.", 403)
+        end
+        return me
+      end
+    end
+
+    route_param :oauth_provider, type: String, values: Webhookdb::Oauth.registry.keys do
+      helpers do
+        def oauth_provider
+          return @oauth_provider ||= Webhookdb::Oauth.provider(params[:oauth_provider])
+        end
+
+        def finish_org_setup(organization:, tokens:, scope:)
+          organization.prepare_database_connections?
+          oauth_provider.build_marketplace_integrations(organization:, tokens:, scope:)
+          rendered = render_liquid(
+            "messages/web/install-success.liquid",
+            serialize_view_params: true,
+            vars: {
+              app_name: oauth_provider.app_name,
+              database_url: organization.readonly_connection_url,
+              supports_webhooks: oauth_provider.supports_webhooks?,
+            },
+          )
+          status 200
+          body rendered
+        end
+
+        def exchange_authorization_code(code)
+          return oauth_provider.exchange_authorization_code(code:)
+        rescue Webhookdb::Http::Error => e
+          logger.warn "oauth_exchange_error", exception: e
+          raise FormError.new(
+            "Something went wrong getting your access token from #{oauth_provider.app_name}. Please start over",
+            400,
+          )
+        end
+
+        def find_admin_membership(customer)
+          _created, membership = Webhookdb::Customer.find_or_create_default_organization(customer)
+          membership = customer.verified_memberships.find(&:admin?) unless membership.admin?
+          return membership if membership
+          raise FormError.new(
+            "You must be an administrator of your WebhookDB organization to set up this app.",
+            403,
+          )
+        end
+      end
+
+      get do
+        rendered = render_liquid(
+          "messages/web/install.liquid",
+          serialize_view_params: true,
+          vars: {app_name: oauth_provider.app_name, action_url: "/v1/install/#{oauth_provider.key}"},
+        )
+        status 200
+        body rendered
+      end
+
+      post do
+        oauth_state = SecureRandom.hex(16)
+        Webhookdb::Oauth::Session.create(
+          oauth_state:,
+          **Webhookdb::Oauth::Session.params_for_request(request),
+        )
+        auth_url = oauth_provider.authorization_url(state: oauth_state)
+        redirect auth_url
+      end
+
+      params do
+        requires :code, type: String, desc: "Authorization code that we exchange for tokens."
+        requires :state, type: String, desc: "The user session info string that we provided to the oauth flow."
+      end
+      get :callback do
+        session = lookup_session!
+        code = params[:code]
+        if oauth_provider.requires_webhookdb_auth?
+          session.update(authorization_code: code)
+          redirect "/v1/install/#{oauth_provider.key}/login?state=#{session.oauth_state}"
+        else
+          scope = {}
+          # Order of operations here is:
+          # - Exchange token. We need the token to create the customer so it comes first.
+          # - Create the customer, find the membership, and create replicators.
+          # - If this last step fails, the code becomes invalid, which is annoying,
+          #   but should be rare and not a big deal to start over.
+          tokens = exchange_authorization_code(code)
+          session.db.transaction do
+            _created, customer = oauth_provider.find_or_create_customer(tokens:, scope:)
+            membership = find_admin_membership(customer)
+            finish_org_setup(organization: membership.organization, tokens:, scope:)
+            session.update(customer:, used_at: Time.now, authorization_code: code)
+          end
+        end
+      end
+
+      params do
+        requires :state, type: String
+      end
+      get :login do
+        session = lookup_session!
+        rendered = render_liquid(
+          "messages/web/install-customer-login.liquid",
+          serialize_view_params: true,
+          vars: {
+            view: "email",
+            action_url: "/v1/install/#{oauth_provider.key}/login",
+            oauth_state: session.oauth_state,
+          },
+        )
+        status 200
+        body rendered
+      end
+
+      params do
+        requires :state, type: String, desc: "the user session info string that we provided to Front"
+        optional :email, type: String
+        optional :otp_token, type: String
+      end
+      post :login do
+        session = lookup_session!
+        email = params[:email]
+        raise FormError.new("Email is required", 400) unless email.present?
+        otp_token = params[:otp_token]
+        if otp_token
+          # Order of operations here is:
+          # - Verify the OTP
+          # - Make sure we can find a valid admin membership
+          # - Only then do we exchange the token.
+          # - Setup replicators.
+          customer = find_and_verify_user(email:, otp_token:)
+          membership = find_admin_membership(customer)
+          tokens = exchange_authorization_code(session.authorization_code)
+          session.db.transaction do
+            finish_org_setup(organization: membership.organization, tokens:, scope: {})
+            session.update(used_at: Time.now)
+          end
+        else
+          handle_login(email:, session:, action_url: "/v1/install/#{oauth_provider.key}/login")
+        end
+      end
+    end
+
+    resource :front do
+      post :webhook do
+        is_initial_request = request.headers["X-Front-Challenge"].present?
+        if is_initial_request
+          whresp = Webhookdb::Front.initial_verification_request_response(request)
+          s_status, s_headers, s_body = whresp.to_rack
+          s_headers.each { |k, v| header k, v }
+          if s_headers["Content-Type"] == "application/json"
+            body Oj.load(s_body)
+          else
+            env["api.format"] = :binary
+            body s_body
+          end
+          status s_status
+          break
+        end
+
+        resource_url = params.dig(:payload, :_links, :self)
+        handle_webhook_request("front_marketplace_host-#{resource_url || '?'}") do
+          if resource_url.nil?
+            logger.warn "front_webhook_empty_resource_url"
+            status 200
+            present({message: "unregistered/empty app"})
+            next :pass
+          end
+
+          # In cases where there is a change to a message, the event payload will have a "target" object and that object
+          # will have a "type" of "message". In cases where there is a change to a conversation, there will be no
+          # "target" object. In these cases the conversation resource is in the event as the "conversation" object.
+          target_type = params.dig(:payload, :target, :_meta, :type) || "conversation"
+          service_name = "front_#{target_type}_v1"
+          api_url = URI.parse(resource_url).host
+          unless (root_sint = Webhookdb::ServiceIntegration[service_name: "front_marketplace_root_v1", api_url:])
+            logger.warn "front_webhook_unregistered_app", front_api_url: api_url
+            status 200
+            present({message: "unregistered app"})
+            next :pass
+          end
+
+          handling_sint = root_sint.recursive_dependents.find { |d| d.service_name == service_name }
+          if handling_sint.nil?
+            logger.warn "front_webhook_invalid_topic", front_api_url: api_url, front_topic: target_type
+            status 200
+            present({message: "invalid topic"})
+            next :pass
+          end
+          next handling_sint
+        end
+      end
+    end
+
+    resource :intercom do
+      post :webhook do
+        # Because the `_webhook_response` function is always the same here, I'm wondering if it's even
+        # advisable to do the integration lookup before performing a webhook verification when we don't
+        # need that info. Something to consider upon refactor
+
+        handle_webhook_request("intercom_marketplace_appid-#{params[:app_id] || '?'}") do
+          app_id = params[:app_id]
+          root_sint = Webhookdb::ServiceIntegration[service_name: "intercom_marketplace_root_v1", api_url: app_id]
+          if root_sint.nil?
+            logger.warn "intercom_webhook_unregistered_app", intercom_app_id: app_id
+            status 200
+            present({message: "unregistered app"})
+            next :pass
+          end
+          # Notification topics are formatted like "{model}.{thing that happened}" (e.g. "contact.created")
+          # to get the model type of the notification, for our purposes we can just grab that first chunk
+          type = params[:topic].split(".")[0]
+          handling_type = "intercom_#{type}_v1"
+          unless (handling_sint = root_sint.recursive_dependents.find { |d| d.service_name == handling_type })
+            logger.warn "intercom_webhook_invalid_topic", intercom_app_id: app_id, intercom_topic: params[:topic]
+            status 200
+            present({message: "invalid topic"})
+            next :pass
+          end
+          next handling_sint
+        end
+      end
+
+      params do
+        requires :app_id
+      end
+      post :uninstall do
+        # TODO: Verify the headers are valid
+        # We want to delete all the integrations associated with the app_id.
+        root_sint = Webhookdb::ServiceIntegration[service_name: "intercom_marketplace_root_v1",
+                                                  api_url: params["app_id"]]
+        root_sint.destroy_self_and_all_dependents
+        status 200
+        present({o: "k"})
+      end
+
+      params do
+        requires :workspace_id
+      end
+      post :health do
+        # TODO: Verify the headers are valid
+        # For now we are just returning "OK" per the specification:
+        # https://developers.intercom.com/docs/build-an-integration/learn-more/installation-health-check
+        # An interesting point is that this endpoint recieves a value called "workspace_id" but it is
+        # identical to the "app_id" value we get from the `/me` endpoint. It just has a different name here, for
+        # some reason.
+        status 200
+        present({state: "OK"})
+      end
+    end
+  end
+end

data/lib/webhookdb/api/me.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require "grape"
+
+require "webhookdb/api"
+
+class Webhookdb::API::Me < Webhookdb::API::V1
+  resource :me do
+    desc "Return the current customer"
+    get do
+      customer = current_customer
+      present customer, with: Webhookdb::API::CurrentCustomerEntity, env:
+    end
+
+    resource :organization_memberships do
+      desc "Return all organizations the customer is part of."
+      params do
+        optional :active_org_identifier
+      end
+      get do
+        customer = current_customer
+        active_org_ids = Webhookdb::Organization.with_identifier(params[:active_org_identifier]).select_map(:id)
+        memberships, invited = Webhookdb::OrganizationMembership.where(customer:).all.partition(&:verified)
+        blocks = Webhookdb::Formatting.blocks
+        unless memberships.empty?
+          blocks.line("You are a member of the following organizations:")
+          blocks.blank
+          # the word "Status" here is referring to whether the org is "active" in the CLI. This designation
+          # is added by the client
+          rows = memberships.map do |m|
+            cli_status = active_org_ids.include?(m.organization_id) ? "active" : ""
+            [m.organization.name, m.organization.key, m.status, cli_status]
+          end
+          blocks.table(["Name", "Key", "Role", "Status"], rows)
+        end
+        blocks.blank if memberships.present? && invited.present?
+        unless invited.empty?
+          blocks.line("You have been invited to the following organizations:")
+          blocks.blank
+          rows = invited.map do |m|
+            [m.organization.name, m.organization.key, m.invitation_code]
+          end
+          blocks.table(["Name", "Key", "Join Code"], rows)
+          blocks.blank
+          blocks.line("To join an invited org, use: webhookdb org join [join code]")
+        end
+        blocks.line("You aren't affiliated with any organizations yet.") if memberships.empty? && invited.empty?
+        r = {blocks: blocks.as_json}
+        present r
+      end
+    end
+  end
+end

data/lib/webhookdb/api/organizations.rb

@@ -0,0 +1,254 @@
+# frozen_string_literal: true
+
+require "grape"
+
+require "webhookdb/api"
+require "webhookdb/admin_api"
+
+class Webhookdb::API::Organizations < Webhookdb::API::V1
+  include Webhookdb::Service::Types
+
+  resource :organizations do
+    route_param :org_identifier, type: String do
+      helpers do
+        def check_self_role_modification!(email)
+          return unless email == current_customer.email
+          return if params.key?(:guard_confirm)
+          Webhookdb::API::Helpers.prompt_for_required_param!(
+            request,
+            :guard_confirm,
+            "WARNING: You are modifying your own permissions. Enter to proceed, or Ctrl+C to quit:",
+          )
+        end
+
+        # If the current customer is the last admin of the org, we cannot allow them to remove themselves,
+        # since the org would have no admins.
+        def roll_back_if_no_admins!(org)
+          has_admins = !org.verified_memberships_dataset.
+            where(membership_role: Webhookdb::Role.admin_role).
+            empty?
+          return if has_admins
+          msg = "Sorry, you are the last admin in #{org.name} and cannot remove yourself. " \
+                "If you want to close down this org, Use 'webhookdb org close'"
+          merror!(409, msg, code: "remove_last_admin", rollback_db: org.db)
+        end
+      end
+
+      desc "Return organization with the given identifier."
+      get do
+        _customer = current_customer
+        org = lookup_org!
+        present org, with: Webhookdb::API::OrganizationEntity
+      end
+
+      resource :members do
+        desc "Return all customers associated with the organization"
+        get do
+          org_memberships = lookup_org!.all_memberships
+          present_collection org_memberships, with: Webhookdb::API::OrganizationMembershipEntity
+        end
+      end
+
+      resource :services do
+        desc "Returns a list of all available services."
+        get do
+          _customer = current_customer
+          org = lookup_org!
+          fake_entities = org.available_replicator_names.sort.map { |name| {name:} }
+          message = "Run `webhookdb integrations create [service name]` to start replicating data to your database."
+          present_collection fake_entities, with: Webhookdb::API::ServiceEntity, message:
+        end
+      end
+
+      desc "Generates an invitation code for a user, adds pending membership in the organization."
+      params do
+        optional :email, type: String, coerce_with: NormalizedEmail,
+                         prompt: "Enter the email to send the invitation to:"
+        optional :role_name,
+                 type: String,
+                 values: Webhookdb::OrganizationMembership::VALID_ROLE_NAMES,
+                 default: "member"
+      end
+      post :invite do
+        customer = current_customer
+        org = lookup_org!
+        ensure_admin!
+        customer.db.transaction do
+          email = params[:email]
+          # cannot use find_or_create_or_find here because all customers must be created with a random password,
+          # which can't be included in find parameters
+          invitee = Webhookdb::Customer[email:] ||
+            Webhookdb::Customer.create(email:, password: SecureRandom.hex(8))
+
+          membership = org.all_memberships_dataset[customer: invitee]
+          merror!(400, "That person is already a member of the organization.") if membership&.verified?
+
+          membership ||= Webhookdb::OrganizationMembership.new(
+            verified: false,
+            organization: org,
+            customer: invitee,
+          )
+          membership.membership_role = Webhookdb::Role.find_or_create_or_find(name: params[:role_name])
+          membership.invitation_code = "join-" + SecureRandom.hex(4)
+          membership.save_changes
+
+          membership.publish_deferred("invite", membership.id)
+          message = "An invitation to organization #{org.name} has been sent to #{email}.\n" \
+                    "Their invite code is:\n  #{membership.invitation_code}"
+          status 200
+          present membership, with: Webhookdb::API::OrganizationMembershipEntity, message:
+        end
+      end
+
+      desc "Allows organization admin to remove customer from an organization"
+      params do
+        optional :email, type: String, coerce_with: NormalizedEmail,
+                         prompt: "Enter the email of the member you are removing permissions from:"
+        optional :guard_confirm
+      end
+      post :remove_member do
+        customer = current_customer
+        org = lookup_org!
+        ensure_admin!
+        email = params[:email]
+        check_self_role_modification!(params[:email])
+        customer.db.transaction do
+          to_delete = org.all_memberships_dataset.where(customer: Webhookdb::Customer[email:])
+          merror!(400, "That user is not a member of #{org.name}.") if to_delete.empty?
+          to_delete.delete
+          roll_back_if_no_admins!(org)
+          status 200
+          present({}, with: Webhookdb::AdminAPI::BaseEntity,
+                      message: "#{email} is no longer a part of #{org.name}.",)
+        end
+      end
+
+      desc "Updates the field on an org."
+      params do
+        requires :field, type: String
+        requires :value, type: String
+      end
+      post :update do
+        customer = current_customer
+        org = lookup_org!
+        ensure_admin!
+        field_name = params[:field].downcase
+        unless org.cli_editable_fields.include?(field_name)
+          merror!(403, "That field is not editable from the command line")
+        end
+        customer.db.transaction do
+          org.send(:"#{field_name}=", params[:value])
+          org.save_changes
+          status 200
+          present org, with: Webhookdb::API::OrganizationEntity,
+                       message: "You have successfully updated the organization #{org.name}."
+        end
+      end
+
+      desc "Allows organization admin to change customer's role in an organization"
+      params do
+        optional :emails, type: [String], coerce_with: CommaSepArray,
+                          prompt: "Enter the emails to modify the roles of as a comma-separated list:"
+        optional :role_name, type: String, values: Webhookdb::OrganizationMembership::VALID_ROLE_NAMES,
+                             prompt: "Enter the name of the role to assign " \
+                                     "(#{Webhookdb::OrganizationMembership::VALID_ROLE_NAMES.join(', ')}): "
+        optional :guard_confirm
+      end
+      post :change_roles do
+        customer = current_customer
+        org = lookup_org!
+        ensure_admin!
+        params[:emails].each { |e| check_self_role_modification!(e) }
+        customer.db.transaction do
+          new_role = Webhookdb::Role.find_or_create_or_find(name: params[:role_name])
+          memberships = org.all_memberships_dataset.where(customer: Webhookdb::Customer.where(email: params[:emails]))
+          merror!(400, "Those emails do not belong to members of #{org.name}.") if memberships.empty?
+          memberships.update(membership_role_id: new_role.id)
+          roll_back_if_no_admins!(org)
+          message = "Success! These users have now been assigned the role of #{new_role.name} in #{org.name}."
+          status 200
+          present_collection memberships, with: Webhookdb::API::OrganizationMembershipEntity, message:
+        end
+      end
+
+      desc "Allow organization admin to change the name of the organization"
+      params do
+        optional :name, type: String, prompt: "Enter the new organization name:"
+      end
+      post :rename do
+        customer = current_customer
+        org = lookup_org!
+        ensure_admin!
+        customer.db.transaction do
+          prev_name = org.name
+          org.name = params[:name]
+          org.save_changes
+          status 200
+          present org, with: Webhookdb::API::OrganizationEntity,
+                       message: "The organization '#{org.key}' has been renamed from '#{prev_name}' to '#{org.name}'."
+        end
+      end
+
+      desc "Request closure of an organization"
+      post :close do
+        org = lookup_org!
+        c = current_customer
+        ensure_admin!(org, customer: c)
+        Webhookdb::DeveloperAlert.new(
+          subsystem: "Close Account",
+          emoji: ":no_pedestrians:",
+          fallback: "Org #{org.key} requested removal",
+          fields: [
+            {title: "Org Key", value: org.key, short: true},
+            {title: "Org Name", value: org.name, short: true},
+            {title: "Customer", value: "(#{c.id}) #{c.email}", short: false},
+          ],
+        ).emit
+        step = Webhookdb::Replicator::StateMachineStep.new.completed
+        step.output = "Thanks! We've received the request to close your #{org.name} organization. " \
+                      "We'll be in touch within 2 business days confirming removal."
+        status 200
+        present step, with: Webhookdb::API::StateMachineEntity
+      end
+    end
+
+    desc "Creates a new organization and adds current customer as a member."
+    params do
+      optional :name, type: String, prompt: "Enter the name of the organization:"
+    end
+    post :create do
+      customer = current_customer
+      customer.db.transaction do
+        new_org = Webhookdb::Organization.create_if_unique(name: params[:name])
+        merror!(400, "An organization with that name already exists.") if new_org.nil?
+        new_org.billing_email = customer.email
+        new_org.save_changes
+        mem = new_org.add_membership(customer:, membership_role: Webhookdb::Role.admin_role, verified: true)
+        customer.replace_default_membership(mem)
+        message = "Organization created with identifier '#{new_org.key}'.\n" \
+                  "Use `webhookdb org invite` to invite members to #{new_org.name}."
+        status 200
+        present new_org, with: Webhookdb::API::OrganizationEntity, message:
+      end
+    end
+
+    desc "Allows user to verify membership in an organization with an invitation code."
+    params do
+      optional :invitation_code, type: String, prompt: "Enter the invitation code:"
+    end
+    post :join do
+      customer = current_customer
+      customer.db.transaction do
+        membership = customer.invited_memberships_dataset[invitation_code: params[:invitation_code]]
+        merror!(400, "Looks like that invite code is invalid. Please try again.", alert: true) if membership.nil?
+        membership.verified = true
+        membership.invitation_code = ""
+        membership.save_changes
+        customer.replace_default_membership(membership)
+        message = "Congratulations! You are now a member of #{membership.organization_name}."
+        status 200
+        present membership, with: Webhookdb::API::OrganizationMembershipEntity, message:
+      end
+    end
+  end
+end

data/lib/webhookdb/api/replay.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require "webhookdb/api"
+
+class Webhookdb::API::Replay < Webhookdb::API::V1
+  DEFAULT_INTERVAL = 1.hour
+
+  resource :organizations do
+    route_param :org_identifier, type: String do
+      resource :replay do
+        params do
+          optional :before, type: Time
+          optional :after, type: Time
+          optional :hours, type: Integer
+          optional :service_integration_identifier
+        end
+        post do
+          current_customer
+          org = lookup_org!
+          cutoff_lower = params[:after]
+          cutoff_upper = params[:before]
+          interval = params.fetch(:hours, 0).positive? ? params[:hours].hours : DEFAULT_INTERVAL
+          if cutoff_lower.nil? && cutoff_upper.nil?
+            cutoff_upper = Time.now.utc
+            cutoff_lower = cutoff_upper - interval
+          elsif cutoff_lower && cutoff_upper
+            nil
+          elsif cutoff_upper
+            cutoff_lower = cutoff_upper - interval
+          elsif cutoff_lower
+            # Add an offset so that cutoff_upper is in the same timezone as cutoff_lower
+            cutoff_upper = cutoff_lower + (Time.now - cutoff_lower)
+          end
+
+          old_age_cutoff = Time.now - Webhookdb::LoggedWebhook.maximum_replay_history_hours.hours
+          merror!(400, "Webhooks older than #{old_age_cutoff.utc} cannot be replayed.") if cutoff_upper < old_age_cutoff
+
+          max_replay_hours = Webhookdb::LoggedWebhook.maximum_replay_interval_hours
+          if (cutoff_upper - cutoff_lower) > max_replay_hours.hours
+            merror!(400, "The maximum webhook replay interval is #{max_replay_hours} hours.")
+          end
+
+          ds = Webhookdb::LoggedWebhook.where(organization_id: org.id).
+            where { inserted_at >= cutoff_lower }.
+            where { inserted_at <= cutoff_upper }.
+            where(truncated_at: nil).select(:id)
+          if params[:service_integration_identifier].present?
+            sint = lookup_service_integration!(org, params[:service_integration_identifier])
+            ds = ds.where(service_integration_opaque_id: sint.opaque_id)
+          end
+          replayed = 0
+          ds.paged_each do |lw|
+            lw.replay_async
+            replayed += 1
+          end
+          s = replayed == 1 ? "" : "s"
+          message = "Replaying #{replayed} webhook#{s} between #{cutoff_lower.iso8601} and #{cutoff_upper.iso8601}."
+          status 200
+          present({}, with: Webhookdb::API::BaseEntity, message:)
+        end
+      end
+    end
+  end
+end