Webhooks handling (#42)

danilopolani · web-flow · commit 4301825b7683 · 2025-05-27T18:50:46.000+02:00
diff --git a/README.md b/README.md
@@ -18,7 +18,8 @@ Design global layouts, compose your template, preview your emails and send them
 - 🔐 **Secure by default**: Both authentication and API endpoint are always secure: use one of the pre-built auth system or bring your own.
 - 📎  **Attachments**: Upload or retrieve attachments from a remote source such *S3*, *Spaces* etc.
 - 🪄 **Hackable**: MailCarrier relies on [Laravel](https://laravel.com/) and [Filament](https://filamentphp.com/), that means that over 30K packages are available to customise your MailCarrier instance.
-- ⏳ **Queues**: You can choose whether or not to send emails in a enqueued, background jobs, to not block the user experience.  
+- ⏳ **Queues**: You can choose whether or not to send emails in a enqueued, background jobs, to not block the user experience.
+- 🪝 **Webhooks**: Track and receive events from your provider directly in MailCarrier.  
 
 ## Quick start
 
diff --git a/config/mailcarrier.php b/config/mailcarrier.php
@@ -196,4 +196,18 @@
         */
         'connection' => null,
     ],
+
+    'webhooks' => [
+        'strategies' => [
+            // \MailCarrier\Webhooks\Strategies\MailgunStrategy::class,
+        ],
+
+        'providers' => [
+            'mailgun' => [
+                'secret' => env('MAILGUN_WEBHOOK_SECRET'),
+                'verbose' => env('MAILGUN_WEBHOOK_VERBOSE', false),
+                'fatal' => env('MAILGUN_WEBHOOK_FATAL', false),
+            ],
+        ],
+    ],
 ];
diff --git a/routes/web.php b/routes/web.php
@@ -5,6 +5,7 @@
 use MailCarrier\Http\Controllers\LogController;
 use MailCarrier\Http\Controllers\MailCarrierController;
 use MailCarrier\Http\Controllers\SocialAuthController;
+use MailCarrier\Http\Controllers\WebhookController;
 use MailCarrier\Livewire\PreviewTemplate;
 
 Route::middleware(['web', 'auth:' . Config::get('filament.auth.guard')])->group(function () {
@@ -22,3 +23,5 @@
 Route::middleware('web')->group(function () {
     Route::get('templates/preview', PreviewTemplate::class)->name('templates.preview');
 });
+
+Route::post('webhook', WebhookController::class)->name('webhook.process');
diff --git a/src/Http/Controllers/WebhookController.php b/src/Http/Controllers/WebhookController.php
@@ -0,0 +1,28 @@
+<?php
+
+namespace MailCarrier\Http\Controllers;
+
+use Illuminate\Http\Request;
+use Illuminate\Http\Response;
+use Illuminate\Support\Collection;
+use MailCarrier\Webhooks\Actions\ProcessWebhook;
+use MailCarrier\Webhooks\Dto\IncomingWebhook;
+
+class WebhookController extends Controller
+{
+    /**
+     * Handle incoming webhooks from email providers.
+     */
+    public function __invoke(Request $request, ProcessWebhook $processWebhook): Response
+    {
+        $webhook = new IncomingWebhook(
+            headers: (new Collection($request->headers->all()))
+                ->map(fn (array $values) => $values[0]),
+            body: $request->all(),
+        );
+
+        $processWebhook->run($webhook);
+
+        return new Response;
+    }
+}
diff --git a/src/Webhooks/Actions/ProcessWebhook.php b/src/Webhooks/Actions/ProcessWebhook.php
@@ -0,0 +1,70 @@
+<?php
+
+namespace MailCarrier\Webhooks\Actions;
+
+use Illuminate\Support\Facades\App;
+use Illuminate\Support\Facades\Config;
+use Illuminate\Support\Facades\Log;
+use Illuminate\Support\Str;
+use MailCarrier\Actions\Action;
+use MailCarrier\Models\Log as LogModel;
+use MailCarrier\Webhooks\Dto\IncomingWebhook;
+use MailCarrier\Webhooks\Dto\WebhookData;
+use MailCarrier\Webhooks\Exceptions\WebhookValidationException;
+
+class ProcessWebhook extends Action
+{
+    /**
+     * Process the incoming webhook using all configured strategies.
+     *
+     * @throws \MailCarrier\Webhooks\Exceptions\WebhookValidationException
+     */
+    public function run(IncomingWebhook $webhook): void
+    {
+        /** @var array<class-string<\MailCarrier\Webhooks\Strategies\Contracts\Strategy>> $strategies */
+        $strategies = Config::get('mailcarrier.webhooks.strategies', []);
+
+        foreach ($strategies as $strategyClass) {
+            /** @var \MailCarrier\Webhooks\Strategies\Contracts\Strategy $strategy */
+            $strategy = App::make($strategyClass);
+
+            if (!$strategy->validate($webhook)) {
+                if ($strategy->isVerbose()) {
+                    Log::warning('Webhook validation failed', [
+                        'strategy' => Str::of($strategyClass)
+                            ->afterLast('\\')
+                            ->remove('::class')
+                            ->toString(),
+                    ]);
+                }
+
+                if ($strategy->isFatal()) {
+                    throw new WebhookValidationException;
+                }
+
+                continue;
+            }
+
+            $data = $strategy->extract($webhook->body);
+
+            $this->updateLog($data);
+
+            // If we found a valid strategy and updated the log, we can stop
+            break;
+        }
+    }
+
+    /**
+     * Create a new log event with webhook data.
+     */
+    private function updateLog(WebhookData $data): void
+    {
+        LogModel::query()
+            ->firstWhere('message_id', $data->messageId)
+            ?->events()
+            ?->create([
+                'name' => $data->eventName,
+                'createdAt' => $data->date,
+            ]);
+    }
+}
diff --git a/src/Webhooks/Dto/IncomingWebhook.php b/src/Webhooks/Dto/IncomingWebhook.php
@@ -0,0 +1,34 @@
+<?php
+
+namespace MailCarrier\Webhooks\Dto;
+
+use Illuminate\Support\Arr;
+use Illuminate\Support\Collection;
+
+class IncomingWebhook
+{
+    /**
+     * @param  Collection<string, string|null>  $headers
+     * @param  array<string, mixed>  $body
+     */
+    public function __construct(
+        public readonly Collection $headers,
+        public readonly array $body,
+    ) {}
+
+    /**
+     * Get a header value by name.
+     */
+    public function getHeader(string $name, ?string $default = null): ?string
+    {
+        return $this->headers->get($name, $default);
+    }
+
+    /**
+     * Get a body value by key using dot notation.
+     */
+    public function getBodyValue(string $key, mixed $default = null): mixed
+    {
+        return Arr::get($this->body, $key, $default);
+    }
+}
diff --git a/src/Webhooks/Dto/WebhookData.php b/src/Webhooks/Dto/WebhookData.php
@@ -0,0 +1,14 @@
+<?php
+
+namespace MailCarrier\Webhooks\Dto;
+
+use Carbon\CarbonImmutable;
+
+class WebhookData
+{
+    public function __construct(
+        public readonly string $messageId,
+        public readonly string $eventName,
+        public readonly CarbonImmutable $date,
+    ) {}
+}
diff --git a/src/Webhooks/Exceptions/WebhookValidationException.php b/src/Webhooks/Exceptions/WebhookValidationException.php
@@ -0,0 +1,13 @@
+<?php
+
+namespace MailCarrier\Webhooks\Exceptions;
+
+use Symfony\Component\HttpKernel\Exception\UnprocessableEntityHttpException;
+
+class WebhookValidationException extends UnprocessableEntityHttpException
+{
+    public function __construct()
+    {
+        parent::__construct('Webhook validation failed.');
+    }
+}
diff --git a/src/Webhooks/Strategies/Contracts/Strategy.php b/src/Webhooks/Strategies/Contracts/Strategy.php
@@ -0,0 +1,29 @@
+<?php
+
+namespace MailCarrier\Webhooks\Strategies\Contracts;
+
+use MailCarrier\Webhooks\Dto\IncomingWebhook;
+use MailCarrier\Webhooks\Dto\WebhookData;
+
+interface Strategy
+{
+    /**
+     * Whether to log validation failures.
+     */
+    public function isVerbose(): bool;
+
+    /**
+     * Whether to throw an exception on validation failure instead of continuing.
+     */
+    public function isFatal(): bool;
+
+    /**
+     * Validate the incoming webhook.
+     */
+    public function validate(IncomingWebhook $webhook): bool;
+
+    /**
+     * Extract structured data from the webhook payload.
+     */
+    public function extract(array $payload): WebhookData;
+}
diff --git a/src/Webhooks/Strategies/MailgunStrategy.php b/src/Webhooks/Strategies/MailgunStrategy.php
@@ -0,0 +1,89 @@
+<?php
+
+namespace MailCarrier\Webhooks\Strategies;
+
+use Carbon\CarbonImmutable;
+use Illuminate\Support\Facades\Config;
+use MailCarrier\Webhooks\Dto\IncomingWebhook;
+use MailCarrier\Webhooks\Dto\WebhookData;
+use MailCarrier\Webhooks\Strategies\Contracts\Strategy;
+
+class MailgunStrategy implements Strategy
+{
+    /**
+     * Whether to log validation failures.
+     */
+    public function isVerbose(): bool
+    {
+        return Config::get('mailcarrier.webhooks.providers.mailgun.verbose', false);
+    }
+
+    /**
+     * Whether to throw an exception on validation failure instead of continuing.
+     */
+    public function isFatal(): bool
+    {
+        return Config::get('mailcarrier.webhooks.providers.mailgun.fatal', false);
+    }
+
+    /**
+     * Get the Mailgun webhook secret from config.
+     */
+    private function getSecret(): string
+    {
+        $secret = Config::get('mailcarrier.webhooks.providers.mailgun.secret');
+
+        if (empty($secret)) {
+            throw new \RuntimeException('Mailgun webhook secret is not configured. Please set MAILGUN_WEBHOOK_SECRET in your .env file.');
+        }
+
+        return $secret;
+    }
+
+    /**
+     * Validate the webhook signature using Mailgun's algorithm.
+     *
+     * @see https://documentation.mailgun.com/docs/mailgun/user-manual/tracking-messages/#securing-webhooks
+     */
+    public function validate(IncomingWebhook $webhook): bool
+    {
+        $signature = $webhook->getBodyValue('signature');
+
+        if (!isset($signature['timestamp'], $signature['token'], $signature['signature'])) {
+            return false;
+        }
+
+        // Concatenate timestamp and token
+        $data = $signature['timestamp'] . $signature['token'];
+
+        // Calculate HMAC using SHA256 with secret from config
+        $calculatedSignature = hash_hmac('sha256', $data, $this->getSecret());
+
+        // Compare signatures
+        return hash_equals($calculatedSignature, $signature['signature']);
+    }
+
+    /**
+     * Extract structured data from Mailgun's webhook payload.
+     *
+     * @param  array  $payload  The raw webhook payload from Mailgun
+     */
+    public function extract(array $payload): WebhookData
+    {
+        if (!isset($payload['event-data'])) {
+            throw new \InvalidArgumentException('Invalid Mailgun webhook payload: missing event-data');
+        }
+
+        $eventData = $payload['event-data'];
+
+        if (!isset($eventData['id'], $eventData['event'], $eventData['timestamp'])) {
+            throw new \InvalidArgumentException('Invalid Mailgun webhook payload: missing required fields');
+        }
+
+        return new WebhookData(
+            messageId: $eventData['id'],
+            eventName: $eventData['event'],
+            date: CarbonImmutable::createFromTimestamp($eventData['timestamp'])
+        );
+    }
+}
diff --git a/tests/Feature/Webhooks/ProcessTest.php b/tests/Feature/Webhooks/ProcessTest.php
diff --git a/tests/Feature/Webhooks/Strategies/FailingStrategy.php b/tests/Feature/Webhooks/Strategies/FailingStrategy.php
diff --git a/tests/Feature/Webhooks/Strategies/FatalFailingStrategy.php b/tests/Feature/Webhooks/Strategies/FatalFailingStrategy.php
diff --git a/tests/Feature/Webhooks/Strategies/TestStrategy.php b/tests/Feature/Webhooks/Strategies/TestStrategy.php
diff --git a/tests/Feature/Webhooks/Strategies/VerboseFailingStrategy.php b/tests/Feature/Webhooks/Strategies/VerboseFailingStrategy.php
