fix(woovi): Auto-register webhooks and validate by authorization header

- Create webhooks for all relevant Pix events on first transaction
- Store webhook IDs in Firestore to manage lifecycle
- Validate incoming webhooks by authorization header
- Map Woovi events to payment status (paid, voided, refunded)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: leomp12

packages/apps/woovi/src/woovi-create-transaction.ts

@@ -4,7 +4,8 @@ import type {
 } from '@cloudcommerce/types';
 import type { AxiosError } from 'axios';
 import { randomUUID } from 'node:crypto';
-import { logger } from '@cloudcommerce/firebase/lib/config';
+import { getFirestore } from 'firebase-admin/firestore';
+import config, { logger } from '@cloudcommerce/firebase/lib/config';
 import {
   fullName as getFullname,
   phone as getPhone,
@@ -31,6 +32,7 @@ export default async (modBody: AppModuleBody<'create_transaction'>) => {
       message: 'AppID não configurado (lojista deve configurar o aplicativo)',
     };
   }
+  const wooviKeyId = `${WOOVI_APP_ID}`.substring(0, 6) + `${WOOVI_APP_ID}`.slice(-3);
 
   const {
     order_id: orderId,
@@ -113,6 +115,62 @@ export default async (modBody: AppModuleBody<'create_transaction'>) => {
       };
     }
 
+    const {
+      storeId,
+      httpsFunctionOptions,
+    } = config.get();
+    const locationId = httpsFunctionOptions.region;
+    const appBaseUri = `https://${locationId}-${process.env.GCLOUD_PROJECT}.cloudfunctions.net`;
+    const webhookUrl = `${appBaseUri}/woovi-webhook`;
+    const docRef = getFirestore().doc('wooviSetup/webhook');
+    const docSnap = await docRef.get();
+    const webhookSetupData = docSnap.data();
+    if (webhookSetupData?.wooviKeyId !== wooviKeyId) {
+      const oldWebhookIds = webhookSetupData?.webhookIds as string[] | undefined;
+      if (oldWebhookIds?.length) {
+        await Promise.all(oldWebhookIds.map(async (id) => {
+          return wooviAxios.delete(`/webhook/${id}`).catch(logger.warn);
+        }));
+      }
+      const webhookEvents = [
+        'OPENPIX:CHARGE_CREATED',
+        'OPENPIX:CHARGE_COMPLETED',
+        'OPENPIX:CHARGE_COMPLETED_NOT_SAME_CUSTOMER_PAYER',
+        'PIX_AUTOMATIC_COBR_COMPLETED',
+        'OPENPIX:CHARGE_EXPIRED',
+        'OPENPIX:TRANSACTION_REFUND_RECEIVED',
+        'PIX_TRANSACTION_REFUND_SENT_CONFIRMED',
+      ];
+      const webhookIds: string[] = [];
+      try {
+        await Promise.all(webhookEvents.map(async (event) => {
+          const { data } = await wooviAxios.post('/webhook', {
+            webhook: {
+              name: `ecom.plus #${storeId} ${event.replace('OPENPIX:', '').replace('PIX_', '')}`,
+              event,
+              url: webhookUrl,
+              authorization: `${storeId}_${wooviKeyId}`,
+              isActive: true,
+            },
+          });
+          if (data.webhook?.id) {
+            webhookIds.push(data.webhook.id);
+          }
+        }));
+        await docRef.set({ wooviKeyId, webhookIds })
+          .catch(logger.warn);
+      } catch (_err) {
+        const err = _err as AxiosError;
+        logger.warn('Failed saving Woovi webhook', {
+          url: err.config?.url,
+          request: err.config?.data,
+          response: err.response?.data,
+          status: err.response?.status,
+        });
+        logger.error(err);
+      }
+    }
+
     return { transaction };
   } catch (_err) {
     const err = _err as AxiosError;

packages/apps/woovi/src/woovi-events.ts

@@ -3,9 +3,9 @@ import '@cloudcommerce/firebase/lib/init';
 import type { Orders } from '@cloudcommerce/types';
 import type { Request, Response } from 'firebase-functions/v1';
 import * as functions from 'firebase-functions/v1';
+import { getFirestore } from 'firebase-admin/firestore';
 import api from '@cloudcommerce/api';
 import config, { logger } from '@cloudcommerce/firebase/lib/config';
-import getAppData from '@cloudcommerce/firebase/lib/helpers/get-app-data';
 
 type PaymentEntry = Exclude<Orders['payments_history'], undefined>[0]
 
@@ -37,7 +37,7 @@ const listOrdersByTransaction = async (correlationID: string) => {
 const handleWebhook = async (req: Request, res: Response) => {
   const { body } = req;
   const event = body?.event as string | undefined;
-  const charge = body?.charge || body?.pix;
+  const charge = body?.charge || body?.pix?.charge;
   if (!event || !charge) {
     logger.warn('Woovi webhook missing event or charge', { body });
     return res.sendStatus(400);
@@ -48,30 +48,34 @@ const handleWebhook = async (req: Request, res: Response) => {
     return res.sendStatus(400);
   }
   logger.info(`> Woovi notification: ${event}`, { correlationID });
+  const status = parseWooviStatus(event);
+  if (!status) {
+    logger.info(`Ignoring Woovi event: ${event}`);
+    return res.sendStatus(204);
+  }
 
-  if (!process.env.WOOVI_APP_ID) {
-    const appData = await getAppData('woovi');
-    if (appData.woovi_app_id) {
-      process.env.WOOVI_APP_ID = appData.woovi_app_id;
-    }
+  const authorization = req.headers.authorization as string | undefined;
+  if (!authorization) {
+    logger.warn('Woovi webhook missing Authorization header');
+    return res.sendStatus(401);
   }
-  const { WOOVI_APP_ID } = process.env;
-  if (!WOOVI_APP_ID) {
-    logger.warn('Missing Woovi AppID');
+  const docRef = getFirestore().doc('wooviSetup/webhook');
+  const docSnap = await docRef.get();
+  const webhookSetupData = docSnap.data();
+  const { storeId } = config.get();
+  const expectedAuth = webhookSetupData?.wooviKeyId
+    ? `${storeId}_${webhookSetupData.wooviKeyId}`
+    : null;
+  if (!expectedAuth || authorization !== expectedAuth) {
+    logger.warn('Woovi webhook authorization mismatch', {
+      authorization,
+      expectedAuth,
+    });
     return res.sendStatus(403);
   }
 
   try {
-    const status = parseWooviStatus(event);
-    if (!status) {
-      logger.info(`Ignoring Woovi event: ${event}`);
-      return res.sendStatus(204);
-    }
-
-    let orders: Orders[] = [];
-    if (correlationID) {
-      orders = await listOrdersByTransaction(correlationID);
-    }
+    const orders = await listOrdersByTransaction(correlationID);
     if (!orders.length) {
       logger.warn('Order not found for Woovi charge', { correlationID });
       return res.sendStatus(404);