soroushdes/flatrender
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
flatrender/services/payment/internal/handlers/webhooks.go
T
soroush.asadi 62ea110605
CI/CD / CI · Web (tsc) (push) Successful in 1m33s
Details
CI/CD / Deploy · full stack (push) Failing after 20s
Details
feat(payment): admin-editable ZarinPal settings + in-panel test payment 
Lets the broker's ZarinPal merchant / sandbox / amount-unit be set from
Admin → درگاه پرداخت (persisted in payment.settings) instead of env +
redeploy, and adds a per-app "test payment" button that mints a real
ZarinPal StartPay link straight from the panel — no site wiring needed.

- migration 33_payment_settings.sql: singleton payment.settings + a
  transactions.is_test column. (33, not 32 — 32 is content_render_engine.)
- broker read-path precedence: per-client override > DB settings > env.
- POST /v1/admin/clients/:id/test-payment + GET/PUT /v1/admin/settings.
- admin UI: «تنظیمات زرین‌پال» tab + «پرداخت آزمایشی» button.

Adversarial-review fixes (2 confirmed HIGH):
- do NOT pre-seed the settings row — a seeded sandbox=TRUE default would
  override a production ZARINPAL_SANDBOX=false env and silently route real
  payments to sandbox.zarinpal.com until an admin untouched the toggle.
  No row → env governs until an admin saves.
- test transactions are tagged is_test and the webhook dispatcher skips
  them, so an admin smoke-test can never notify (or credit) a real client,
  regardless of metadata. Broker-authoritative, not consumer-dependent.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-26 00:47:10 +03:30

140 lines
3.6 KiB
Go
Raw Permalink Blame History

package handlers
import (
"bytes"
"context"
"encoding/json"
"log"
"net/http"
"time"
"github.com/flatrender/payment-svc/internal/db"
"github.com/flatrender/payment-svc/internal/models"
"github.com/flatrender/payment-svc/internal/signing"
)
// Dispatcher delivers signed webhooks to client sites with retry/backoff.
type Dispatcher struct {
store *db.Store
http *http.Client
}
func NewDispatcher(store *db.Store) *Dispatcher {
return &Dispatcher{store: store, http: &http.Client{Timeout: 15 * time.Second}}
}
// Enqueue builds the signed payload for a finished transaction and queues delivery.
// No-op if the client has no webhook_url configured, or if this is an admin
// smoke-test transaction (broker-authoritative: a test must never notify — and
// therefore never credit — a real client, regardless of metadata).
func (d *Dispatcher) Enqueue(ctx context.Context, client *models.ClientApp, t *models.Transaction, nowUnix int64) {
if t.IsTest {
return
}
if client.WebhookURL == nil || *client.WebhookURL == "" {
return
}
event := "payment.failed"
if t.Status == models.StatusPaid {
event = "payment.paid"
}
payload := models.WebhookPayload{
Event: event,
ID: t.ID,
Status: t.Status,
AmountRial: t.AmountRial,
Currency: t.Currency,
Metadata: t.Metadata,
CreatedAtTs: nowUnix,
PaidAt: t.PaidAt,
}
if t.ClientRef != nil {
payload.ClientRef = *t.ClientRef
}
if t.RefID != nil {
payload.RefID = *t.RefID
}
if t.Authority != nil {
payload.Authority = *t.Authority
}
if t.CardPan != nil {
payload.CardPan = *t.CardPan
}
body, _ := json.Marshal(payload)
sig := signing.Sign(client.Secret, body)
id, err := d.store.EnqueueWebhook(ctx, t.ID, *client.WebhookURL, body, sig)
if err != nil {
log.Printf("webhook enqueue failed for txn %s: %v", t.ID, err)
return
}
// Best-effort immediate delivery so the client credits near-instantly; the
// retry loop (Run) still covers it if this attempt fails.
go func() {
bg, cancel := context.WithTimeout(context.Background(), 20*time.Second)
defer cancel()
if w, err := d.store.GetWebhook(bg, id); err == nil && w != nil {
d.deliver(bg, w)
}
}()
}
// Run starts the delivery loop until ctx is cancelled.
func (d *Dispatcher) Run(ctx context.Context) {
ticker := time.NewTicker(10 * time.Second)
defer ticker.Stop()
for {
select {
case <-ctx.Done():
return
case <-ticker.C:
d.tick(ctx)
}
}
}
func (d *Dispatcher) tick(ctx context.Context) {
due, err := d.store.ClaimDueWebhooks(ctx, 20)
if err != nil {
log.Printf("webhook claim failed: %v", err)
return
}
for _, w := range due {
d.deliver(ctx, w)
}
}
func (d *Dispatcher) deliver(ctx context.Context, w *db.WebhookDelivery) {
req, err := http.NewRequestWithContext(ctx, http.MethodPost, w.URL, bytes.NewReader(w.Payload))
if err != nil {
_ = d.store.MarkWebhookFailed(ctx, w.ID, 0, err.Error(), backoff(w.Attempts))
return
}
req.Header.Set("Content-Type", "application/json")
req.Header.Set("X-FlatPay-Signature", w.Signature)
req.Header.Set("X-FlatPay-Event", "payment")
resp, err := d.http.Do(req)
if err != nil {
_ = d.store.MarkWebhookFailed(ctx, w.ID, 0, err.Error(), backoff(w.Attempts))
return
}
defer resp.Body.Close()
if resp.StatusCode >= 200 && resp.StatusCode < 300 {
_ = d.store.MarkWebhookDelivered(ctx, w.ID, resp.StatusCode)
return
}
_ = d.store.MarkWebhookFailed(ctx, w.ID, resp.StatusCode, "non-2xx response", backoff(w.Attempts))
}
// backoff: 30s, 1m, 2m, 4m, 8m, ... capped at 1h.
func backoff(attempts int) time.Duration {
d := 30 * time.Second
for i := 0; i < attempts; i++ {
d *= 2
if d >= time.Hour {
return time.Hour
}
}
return d
}
Reference in New Issue View Git Blame Copy Permalink