webhookdb 1.2.1 → 1.3.0

data/lib/webhookdb/idempotency.rb

@@ -34,6 +34,10 @@ class Webhookdb::Idempotency < Webhookdb::Postgres::Model(:idempotencies)
 
     def skip_transaction_check? = self.skip_transaction_check
 
+    # @return [Hash]
+    def memory_cache = @memory_cache ||= {}
+    def _memory_cache_results = @_memory_cache_results ||= {}
+
     # @return [Builder]
     def once_ever
       b = self::Builder.new
@@ -63,7 +67,7 @@ class Webhookdb::Idempotency < Webhookdb::Postgres::Model(:idempotencies)
   end
 
   class Builder
-    attr_accessor :_every, :_once_ever, :_stored, :_sepconn, :_key
+    attr_accessor :_every, :_once_ever, :_stored, :_sepconn, :_key, :_in_memory
 
     # If set, the result of block is stored as JSON,
     # and returned when an idempotent call is made.
@@ -74,6 +78,16 @@ class Webhookdb::Idempotency < Webhookdb::Postgres::Model(:idempotencies)
       return self
     end
 
+    # If set, run a server-side idempotency (just for this process, across all threads)
+    # rather than in the database (for all processes).
+    # This is useful as a backoff mechanism for certain actions, like log sampling.
+    # Note, this uses an unbounded cache size for the sake of simplicity and performance,
+    # so be careful to use this with keys that will not grow infinitely.
+    def in_memory
+      self._in_memory = true
+      return self
+    end
+
     # Run the idempotency on a separate connection.
     # Allows use of idempotency within an existing transaction block,
     # which is normally not allowed. Usually should be used with #stored,
@@ -96,21 +110,24 @@ class Webhookdb::Idempotency < Webhookdb::Postgres::Model(:idempotencies)
       return self
     end
 
-    def execute
-      if self._sepconn
-        db = Webhookdb::Idempotency.separate_connection
+    def execute(&)
+      if self._in_memory
+        db = InMemory.new(Webhookdb::Idempotency.memory_cache, Webhookdb::Idempotency._memory_cache_results)
+      elsif self._sepconn
+        db = InDatabase.new(Webhookdb::Idempotency.separate_connection)
       else
-        db = Webhookdb::Idempotency.db
+        conn = Webhookdb::Idempotency.db
         Webhookdb::Postgres.check_transaction(
-          db,
+          conn,
           "Cannot use idempotency while already in a transaction, since side effects may not be idempotent. " \
           "You can chain withusing_seperate_connection to run the idempotency itself separately.",
         )
+        db = InDatabase.new(conn)
       end
 
-      db[:idempotencies].insert_conflict.insert(key: self._key)
+      db.ensure(self._key)
       db.transaction do
-        idem_row = db[:idempotencies].where(key: self._key).for_update.first
+        idem_row = db.lock(self._key)
         if idem_row.fetch(:last_run).nil?
           result = yield()
           result = self._update_row(db, result)
@@ -126,26 +143,56 @@ class Webhookdb::Idempotency < Webhookdb::Postgres::Model(:idempotencies)
     end
 
     def _update_row(db, result)
-      updates = {last_run: Time.now}
-      if self._stored
-        result = result.as_json
-        updates[:stored_result] = Sequel.pg_jsonb_wrap(result)
-      end
-      db[:idempotencies].where(key: self._key).update(updates)
-      return result
+      jresult = self._stored ? result.as_json : result
+      db.finish(self._key, last_run: Time.now, stored: self._stored, result: jresult)
+      return jresult
+    end
+  end
+
+  class InMemory
+    def initialize(cache, store)
+      @cache = cache
+      @store = store
+    end
+
+    def ensure(_key) = nil
+    def lock(key) = {last_run: @cache[key], stored_result: @store[key]}
+    def transaction(&) = yield
+
+    def finish(key, last_run:, stored:, result:)
+      @cache[key] = last_run
+      @store[key] = result if stored
+    end
+  end
+
+  class InDatabase
+    def initialize(conn)
+      @conn = conn
+    end
+
+    def db = @conn
+    def transaction(&) = db.transaction(&)
+    def ensure(key) = db[:idempotencies].insert_conflict.insert(key:)
+    def lock(key) = db[:idempotencies].where(key:).for_update.first
+
+    def finish(key, last_run:, stored:, result:)
+      updates = {last_run:}
+      updates[:stored_result] = Sequel.pg_jsonb_wrap(result) if stored
+      db[:idempotencies].where(key:).update(updates)
     end
   end
 end
 
 # Table: idempotencies
-# -------------------------------------------------------------------------------------
+# ----------------------------------------------------------------------------------------
 # Columns:
-#  id         | integer                  | PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY
-#  created_at | timestamp with time zone | NOT NULL DEFAULT now()
-#  updated_at | timestamp with time zone |
-#  last_run   | timestamp with time zone |
-#  key        | text                     |
+#  id            | integer                  | PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY
+#  created_at    | timestamp with time zone | NOT NULL DEFAULT now()
+#  updated_at    | timestamp with time zone |
+#  last_run      | timestamp with time zone |
+#  key           | text                     |
+#  stored_result | jsonb                    |
 # Indexes:
 #  idempotencies_pkey    | PRIMARY KEY btree (id)
 #  idempotencies_key_key | UNIQUE btree (key)
-# -------------------------------------------------------------------------------------
+# ----------------------------------------------------------------------------------------

data/lib/webhookdb/increase.rb

@@ -6,37 +6,85 @@ class Webhookdb::Increase
   include Appydays::Loggable
 
   configurable(:increase) do
+    # This is created in your 'platform' account, and is needed to call the OAuth endpoints.
+    # https://dashboard.increase.com/developers/api_keys
+    setting :api_key, "increase_api_key"
+    # This is created in your Platform account, and is used to sign webhooks,
+    # which we get for both platform events (which are ignored) and associated oauth app events
+    # (with an Increase-Group-Id header).
+    # https://dashboard.increase.com/developers/webhooks
+    setting :webhook_secret, "increase_webhook_secret"
+
+    # Id and secret for the WebhookDB Oauth app.
+    # https://dashboard.increase.com/developers/oauths
+    setting :oauth_client_id, "increase_oauth_fake_client"
+    setting :oauth_client_secret, "increase_oauth_fake_secret"
+
     setting :http_timeout, 30
   end
 
-  def self.webhook_response(request, webhook_secret)
-    http_signature = request.env["HTTP_X_BANK_WEBHOOK_SIGNATURE"]
-
-    return Webhookdb::WebhookResponse.error("missing hmac") if http_signature.nil?
+  class WebhookSignature < Webhookdb::TypedStruct
+    attr_accessor :t, :v1
 
-    request.body.rewind
-    request_data = request.body.read
+    def _defaults = {t: nil, v1: []}
 
-    computed_signature = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha256"), webhook_secret, request_data)
-
-    if http_signature != "sha256=" + computed_signature
-      # Invalid signature
-      self.logger.warn "increase signature verification error"
-      return Webhookdb::WebhookResponse.error("invalid hmac")
+    def format
+      parts = []
+      parts << "t=#{self.t.utc.iso8601}" if self.t
+      self.v1&.each { |v1| parts << "v1=#{v1}" }
+      return parts.join(",")
     end
+  end
 
-    return Webhookdb::WebhookResponse.ok
+  # @param s [String,nil]
+  # @return [WebhookSignature]
+  def self.parse_signature(s)
+    sig = WebhookSignature.new
+    s&.split(",")&.each do |part|
+      key, val = part.split("=")
+      if key == "t"
+        begin
+          sig.t = Time.rfc3339(val)
+        rescue ArgumentError
+          nil
+        end
+      elsif key == "v1"
+        sig.v1 << val
+      end
+    end
+    return sig
   end
 
-  # this helper function finds the relevant object data and helps us avoid repeated code
-  def self.find_desired_object_data(body)
-    return body.fetch("data", body)
+  # @param secret [String]
+  # @param data [String]
+  # @param t [Time]
+  # @return [WebhookSignature]
+  def self.compute_signature(secret:, data:, t:)
+    signed_payload = "#{t.utc.iso8601}.#{data}"
+    sig = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha256"), secret, signed_payload)
+    return WebhookSignature.new(v1: [sig], t:)
   end
 
-  # this function interprets webhook contents to assist with filtering webhooks by object type in our increase services
-  def self.contains_desired_object(webhook_body, desired_object_name)
-    object_of_interest = self.find_desired_object_data(webhook_body)
-    object_id = object_of_interest["id"]
-    return object_id.include?(desired_object_name)
+  OLD_CUTOFF = 35.days
+  NEW_CUTOFF = 4.days
+
+  def self.webhook_response(request, webhook_secret, now: Time.now)
+    http_signature = request.env["HTTP_INCREASE_WEBHOOK_SIGNATURE"]
+    return Webhookdb::WebhookResponse.error("missing header") if http_signature.nil?
+
+    request.body.rewind
+    request_data = request.body.read
+
+    parsed_signature = self.parse_signature(http_signature)
+    return Webhookdb::WebhookResponse.error("missing timestamp") if parsed_signature.t.nil?
+    return Webhookdb::WebhookResponse.error("missing signatures") if parsed_signature.v1.empty?
+    return Webhookdb::WebhookResponse.error("too old") if parsed_signature.t < (now - OLD_CUTOFF)
+    return Webhookdb::WebhookResponse.error("too new") if parsed_signature.t > (now + NEW_CUTOFF)
+
+    computed_signature = self.compute_signature(secret: webhook_secret, data: request_data, t: parsed_signature.t)
+    return Webhookdb::WebhookResponse.error("invalid signature") unless
+      parsed_signature.v1.include?(computed_signature.v1.first)
+
+    return Webhookdb::WebhookResponse.ok
   end
 end

data/lib/webhookdb/intercom.rb

@@ -12,9 +12,16 @@ module Webhookdb::Intercom
     setting :page_size, 20
   end
 
-  def self.verify_webhook(data, hmac_header)
-    calculated_hmac = "sha1=#{OpenSSL::HMAC.hexdigest('SHA1', self.client_secret, data)}"
-    return ActiveSupport::SecurityUtils.secure_compare(calculated_hmac, hmac_header)
+  def self.webhook_response(request, webhook_secret)
+    header_value = request.env["HTTP_X_HUB_SIGNATURE"]
+    return Webhookdb::WebhookResponse.error("missing hmac") if header_value.nil?
+    request.body.rewind
+    request_data = request.body.read
+    hmac = OpenSSL::HMAC.hexdigest("SHA1", webhook_secret, request_data)
+    calculated_hmac = "sha1=#{hmac}"
+    verified = ActiveSupport::SecurityUtils.secure_compare(calculated_hmac, header_value)
+    return Webhookdb::WebhookResponse.ok if verified
+    return Webhookdb::WebhookResponse.error("invalid hmac")
   end
 
   def self.auth_headers(token)

data/lib/webhookdb/jobs/backfill.rb

@@ -26,10 +26,12 @@ class Webhookdb::Jobs::Backfill
       return
     end
     sint = bfjob.service_integration
+    bflock = bfjob.ensure_service_integration_lock
     self.with_log_tags(sint.log_tags.merge(backfill_job_id: bfjob.opaque_id)) do
       sint.db.transaction do
-        unless bfjob.lock?
+        unless bflock.lock?
           self.logger.info "skipping_locked_backfill_job"
+          bfjob.update(finished_at: Time.now)
           break
         end
         bfjob.refresh

data/lib/webhookdb/jobs/emailer.rb

@@ -9,7 +9,6 @@ class Webhookdb::Jobs::Emailer
   splay 5.seconds
 
   def _perform
-    self.logger.info "Sending pending emails"
     Webhookdb::Message.send_unsent
   end
 end

data/lib/webhookdb/jobs/icalendar_delete_stale_cancelled_events.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require "webhookdb/async/scheduled_job"
+require "webhookdb/jobs"
+
+class Webhookdb::Jobs::IcalendarDeleteStaleCancelledEvents
+  extend Webhookdb::Async::ScheduledJob
+
+  cron "37 7 * * *" # Once a day
+  splay 120
+
+  def _perform
+    Webhookdb::ServiceIntegration.where(service_name: "icalendar_event_v1").each do |sint|
+      self.with_log_tags(sint.log_tags) do
+        sint.replicator.delete_stale_cancelled_events
+      end
+    end
+  end
+end

data/lib/webhookdb/jobs/icalendar_enqueue_syncs.rb

@@ -22,7 +22,7 @@ class Webhookdb::Jobs::IcalendarEnqueueSyncs
           self.with_log_tags(sint.log_tags) do
             splay = rand(1..max_splay)
             enqueued_job_id = Webhookdb::Jobs::IcalendarSync.perform_in(splay, sint.id, calendar_external_id)
-            self.logger.info("enqueued_icalendar_sync", calendar_external_id:, enqueued_job_id:)
+            self.logger.debug("enqueued_icalendar_sync", calendar_external_id:, enqueued_job_id:)
           end
         end
       end

data/lib/webhookdb/jobs/icalendar_sync.rb

@@ -16,7 +16,7 @@ class Webhookdb::Jobs::IcalendarSync
         self.logger.warn("icalendar_sync_row_miss", calendar_external_id:)
         return
       end
-      self.logger.info("icalendar_sync_start")
+      self.logger.debug("icalendar_sync_start")
       sint.replicator.sync_row(row)
     end
   end

data/lib/webhookdb/jobs/increase_event_handler.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require "webhookdb/async/job"
+
+class Webhookdb::Jobs::IncreaseEventHandler
+  extend Webhookdb::Async::Job
+
+  on "increase.*"
+
+  def _perform(event)
+    case event.name
+      when "increase.oauth_connection.deactivated"
+        conn_id = event.payload[0].fetch("associated_object_id")
+        self.logger.info("increase_oauth_disconnect", oauth_connection_id: conn_id)
+        Webhookdb::Oauth::IncreaseProvider.disconnect_oauth(conn_id)
+      else
+        self.logger.info("increase_event_noop")
+    end
+  end
+end

data/lib/webhookdb/jobs/scheduled_backfills.rb

@@ -51,8 +51,9 @@ module Webhookdb::Jobs
         Webhookdb::Github.activity_cron_expression, 30.seconds, false,
       ),
       Spec.new(
+        # I think we can get rid of this once we're more confident webhooks are working reliably.
         "IntercomScheduledBackfill", "intercom_marketplace_root_v1",
-        "*/1 * * * *", 0, false, true,
+        "46 4 * * *", 0, false, true,
       ),
       Spec.new(
         "AtomSingleFeedPoller", "atom_single_feed_v1",

data/lib/webhookdb/jobs/sync_target_run_sync.rb

@@ -30,7 +30,9 @@ class Webhookdb::Jobs::SyncTargetRunSync
     ) do
       stgt.run_sync(now: Time.now)
     rescue Webhookdb::SyncTarget::SyncInProgress
-      self.logger.info("sync_target_already_in_progress")
+      Webhookdb::Idempotency.every(30.seconds).in_memory.under_key("sync_target_in_progress-#{stgt.id}") do
+        self.logger.info("sync_target_already_in_progress")
+      end
     rescue Webhookdb::SyncTarget::Deleted
       self.logger.info("sync_target_deleted")
     end

data/lib/webhookdb/message/body.rb

@@ -6,6 +6,7 @@ require "webhookdb/message"
 
 class Webhookdb::Message::Body < Webhookdb::Postgres::Model(:message_bodies)
   plugin :timestamps
+  plugin :text_searchable, terms: [:content]
 
   many_to_one :delivery, class: "Webhookdb::Message::Delivery"
 end
@@ -13,10 +14,11 @@ end
 # Table: message_bodies
 # ----------------------------------------------------------------------------------------------------
 # Columns:
-#  id          | integer | PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY
-#  content     | text    | NOT NULL
-#  mediatype   | text    | NOT NULL
-#  delivery_id | integer | NOT NULL
+#  id          | integer  | PRIMARY KEY GENERATED BY DEFAULT AS IDENTITY
+#  content     | text     | NOT NULL
+#  mediatype   | text     | NOT NULL
+#  delivery_id | integer  | NOT NULL
+#  text_search | tsvector |
 # Indexes:
 #  message_bodies_pkey              | PRIMARY KEY btree (id)
 #  message_bodies_delivery_id_index | btree (delivery_id)

data/lib/webhookdb/message/delivery.rb

@@ -7,6 +7,7 @@ require "webhookdb/message"
 class Webhookdb::Message::Delivery < Webhookdb::Postgres::Model(:message_deliveries)
   plugin :timestamps
   plugin :soft_deletes
+  plugin :text_searchable, terms: [:template, :to, :recipient]
 
   many_to_one :recipient, class: "Webhookdb::Customer"
   one_to_many :bodies, class: "Webhookdb::Message::Body"
@@ -115,6 +116,7 @@ end
 #  recipient_id         | integer                  |
 #  extra_fields         | jsonb                    | NOT NULL DEFAULT '{}'::jsonb
 #  soft_deleted_at      | timestamp with time zone |
+#  text_search          | tsvector                 |
 # Indexes:
 #  message_deliveries_pkey                     | PRIMARY KEY btree (id)
 #  message_deliveries_transport_message_id_key | UNIQUE btree (transport_message_id)

data/lib/webhookdb/messages/error_icalendar_fetch.rb

@@ -21,8 +21,7 @@ class Webhookdb::Messages::ErrorIcalendarFetch < Webhookdb::Message::Template
   end
 
   def signature
-    ehash = Digest::MD5.hexdigest(@kw.to_s)
-    return "msg-#{self.full_template_name}-sint:#{@service_integration.id}-eid:#{@external_calendar_id}-err:#{ehash}"
+    return "msg-#{self.full_template_name}-sint:#{@service_integration.id}-eid:#{@external_calendar_id}"
   end
 
   def template_folder = "errors"

data/lib/webhookdb/messages/error_signalwire_send_sms.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require "webhookdb/message/template"
+
+class Webhookdb::Messages::ErrorSignalwireSendSms < Webhookdb::Message::Template
+  def self.fixtured(_recipient)
+    sint = Webhookdb::Fixtures.service_integration.create
+    return self.new(
+      sint,
+      response_status: 422,
+      request_url: "https://whdbtest.signalwire.com/2010-04-01/Accounts/projid/Messages.json",
+      request_method: "POST",
+      response_body: {
+        code: "21717",
+        message: "From must belong to an active campaign.",
+        more_info: "https://developer.signalwire.com/compatibility-api/reference/error-codes",
+        status: 400,
+      }.to_json,
+    )
+  end
+
+  def initialize(service_integration, request_url:, request_method:, response_status:, response_body:)
+    @service_integration = service_integration
+    @request_url = request_url
+    @request_method = request_method
+    @response_status = response_status
+    @response_body = response_body
+    super()
+  end
+
+  def signature
+    return "msg-#{self.full_template_name}-sint:#{@service_integration.id}-req:#{@request_url}"
+  end
+
+  def template_folder = "errors"
+  def template_name = "signalwire_send_sms"
+
+  def liquid_drops
+    return super.merge(
+      service_name: @service_integration.service_name,
+      opaque_id: @service_integration.opaque_id,
+      request_method: @request_method,
+      request_url: @request_url,
+      response_status: @response_status,
+      response_body: @response_body,
+    )
+  end
+end

data/lib/webhookdb/oauth/fake_provider.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require "webhookdb/increase"
+
+class Webhookdb::Oauth::FakeProvider < Webhookdb::Oauth::Provider
+  class << self
+    # If any of these are non-nil, they're called instead of the instance method.
+    attr_accessor :supports_webhooks, :exchange_authorization_code
+
+    def reset
+      self.supports_webhooks = nil
+      self.exchange_authorization_code = nil
+    end
+  end
+
+  def key = "fake"
+  def app_name = "Fake"
+  def supports_webhooks? = _call_or_do(:supports_webhooks) { true }
+
+  def authorization_url(state:)
+    return "#{Webhookdb.api_url}/v1/install/fake_oauth_authorization?client_id=fakeclient&state=#{state}"
+  end
+
+  def exchange_authorization_code(code:)
+    return _call_or_do(:exchange_authorization_code) do
+      Webhookdb::Oauth::Tokens.new(access_token: "access-#{code}", refresh_token: "refresh-#{code}")
+    end
+  end
+
+  def build_marketplace_integrations(organization:, tokens:, **)
+    return Webhookdb::ServiceIntegration.create_disambiguated(
+      "fake_v1",
+      organization:,
+      webhook_secret: tokens.access_token,
+      backfill_key: tokens.refresh_token,
+    )
+  end
+
+  protected def _call_or_do(m)
+    d = Webhookdb::Oauth::FakeProvider.send(m)
+    return yield if d.nil?
+    return d.call
+  end
+end

data/lib/webhookdb/oauth/front_provider.rb

@@ -5,13 +5,11 @@ require "webhookdb/front"
 class Webhookdb::Oauth::FrontProvider < Webhookdb::Oauth::Provider
   include Appydays::Loggable
 
-  # Override these for custom OAuth of different apps
   def key = "front"
   def app_name = "Front"
   def client_id = Webhookdb::Front.client_id
   def client_secret = Webhookdb::Front.client_secret
 
-  def requires_webhookdb_auth? = true
   def supports_webhooks? = true
 
   def authorization_url(state:)
@@ -60,6 +58,7 @@ class Webhookdb::Oauth::FrontProvider < Webhookdb::Oauth::Provider
       backfill_key: tokens.refresh_token,
     )
     root_sint.replicator.build_dependents
+    return root_sint
   end
 end
 

data/lib/webhookdb/oauth/increase_provider.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+require "webhookdb/increase"
+
+class Webhookdb::Oauth::IncreaseProvider < Webhookdb::Oauth::Provider
+  include Appydays::Loggable
+
+  def key = "increase"
+  def app_name = "Increase"
+  # Increase POSTs all Oauth app webhooks to the same place
+  def supports_webhooks? = true
+
+  def authorization_url(state:)
+    return "https://increase.com/oauth/authorization?client_id=#{Webhookdb::Increase.oauth_client_id}&state=#{state}&scope=read_only"
+  end
+
+  def exchange_authorization_code(code:)
+    token_resp = Webhookdb::Http.post(
+      "https://api.increase.com/oauth/tokens",
+      {
+        "client_id" => Webhookdb::Increase.oauth_client_id,
+        "client_secret" => Webhookdb::Increase.oauth_client_secret,
+        "code" => code,
+        grant_type: "authorization_code",
+      },
+      headers: {"Authorization" => "Bearer #{Webhookdb::Increase.api_key}"},
+      logger: self.logger,
+      timeout: Webhookdb::Increase.http_timeout,
+    )
+    return Webhookdb::Oauth::Tokens.new(access_token: token_resp.parsed_response["access_token"])
+  end
+
+  def build_marketplace_integrations(organization:, tokens:, **)
+    group_resp = Webhookdb::Http.get(
+      "https://api.increase.com/groups/current",
+      headers: {"Authorization" => "Bearer #{tokens.access_token}"},
+      logger: self.logger,
+      timeout: Webhookdb::Increase.http_timeout,
+    )
+    group_id = group_resp.parsed_response.fetch("id")
+    # We need to store the Oauth Connection ID for the group, so when there is an oauth disconnect,
+    # we know which replicator to destroy.
+    #
+    # The deactivation comes through as an event on the Platform account,
+    # and does not tell us the Group ID. And we cannot fetch the OAuth Connection
+    # on the Platform account, since once a Connection is deactivated,
+    # the Increase API will not return it.
+    #
+    # This seems like a bug, and has been reported to Increase.
+    # If their /oauth_connections/:id endpoint starts working for 'inactive' connections,
+    # this code can be removed, and we can look up the group ID when we handle the deactivate webhook.
+    oauth_conns_resp = Webhookdb::Http.get(
+      "https://api.increase.com/oauth_connections",
+      headers: {"Authorization" => "Bearer #{Webhookdb::Increase.api_key}"},
+      logger: self.logger,
+      timeout: Webhookdb::Increase.http_timeout,
+    )
+    group_conn = oauth_conns_resp.parsed_response["data"].find { |c| c.fetch("group_id") == group_id }
+    raise Webhookdb::InvariantViolation, "no OAuth Connection for Group #{group_id}/Org #{organization.key}" if
+      group_conn.nil?
+    root_sint = Webhookdb::ServiceIntegration.create_disambiguated(
+      "increase_app_v1",
+      organization:,
+      api_url: group_id,
+      backfill_key: tokens.access_token,
+      webhookdb_api_key: group_conn.fetch("id"),
+    )
+    root_sint.replicator.build_dependents
+    return root_sint
+  end
+
+  def self.disconnect_oauth(connection_id)
+    # It may have already been deleted, make this idempotent.
+    # See above for why we store the connection id directly.
+    Webhookdb::ServiceIntegration.where(service_name: "increase_app_v1").
+      with_encrypted_value(:webhookdb_api_key, connection_id).
+      all.
+      each(&:destroy_self_and_all_dependents)
+  end
+end

data/lib/webhookdb/oauth/intercom_provider.rb

@@ -7,7 +7,6 @@ class Webhookdb::Oauth::IntercomProvider < Webhookdb::Oauth::Provider
 
   def key = "intercom"
   def app_name = "Intercom"
-  def requires_webhookdb_auth? = false
   def supports_webhooks? = false
 
   def authorization_url(state:)
@@ -28,7 +27,7 @@ class Webhookdb::Oauth::IntercomProvider < Webhookdb::Oauth::Provider
     return Webhookdb::Oauth::Tokens.new(access_token: token_resp.parsed_response["token"])
   end
 
-  def find_or_create_customer(tokens:, scope:)
+  def build_marketplace_integrations(organization:, tokens:)
     intercom_user_resp = Webhookdb::Http.get(
       "https://api.intercom.io/me",
       headers: Webhookdb::Intercom.auth_headers(tokens.access_token),
@@ -36,17 +35,9 @@ class Webhookdb::Oauth::IntercomProvider < Webhookdb::Oauth::Provider
       timeout: Webhookdb::Intercom.http_timeout,
     )
 
-    intercom_user = intercom_user_resp.parsed_response
-    scope[:me_response] = intercom_user
-    intercom_email = intercom_user.fetch("email")
-    return Webhookdb::Customer.find_or_create_for_email(intercom_email)
-  end
-
-  def build_marketplace_integrations(organization:, tokens:, scope:)
-    intercom_user = scope.fetch(:me_response)
     # The intercom workspace id is used in the intercom webhook endpoint to identify which
     # service integration to delegate requests to.
-    intercom_workspace_id = intercom_user.dig("app", "id_code")
+    intercom_workspace_id = intercom_user_resp.parsed_response.dig("app", "id_code")
     root_sint = Webhookdb::ServiceIntegration.create_disambiguated(
       "intercom_marketplace_root_v1",
       organization:,
@@ -54,5 +45,6 @@ class Webhookdb::Oauth::IntercomProvider < Webhookdb::Oauth::Provider
       backfill_key: tokens.access_token,
     )
     root_sint.replicator.build_dependents
+    return root_sint
   end
 end