svc-infra 0.1.597__py3-none-any.whl → 0.1.598__py3-none-any.whl

svc_infra/db/inbox.py

@@ -13,6 +13,10 @@ class InboxStore(Protocol):
         """Optional: remove expired keys, return number purged."""
         ...
 
+    def is_marked(self, key: str) -> bool:
+        """Return True if key is already marked (not expired), without modifying it."""
+        ...
+
 
 class InMemoryInboxStore:
     def __init__(self) -> None:
@@ -33,6 +37,11 @@ class InMemoryInboxStore:
             self._keys.pop(k, None)
         return len(to_del)
 
+    def is_marked(self, key: str) -> bool:
+        now = time.time()
+        exp = self._keys.get(key)
+        return bool(exp and exp > now)
+
 
 class SqlInboxStore:
     """Skeleton for a SQL-backed inbox store (dedupe table).
@@ -53,3 +62,6 @@ class SqlInboxStore:
 
     def purge_expired(self) -> int:  # pragma: no cover - skeleton
         raise NotImplementedError
+
+    def is_marked(self, key: str) -> bool:  # pragma: no cover - skeleton
+        raise NotImplementedError

svc_infra/jobs/builtins/webhook_delivery.py

@@ -1,20 +1,11 @@
 from __future__ import annotations
 
-import hashlib
-import hmac
-import json
-from typing import Dict
-
 import httpx
 
 from svc_infra.db.inbox import InboxStore
 from svc_infra.db.outbox import OutboxStore
 from svc_infra.jobs.queue import Job
-
-
-def _compute_signature(secret: str, payload: Dict) -> str:
-    body = json.dumps(payload, separators=(",", ":")).encode()
-    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
+from svc_infra.webhooks.signing import sign
 
 
 def make_webhook_handler(
@@ -39,18 +30,46 @@ def make_webhook_handler(
         if not outbox_id or not topic:
             # Nothing we can do; ack to avoid poison loop
             return
-        # dedupe by outbox_id via inbox
+        # dedupe marker key (marked after successful delivery)
         key = f"webhook:{outbox_id}"
-        if not inbox.mark_if_new(key, ttl_seconds=24 * 3600):
+        if inbox.is_marked(key):
             # already delivered
             outbox.mark_processed(int(outbox_id))
             return
-        url = get_webhook_url_for_topic(topic)
-        secret = get_secret_for_topic(topic)
-        sig = _compute_signature(secret, payload)
+        event = payload.get("event") if isinstance(payload, dict) else None
+        subscription = payload.get("subscription") if isinstance(payload, dict) else None
+        if event is not None and subscription is not None:
+            delivery_payload = event
+            url = subscription.get("url") or get_webhook_url_for_topic(topic)
+            secret = subscription.get("secret") or get_secret_for_topic(topic)
+            subscription_id = subscription.get("id")
+        else:
+            delivery_payload = payload
+            url = get_webhook_url_for_topic(topic)
+            secret = get_secret_for_topic(topic)
+            subscription_id = None
+        sig = sign(secret, delivery_payload)
+        headers = {
+            header_name: sig,
+            "X-Event-Id": str(outbox_id),
+            "X-Topic": str(topic),
+            "X-Attempt": str(job.attempts or 1),
+            "X-Signature-Alg": "hmac-sha256",
+            "X-Signature-Version": "v1",
+        }
+        if subscription_id:
+            headers["X-Webhook-Subscription"] = str(subscription_id)
+        # include event payload version if present
+        version = None
+        if isinstance(delivery_payload, dict):
+            version = delivery_payload.get("version")
+        if version is not None:
+            headers["X-Payload-Version"] = str(version)
         async with httpx.AsyncClient(timeout=10) as client:
-            resp = await client.post(url, json=payload, headers={header_name: sig})
+            resp = await client.post(url, json=delivery_payload, headers=headers)
             if 200 <= resp.status_code < 300:
+                # record delivery and mark processed
+                inbox.mark_if_new(key, ttl_seconds=24 * 3600)
                 outbox.mark_processed(int(outbox_id))
                 return
             # allow retry on non-2xx: raise to trigger fail/backoff

svc_infra/webhooks/__init__.py

@@ -0,0 +1 @@
+from __future__ import annotations

svc_infra/webhooks/fastapi.py

@@ -0,0 +1,37 @@
+from __future__ import annotations
+
+from typing import Callable, Sequence
+
+from fastapi import HTTPException, Request, status
+
+from .signing import verify, verify_any
+
+
+def require_signature(
+    secrets_provider: Callable[[], str | Sequence[str]],
+    *,
+    header_name: str = "X-Signature",
+):
+    async def _dep(request: Request):
+        sig = request.headers.get(header_name)
+        if not sig:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED, detail="missing signature"
+            )
+        try:
+            body = await request.json()
+        except Exception:
+            raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="invalid JSON body")
+        secrets = secrets_provider()
+        ok = False
+        if isinstance(secrets, str):
+            ok = verify(secrets, body, sig)
+        else:
+            ok = verify_any(secrets, body, sig)
+        if not ok:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED, detail="invalid signature"
+            )
+        return body
+
+    return _dep

svc_infra/webhooks/router.py

@@ -0,0 +1,55 @@
+from __future__ import annotations
+
+from typing import Any, Dict
+
+from fastapi import APIRouter, Depends, HTTPException
+
+from svc_infra.db.outbox import InMemoryOutboxStore, OutboxStore
+
+from .service import InMemoryWebhookSubscriptions, WebhookService
+
+router = APIRouter(prefix="/_webhooks", tags=["webhooks"])
+
+
+def get_outbox() -> OutboxStore:
+    # For now expose an in-memory default. Apps can override via DI.
+    # In production, provide a proper store through dependency override.
+    return InMemoryOutboxStore()
+
+
+def get_subs() -> InMemoryWebhookSubscriptions:
+    return InMemoryWebhookSubscriptions()
+
+
+def get_service(
+    outbox: OutboxStore = Depends(get_outbox),
+    subs: InMemoryWebhookSubscriptions = Depends(get_subs),
+) -> WebhookService:
+    return WebhookService(outbox=outbox, subs=subs)
+
+
+@router.post("/subscriptions")
+def add_subscription(
+    body: Dict[str, Any],
+    subs: InMemoryWebhookSubscriptions = Depends(get_subs),
+):
+    topic = body.get("topic")
+    url = body.get("url")
+    secret = body.get("secret")
+    if not topic or not url or not secret:
+        raise HTTPException(status_code=400, detail="Missing topic/url/secret")
+    subs.add(topic, url, secret)
+    return {"ok": True}
+
+
+@router.post("/test-fire")
+def test_fire(
+    body: Dict[str, Any],
+    svc: WebhookService = Depends(get_service),
+):
+    topic = body.get("topic")
+    payload = body.get("payload") or {}
+    if not topic:
+        raise HTTPException(status_code=400, detail="Missing topic")
+    outbox_id = svc.publish(topic, payload)
+    return {"ok": True, "outbox_id": outbox_id}

svc_infra/webhooks/service.py

@@ -0,0 +1,59 @@
+from __future__ import annotations
+
+from dataclasses import dataclass, field
+from datetime import datetime, timezone
+from typing import Dict, List
+
+from uuid import uuid4
+
+from svc_infra.db.outbox import OutboxStore
+
+
+@dataclass
+class WebhookSubscription:
+    topic: str
+    url: str
+    secret: str
+    id: str = field(default_factory=lambda: uuid4().hex)
+
+
+class InMemoryWebhookSubscriptions:
+    def __init__(self):
+        self._subs: Dict[str, List[WebhookSubscription]] = {}
+
+    def add(self, topic: str, url: str, secret: str) -> None:
+        self._subs.setdefault(topic, []).append(WebhookSubscription(topic, url, secret))
+
+    def get_for_topic(self, topic: str) -> List[WebhookSubscription]:
+        return list(self._subs.get(topic, []))
+
+
+class WebhookService:
+    def __init__(self, outbox: OutboxStore, subs: InMemoryWebhookSubscriptions):
+        self._outbox = outbox
+        self._subs = subs
+
+    def publish(self, topic: str, payload: Dict, *, version: int = 1) -> int:
+        created_at = datetime.now(timezone.utc).isoformat()
+        base_event = {
+            "topic": topic,
+            "payload": payload,
+            "version": version,
+            "created_at": created_at,
+        }
+        # For each subscription, enqueue an outbox message with subscriber identity
+        last_id = 0
+        for sub in self._subs.get_for_topic(topic):
+            event = dict(base_event)
+            msg_payload = {
+                "event": event,
+                "subscription": {
+                    "id": sub.id,
+                    "topic": sub.topic,
+                    "url": sub.url,
+                    "secret": sub.secret,
+                },
+            }
+            msg = self._outbox.enqueue(topic, msg_payload)
+            last_id = msg.id
+        return last_id

svc_infra/webhooks/signing.py

@@ -0,0 +1,30 @@
+from __future__ import annotations
+
+import hashlib
+import hmac
+import json
+from typing import Dict, Iterable
+
+
+def canonical_body(payload: Dict) -> bytes:
+    return json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
+
+
+def sign(secret: str, payload: Dict) -> str:
+    body = canonical_body(payload)
+    return hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
+
+
+def verify(secret: str, payload: Dict, signature: str) -> bool:
+    expected = sign(secret, payload)
+    try:
+        return hmac.compare_digest(expected, signature)
+    except Exception:
+        return False
+
+
+def verify_any(secrets: Iterable[str], payload: Dict, signature: str) -> bool:
+    for s in secrets:
+        if verify(s, payload, signature):
+            return True
+    return False

{svc_infra-0.1.597.dist-info → svc_infra-0.1.598.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: svc-infra
-Version: 0.1.597
+Version: 0.1.598
 Summary: Infrastructure for building and deploying prod-ready services
 License: MIT
 Keywords: fastapi,sqlalchemy,alembic,auth,infra,async,pydantic

{svc_infra-0.1.597.dist-info → svc_infra-0.1.598.dist-info}/RECORD

@@ -141,7 +141,7 @@ svc_infra/cli/foundation/runner.py,sha256=RbfjKwb3aHk1Y0MYU8xMpKRpIqRVMVr8GuL2ED
 svc_infra/cli/foundation/typer_bootstrap.py,sha256=KapgH1R-qON9FuYH1KYlVx_5sJvjmAGl25pB61XCpm4,985
 svc_infra/db/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 svc_infra/db/crud_schema.py,sha256=-fv-Om1lHVt6lcNbie6A2kRcPex4SDByUPfks6SpmUc,2521
-svc_infra/db/inbox.py,sha256=07GHRGN3jCjGVgcjjVGeKKgXkmwvgtwSu_O1Cb1_9hA,1600
+svc_infra/db/inbox.py,sha256=drxLRLHaMRrCDgo_8wj12do80wDh5ssHV6LGkaM98no,1996
 svc_infra/db/nosql/__init__.py,sha256=5ETPHk-KYUtc-efuGzDFQmWkT0xFtYy8YWOHobMZhvM,154
 svc_infra/db/nosql/base.py,sha256=p47VVpwWvGNkyWe5RDSmGaUFyZovcyNqirMqoHFQ4QU,230
 svc_infra/db/nosql/constants.py,sha256=Z9bJImxwb8D7vovASFegv8XMwaWcM28tsKJV2SjywXE,416
@@ -195,7 +195,7 @@ svc_infra/db/sql/utils.py,sha256=nzuDcDhnVNehx5Y9BZLgxw8fvpfYbxTfXQsgnznVf4w,328
 svc_infra/db/sql/versioning.py,sha256=okZu2ad5RAFXNLXJgGpcQvZ5bc6gPjRWzwiBT0rEJJw,400
 svc_infra/db/utils.py,sha256=aTD49VJSEu319kIWJ1uijUoP51co4lNJ3S0_tvuyGio,802
 svc_infra/jobs/builtins/outbox_processor.py,sha256=VZoehNyjdaV_MmV74WMcbZR6z9E3VFMtZC-pxEwK0x0,1247
-svc_infra/jobs/builtins/webhook_delivery.py,sha256=6D_nmwpPOyrkzx4MM2vrpA0JKGfWbWo4BBavYEXhpDQ,1894
+svc_infra/jobs/builtins/webhook_delivery.py,sha256=z_cl6YKwnduGjGaB8ZoUpKhFcEAhUZqqBma8v2FO1so,2982
 svc_infra/jobs/easy.py,sha256=eix-OxWeE3vdkY3GGNoYM0GAyOxc928SpiSzMkr9k0A,977
 svc_infra/jobs/loader.py,sha256=LFO6gOacj6rT698vkDg0YfcHDRTue4zus3Nl9QrS5R0,1164
 svc_infra/jobs/queue.py,sha256=PS5f4CJm5_K7icojTxZOwC6uKw3O2M-jE111u85ySbA,2288
@@ -263,7 +263,12 @@ svc_infra/security/permissions.py,sha256=fQm7-OcJJkWsScDcjS2gwmqaW93zQqltaHRl6bv
 svc_infra/security/session.py,sha256=JkClqoZ-Moo9yqHzCREXMVSpzyjbn2Zh6zCjtWO93Ik,2848
 svc_infra/security/signed_cookies.py,sha256=2t61BgjsBaTzU46bt7IUJo7lwDRE9_eS4vmAQXJ8mlY,2219
 svc_infra/utils.py,sha256=VX1yjTx61-YvAymyRhGy18DhybiVdPddiYD_FlKTbJU,952
-svc_infra-0.1.597.dist-info/METADATA,sha256=GN5xri15URUe0_f-BESdwDp7BzNL5DBj5penjmrOcuw,3527
-svc_infra-0.1.597.dist-info/WHEEL,sha256=IYZQI976HJqqOpQU6PHkJ8fb3tMNBFjg-Cn-pwAbaFM,88
-svc_infra-0.1.597.dist-info/entry_points.txt,sha256=6x_nZOsjvn6hRZsMgZLgTasaCSKCgAjsGhACe_CiP0U,48
-svc_infra-0.1.597.dist-info/RECORD,,
+svc_infra/webhooks/__init__.py,sha256=U4S_2y3zgLZVfMenHRaJFBW8yqh2mUBuI291LGQVOJ8,35
+svc_infra/webhooks/fastapi.py,sha256=BCNvGNxukf6dC2a4i-6en-PrjBGV19YvCWOot5lXWsA,1101
+svc_infra/webhooks/router.py,sha256=6JvAVPMEth_xxHX-IsIOcyMgHX7g1H0OVxVXKLuMp9w,1596
+svc_infra/webhooks/service.py,sha256=hWgiJRXKBwKunJOx91C7EcLUkotDtD3Xp0RT6vj2IC0,1797
+svc_infra/webhooks/signing.py,sha256=NCwdZzmravUe7HVIK_uXK0qqf12FG-_MVsgPvOw6lsM,784
+svc_infra-0.1.598.dist-info/METADATA,sha256=OwFbEqh9yMLpWr5rcN3Bp0M_ywJypISbUxabiMuQZY8,3527
+svc_infra-0.1.598.dist-info/WHEEL,sha256=IYZQI976HJqqOpQU6PHkJ8fb3tMNBFjg-Cn-pwAbaFM,88
+svc_infra-0.1.598.dist-info/entry_points.txt,sha256=6x_nZOsjvn6hRZsMgZLgTasaCSKCgAjsGhACe_CiP0U,48
+svc_infra-0.1.598.dist-info/RECORD,,