Initial commit: Port Nimara CRM (Layers 0-4)

Full CRM rebuild with Next.js 15, TypeScript, Tailwind, Drizzle ORM, PostgreSQL, Redis, BullMQ, MinIO, and Socket.io. Includes 461 source files covering clients, berths, interests/pipeline, documents/EOI, expenses/invoices, email, notifications, dashboard, admin, and client portal. CI/CD via Gitea Actions with Docker builds. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 11:52:51 +01:00
commit 67d7e6e3d5
572 changed files with 86496 additions and 0 deletions
--- a/src/lib/services/webhooks.service.ts
+++ b/src/lib/services/webhooks.service.ts
@@ -0,0 +1,331 @@
+import { randomBytes } from 'node:crypto';
+import { and, desc, eq, count } from 'drizzle-orm';
+
+import { db } from '@/lib/db';
+import { webhooks, webhookDeliveries } from '@/lib/db/schema/system';
+import { createAuditLog } from '@/lib/audit';
+import { encrypt, decrypt } from '@/lib/utils/encryption';
+import { NotFoundError } from '@/lib/errors';
+import { getQueue } from '@/lib/queue';
+import type {
+  CreateWebhookInput,
+  UpdateWebhookInput,
+  ListDeliveriesInput,
+} from '@/lib/validators/webhooks';
+import type { WebhookEvent } from '@/lib/services/webhook-event-map';
+
+// ─── Types ────────────────────────────────────────────────────────────────────
+
+interface AuditMeta {
+  userId: string;
+  portId: string;
+  ipAddress: string;
+  userAgent: string;
+}
+
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+
+/** Generates a 32-byte hex secret for signing webhook payloads. */
+function generateSecret(): string {
+  return randomBytes(32).toString('hex');
+}
+
+/**
+ * Returns a masked representation of the plaintext secret.
+ * Shows the first 5 and last 3 characters: `wh_ab...xyz`
+ */
+function maskSecret(plaintext: string): string {
+  if (plaintext.length < 10) return '***';
+  return `${plaintext.slice(0, 5)}...${plaintext.slice(-3)}`;
+}
+
+// ─── Create ───────────────────────────────────────────────────────────────────
+
+export async function createWebhook(
+  portId: string,
+  userId: string,
+  data: CreateWebhookInput,
+  meta: AuditMeta,
+) {
+  const plaintextSecret = generateSecret();
+  const encryptedSecret = encrypt(plaintextSecret);
+
+  const [webhook] = await db
+    .insert(webhooks)
+    .values({
+      portId,
+      name: data.name,
+      url: data.url,
+      secret: encryptedSecret,
+      events: data.events,
+      isActive: data.isActive,
+      createdBy: userId,
+    })
+    .returning();
+
+  void createAuditLog({
+    userId: meta.userId,
+    portId,
+    action: 'create',
+    entityType: 'webhook',
+    entityId: webhook!.id,
+    newValue: { name: data.name, url: data.url, events: data.events },
+    ipAddress: meta.ipAddress,
+    userAgent: meta.userAgent,
+  });
+
+  // Return with plaintext secret — shown ONCE only on creation
+  return {
+    ...webhook!,
+    secret: plaintextSecret,
+    secretMasked: maskSecret(plaintextSecret),
+  };
+}
+
+// ─── List ─────────────────────────────────────────────────────────────────────
+
+export async function listWebhooks(portId: string) {
+  const rows = await db
+    .select()
+    .from(webhooks)
+    .where(eq(webhooks.portId, portId))
+    .orderBy(desc(webhooks.createdAt));
+
+  return rows.map((w) => {
+    let secretMasked = '***';
+    if (w.secret) {
+      try {
+        const plaintext = decrypt(w.secret);
+        secretMasked = maskSecret(plaintext);
+      } catch {
+        secretMasked = '***';
+      }
+    }
+    return { ...w, secret: undefined, secretMasked };
+  });
+}
+
+// ─── Get Single ───────────────────────────────────────────────────────────────
+
+export async function getWebhook(portId: string, webhookId: string) {
+  const webhook = await db.query.webhooks.findFirst({
+    where: eq(webhooks.id, webhookId),
+  });
+
+  if (!webhook || webhook.portId !== portId) {
+    throw new NotFoundError('Webhook');
+  }
+
+  let secretMasked = '***';
+  if (webhook.secret) {
+    try {
+      const plaintext = decrypt(webhook.secret);
+      secretMasked = maskSecret(plaintext);
+    } catch {
+      secretMasked = '***';
+    }
+  }
+
+  return { ...webhook, secret: undefined, secretMasked };
+}
+
+// ─── Update ───────────────────────────────────────────────────────────────────
+
+export async function updateWebhook(
+  portId: string,
+  webhookId: string,
+  data: UpdateWebhookInput,
+  meta: AuditMeta,
+) {
+  const existing = await db.query.webhooks.findFirst({
+    where: eq(webhooks.id, webhookId),
+  });
+
+  if (!existing || existing.portId !== portId) {
+    throw new NotFoundError('Webhook');
+  }
+
+  const [updated] = await db
+    .update(webhooks)
+    .set({ ...data, updatedAt: new Date() })
+    .where(and(eq(webhooks.id, webhookId), eq(webhooks.portId, portId)))
+    .returning();
+
+  void createAuditLog({
+    userId: meta.userId,
+    portId,
+    action: 'update',
+    entityType: 'webhook',
+    entityId: webhookId,
+    oldValue: {
+      name: existing.name,
+      url: existing.url,
+      events: existing.events,
+      isActive: existing.isActive,
+    },
+    newValue: data as Record<string, unknown>,
+    ipAddress: meta.ipAddress,
+    userAgent: meta.userAgent,
+  });
+
+  return { ...updated!, secret: undefined };
+}
+
+// ─── Delete ───────────────────────────────────────────────────────────────────
+
+export async function deleteWebhook(
+  portId: string,
+  webhookId: string,
+  meta: AuditMeta,
+) {
+  const existing = await db.query.webhooks.findFirst({
+    where: eq(webhooks.id, webhookId),
+  });
+
+  if (!existing || existing.portId !== portId) {
+    throw new NotFoundError('Webhook');
+  }
+
+  // CASCADE deletes webhook_deliveries
+  await db
+    .delete(webhooks)
+    .where(and(eq(webhooks.id, webhookId), eq(webhooks.portId, portId)));
+
+  void createAuditLog({
+    userId: meta.userId,
+    portId,
+    action: 'delete',
+    entityType: 'webhook',
+    entityId: webhookId,
+    oldValue: { name: existing.name, url: existing.url },
+    ipAddress: meta.ipAddress,
+    userAgent: meta.userAgent,
+  });
+}
+
+// ─── Regenerate Secret ────────────────────────────────────────────────────────
+
+export async function regenerateSecret(
+  portId: string,
+  webhookId: string,
+  meta: AuditMeta,
+) {
+  const existing = await db.query.webhooks.findFirst({
+    where: eq(webhooks.id, webhookId),
+  });
+
+  if (!existing || existing.portId !== portId) {
+    throw new NotFoundError('Webhook');
+  }
+
+  const plaintextSecret = generateSecret();
+  const encryptedSecret = encrypt(plaintextSecret);
+
+  await db
+    .update(webhooks)
+    .set({ secret: encryptedSecret, updatedAt: new Date() })
+    .where(and(eq(webhooks.id, webhookId), eq(webhooks.portId, portId)));
+
+  void createAuditLog({
+    userId: meta.userId,
+    portId,
+    action: 'update',
+    entityType: 'webhook',
+    entityId: webhookId,
+    metadata: { type: 'secret_regenerated' },
+    ipAddress: meta.ipAddress,
+    userAgent: meta.userAgent,
+  });
+
+  // Return new plaintext secret — shown ONCE
+  return {
+    webhookId,
+    secret: plaintextSecret,
+    secretMasked: maskSecret(plaintextSecret),
+  };
+}
+
+// ─── List Deliveries ─────────────────────────────────────────────────────────
+
+export async function listDeliveries(
+  portId: string,
+  webhookId: string,
+  query: ListDeliveriesInput,
+) {
+  // Verify webhook belongs to port
+  const webhook = await db.query.webhooks.findFirst({
+    where: eq(webhooks.id, webhookId),
+  });
+
+  if (!webhook || webhook.portId !== portId) {
+    throw new NotFoundError('Webhook');
+  }
+
+  const { page, limit, status } = query;
+  const offset = (page - 1) * limit;
+
+  const filters = [eq(webhookDeliveries.webhookId, webhookId)];
+  if (status) {
+    filters.push(eq(webhookDeliveries.status, status));
+  }
+
+  const [countRow] = await db
+    .select({ total: count() })
+    .from(webhookDeliveries)
+    .where(and(...filters));
+  const total = countRow?.total ?? 0;
+
+  const data = await db
+    .select()
+    .from(webhookDeliveries)
+    .where(and(...filters))
+    .orderBy(desc(webhookDeliveries.createdAt))
+    .limit(limit)
+    .offset(offset);
+
+  return { data, total };
+}
+
+// ─── Send Test Webhook ────────────────────────────────────────────────────────
+
+export async function sendTestWebhook(
+  portId: string,
+  webhookId: string,
+  eventType: WebhookEvent,
+) {
+  const webhook = await db.query.webhooks.findFirst({
+    where: eq(webhooks.id, webhookId),
+  });
+
+  if (!webhook || webhook.portId !== portId) {
+    throw new NotFoundError('Webhook');
+  }
+
+  // Create a pending delivery record
+  const [delivery] = await db
+    .insert(webhookDeliveries)
+    .values({
+      webhookId,
+      eventType,
+      payload: {
+        test: true,
+        event: eventType,
+        port_id: portId,
+        data: { message: 'This is a test webhook delivery' },
+      },
+      status: 'pending',
+    })
+    .returning();
+
+  // Enqueue the job
+  const queue = getQueue('webhooks');
+  await queue.add('deliver', {
+    webhookId,
+    portId,
+    event: eventType,
+    deliveryId: delivery!.id,
+    payload: delivery!.payload,
+  });
+
+  return { deliveryId: delivery!.id, status: 'queued' };
+}