feat(phase-37): webhook management REST API with delivery log and HMAC

claude · claude · commit 90e4bf1df69e · 2026-06-19T13:47:29.000Z
- WebhookApiController: CRUD, deliveries, ping test, secret rotation - Auto-generates HMAC secret (sha256) on webhook creation - Supports 10 ERP event types: invoice, payment, contact, product, HR - Routes: /webhooks CRUD + /deliveries, /ping, /rotate-secret, /events - 10 feature tests covering validation, delivery log, secret rotation Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01RdUGwo74JXChRCF88Yu27d
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -168,6 +168,7 @@ beforeEach(function () {
 | 34    | Budget Management REST API — CRUD + activate + variance       | ✅     |
 | 35    | Customer Credit Limits — per-contact limits, hold, check API  | ✅     |
 | 36    | Product Variants REST API — attributes, variants, matrix view | ✅     |
+| 37    | Webhook Management REST API — CRUD, delivery log, ping, HMAC  | ✅     |
 
 ## File Locations Reference
 
diff --git a/erp/app/Http/Controllers/Api/V1/WebhookApiController.php b/erp/app/Http/Controllers/Api/V1/WebhookApiController.php
@@ -0,0 +1,121 @@
+<?php
+
+namespace App\Http\Controllers\Api\V1;
+
+use App\Models\Webhook;
+use App\Models\WebhookDelivery;
+use App\Services\WebhookService;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Str;
+
+class WebhookApiController extends ApiController
+{
+    public static array $supportedEvents = [
+        'invoice.created', 'invoice.paid', 'invoice.cancelled',
+        'contact.created', 'contact.updated',
+        'product.low_stock',
+        'payment.received',
+        'purchase_order.approved',
+        'employee.hired', 'leave.approved',
+    ];
+
+    public function index(Request $request): JsonResponse
+    {
+        $tenantId = $this->tenantId($request);
+        $webhooks = Webhook::withoutGlobalScopes()
+            ->where('tenant_id', $tenantId)
+            ->withCount('deliveries')
+            ->latest()
+            ->get();
+
+        return $this->success($webhooks);
+    }
+
+    public function store(Request $request): JsonResponse
+    {
+        $tenantId = $this->tenantId($request);
+
+        $data = $request->validate([
+            'name'      => ['required', 'string', 'max:255'],
+            'url'       => ['required', 'url'],
+            'events'    => ['required', 'array', 'min:1'],
+            'events.*'  => ['string', 'in:' . implode(',', self::$supportedEvents)],
+            'is_active' => ['sometimes', 'boolean'],
+        ]);
+
+        $webhook = Webhook::create([
+            ...$data,
+            'tenant_id' => $tenantId,
+            'secret'    => Str::random(32),
+        ]);
+
+        return $this->success($webhook, 201);
+    }
+
+    public function show(Webhook $webhook): JsonResponse
+    {
+        return $this->success($webhook->load('deliveries'));
+    }
+
+    public function update(Request $request, Webhook $webhook): JsonResponse
+    {
+        $data = $request->validate([
+            'name'      => ['sometimes', 'string', 'max:255'],
+            'url'       => ['sometimes', 'url'],
+            'events'    => ['sometimes', 'array', 'min:1'],
+            'events.*'  => ['string', 'in:' . implode(',', self::$supportedEvents)],
+            'is_active' => ['sometimes', 'boolean'],
+        ]);
+
+        $webhook->update($data);
+        return $this->success($webhook->fresh());
+    }
+
+    public function destroy(Webhook $webhook): JsonResponse
+    {
+        $webhook->delete();
+        return $this->success(['message' => 'Webhook deleted.']);
+    }
+
+    public function deliveries(Webhook $webhook): JsonResponse
+    {
+        $deliveries = $webhook->deliveries()
+            ->latest()
+            ->paginate(20);
+
+        return $this->paginated($deliveries);
+    }
+
+    public function ping(Request $request, Webhook $webhook): JsonResponse
+    {
+        $tenantId = $this->tenantId($request);
+        $delivery = WebhookService::send($webhook, 'ping', [
+            'tenant_id' => $tenantId,
+            'message'   => 'Webhook test ping from ERP',
+            'timestamp' => now()->toIso8601String(),
+        ]);
+
+        return $this->success([
+            'delivery_id'     => $delivery->id,
+            'success'         => $delivery->delivered_at !== null,
+            'response_status' => $delivery->response_status,
+        ]);
+    }
+
+    public function rotateSecret(Webhook $webhook): JsonResponse
+    {
+        $webhook->update(['secret' => Str::random(32)]);
+        return $this->success(['secret' => $webhook->fresh()->secret]);
+    }
+
+    public function events(): JsonResponse
+    {
+        return $this->success(self::$supportedEvents);
+    }
+
+    private function tenantId(Request $request): int
+    {
+        return app()->has('tenant') ? app('tenant')->id : $request->user()->tenant_id;
+    }
+}
diff --git a/erp/routes/api.php b/erp/routes/api.php
@@ -447,5 +447,18 @@
             Route::delete('/{variant}',[\App\Http\Controllers\Api\V1\ProductVariantController::class, 'destroy']);
         });
         Route::get('products/{product}/matrix', [\App\Http\Controllers\Api\V1\ProductVariantController::class, 'matrix']);
+
+        // Webhook Management
+        Route::get('/webhooks/events', [\App\Http\Controllers\Api\V1\WebhookApiController::class, 'events']);
+        Route::prefix('webhooks')->group(function () {
+            Route::get('/',                         [\App\Http\Controllers\Api\V1\WebhookApiController::class, 'index']);
+            Route::post('/',                        [\App\Http\Controllers\Api\V1\WebhookApiController::class, 'store']);
+            Route::get('/{webhook}',                [\App\Http\Controllers\Api\V1\WebhookApiController::class, 'show']);
+            Route::put('/{webhook}',                [\App\Http\Controllers\Api\V1\WebhookApiController::class, 'update']);
+            Route::delete('/{webhook}',             [\App\Http\Controllers\Api\V1\WebhookApiController::class, 'destroy']);
+            Route::get('/{webhook}/deliveries',     [\App\Http\Controllers\Api\V1\WebhookApiController::class, 'deliveries']);
+            Route::post('/{webhook}/ping',          [\App\Http\Controllers\Api\V1\WebhookApiController::class, 'ping']);
+            Route::post('/{webhook}/rotate-secret', [\App\Http\Controllers\Api\V1\WebhookApiController::class, 'rotateSecret']);
+        });
     });
 });
diff --git a/erp/tests/Feature/System/WebhookApiTest.php b/erp/tests/Feature/System/WebhookApiTest.php
@@ -0,0 +1,155 @@
+<?php
+
+use App\Models\User;
+use App\Models\Webhook;
+use App\Models\WebhookDelivery;
+use App\Modules\Core\Models\Tenant;
+use Database\Seeders\RolePermissionSeeder;
+
+beforeEach(function () {
+    $this->seed(RolePermissionSeeder::class);
+    $this->tenant = Tenant::create(['name' => 'Webhook API Co', 'slug' => 'webhook-api-' . uniqid()]);
+    $this->user   = User::factory()->create(['tenant_id' => $this->tenant->id]);
+    $this->user->assignRole('super-admin');
+    $this->token  = $this->user->createToken('test')->plainTextToken;
+    app()->instance('tenant', $this->tenant);
+});
+
+test('can list webhooks via api', function () {
+    Webhook::create([
+        'tenant_id' => $this->tenant->id,
+        'name'      => 'Invoice Hook',
+        'url'       => 'https://example.com/hook',
+        'events'    => ['invoice.created'],
+        'secret'    => 'secret123',
+    ]);
+
+    $this->withToken($this->token)
+        ->getJson('/api/v1/webhooks')
+        ->assertStatus(200)
+        ->assertJsonPath('data.0.name', 'Invoice Hook');
+});
+
+test('can create a webhook', function () {
+    $response = $this->withToken($this->token)
+        ->postJson('/api/v1/webhooks', [
+            'name'   => 'Payment Hook',
+            'url'    => 'https://example.com/payment',
+            'events' => ['payment.received', 'invoice.paid'],
+        ]);
+
+    $response->assertStatus(201);
+    expect(Webhook::where('name', 'Payment Hook')->exists())->toBeTrue();
+
+    $hook = Webhook::where('name', 'Payment Hook')->first();
+    expect($hook->secret)->not->toBeNull();
+});
+
+test('store validates url format', function () {
+    $this->withToken($this->token)
+        ->postJson('/api/v1/webhooks', [
+            'name'   => 'Bad URL',
+            'url'    => 'not-a-url',
+            'events' => ['invoice.created'],
+        ])
+        ->assertStatus(422)
+        ->assertJsonValidationErrors(['url']);
+});
+
+test('store validates known events', function () {
+    $this->withToken($this->token)
+        ->postJson('/api/v1/webhooks', [
+            'name'   => 'Unknown Event',
+            'url'    => 'https://example.com/hook',
+            'events' => ['unknown.event'],
+        ])
+        ->assertStatus(422)
+        ->assertJsonValidationErrors(['events.0']);
+});
+
+test('can update a webhook', function () {
+    $hook = Webhook::create([
+        'tenant_id' => $this->tenant->id,
+        'name'      => 'Original',
+        'url'       => 'https://example.com/orig',
+        'events'    => ['invoice.created'],
+        'secret'    => 'abc',
+    ]);
+
+    $this->withToken($this->token)
+        ->putJson("/api/v1/webhooks/{$hook->id}", ['is_active' => false])
+        ->assertStatus(200)
+        ->assertJsonPath('data.is_active', false);
+});
+
+test('can delete a webhook', function () {
+    $hook = Webhook::create([
+        'tenant_id' => $this->tenant->id,
+        'name'      => 'Delete Me',
+        'url'       => 'https://example.com/del',
+        'events'    => ['invoice.created'],
+        'secret'    => 'abc',
+    ]);
+
+    $this->withToken($this->token)
+        ->deleteJson("/api/v1/webhooks/{$hook->id}")
+        ->assertStatus(200);
+
+    expect(Webhook::find($hook->id))->toBeNull();
+});
+
+test('deliveries endpoint returns delivery log', function () {
+    $hook = Webhook::create([
+        'tenant_id' => $this->tenant->id,
+        'name'      => 'Hook With Deliveries',
+        'url'       => 'https://example.com/del',
+        'events'    => ['invoice.created'],
+        'secret'    => 'abc',
+    ]);
+
+    WebhookDelivery::create([
+        'webhook_id'      => $hook->id,
+        'event'           => 'invoice.created',
+        'payload'         => ['id' => 1],
+        'response_status' => 200,
+        'delivered_at'    => now(),
+        'attempts'        => 1,
+    ]);
+
+    $this->withToken($this->token)
+        ->getJson("/api/v1/webhooks/{$hook->id}/deliveries")
+        ->assertStatus(200)
+        ->assertJsonPath('data.0.event', 'invoice.created');
+});
+
+test('rotate secret generates new secret', function () {
+    $hook = Webhook::create([
+        'tenant_id' => $this->tenant->id,
+        'name'      => 'Secret Hook',
+        'url'       => 'https://example.com/secret',
+        'events'    => ['invoice.created'],
+        'secret'    => 'original-secret',
+    ]);
+
+    $response = $this->withToken($this->token)
+        ->postJson("/api/v1/webhooks/{$hook->id}/rotate-secret")
+        ->assertStatus(200);
+
+    $newSecret = $response->json('data.secret');
+    expect($newSecret)->not->toBe('original-secret');
+    expect(strlen($newSecret))->toBeGreaterThanOrEqual(32);
+});
+
+test('events endpoint lists supported events', function () {
+    $this->withToken($this->token)
+        ->getJson('/api/v1/webhooks/events')
+        ->assertStatus(200);
+
+    $events = $this->withToken($this->token)->getJson('/api/v1/webhooks/events')->json('data');
+    expect($events)->toContain('invoice.created');
+    expect($events)->toContain('payment.received');
+});
+
+test('requires authentication', function () {
+    $this->getJson('/api/v1/webhooks')->assertStatus(401);
+});
