Auth tweaks, Audit implementation, Webhooks

This commit is contained in:
2026-04-13 14:17:45 -07:00
parent b9a04df861
commit 334b6cf3e1
46 changed files with 4654 additions and 61 deletions

View File

@@ -0,0 +1,227 @@
using System.Net;
using System.Security.Cryptography;
using System.Text;
using MicCheck.Api.Data;
using MicCheck.Api.Webhooks;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Logging.Abstractions;
using Moq;
using Moq.Protected;
using NUnit.Framework;
namespace MicCheck.Api.Tests.Unit.Webhooks;
[TestFixture]
public class WebhookDispatcherTests
{
[Test]
public void WhenComputingSignature_ThenItMatchesHmacSha256()
{
const string secret = "my-secret";
const string payload = """{"event_type":"FLAG_UPDATED","data":{}}""";
var result = WebhookDispatcher.ComputeSignature(secret, payload);
var keyBytes = Encoding.UTF8.GetBytes(secret);
var payloadBytes = Encoding.UTF8.GetBytes(payload);
var expected = "sha256=" + Convert.ToHexString(HMACSHA256.HashData(keyBytes, payloadBytes)).ToLowerInvariant();
Assert.That(result, Is.EqualTo(expected));
}
[Test]
public void WhenComputingSignatureWithDifferentPayloads_ThenResultsDiffer()
{
const string secret = "my-secret";
var sig1 = WebhookDispatcher.ComputeSignature(secret, "payload-one");
var sig2 = WebhookDispatcher.ComputeSignature(secret, "payload-two");
Assert.That(sig1, Is.Not.EqualTo(sig2));
}
[Test]
public void WhenComputingSignatureWithDifferentSecrets_ThenResultsDiffer()
{
const string payload = "same-payload";
var sig1 = WebhookDispatcher.ComputeSignature("secret-a", payload);
var sig2 = WebhookDispatcher.ComputeSignature("secret-b", payload);
Assert.That(sig1, Is.Not.EqualTo(sig2));
}
[Test]
public async Task WhenDispatchingToActiveWebhook_ThenPayloadIsPostedWithSignatureHeader()
{
var (db, factory, capturedRequests) = SetUpDispatcher(HttpStatusCode.OK);
var org = new MicCheck.Api.Organizations.Organization { Name = "Org", CreatedAt = DateTimeOffset.UtcNow };
db.Organizations.Add(org);
db.SaveChanges();
db.Webhooks.Add(new Webhook
{
Url = "https://example.com/hook",
Secret = "test-secret",
Scope = WebhookScope.Organization,
OrganizationId = org.Id,
Enabled = true,
CreatedAt = DateTimeOffset.UtcNow
});
db.SaveChanges();
var dispatcher = new WebhookDispatcher(db, factory, NullLogger<WebhookDispatcher>.Instance);
var webhookEvent = new WebhookEvent
{
EventType = WebhookEventTypes.FlagUpdated,
OrganizationId = org.Id,
Data = new { test = true }
};
await dispatcher.DispatchAsync(webhookEvent);
Assert.That(capturedRequests, Has.Count.EqualTo(1));
Assert.That(capturedRequests[0].Headers.Contains("X-Flagsmith-Signature"), Is.True);
}
[Test]
public async Task WhenDispatchingToWebhookWithoutSecret_ThenNoSignatureHeaderIsAdded()
{
var (db, factory, capturedRequests) = SetUpDispatcher(HttpStatusCode.OK);
var org = new MicCheck.Api.Organizations.Organization { Name = "Org", CreatedAt = DateTimeOffset.UtcNow };
db.Organizations.Add(org);
db.SaveChanges();
db.Webhooks.Add(new Webhook
{
Url = "https://example.com/hook",
Secret = null,
Scope = WebhookScope.Organization,
OrganizationId = org.Id,
Enabled = true,
CreatedAt = DateTimeOffset.UtcNow
});
db.SaveChanges();
var dispatcher = new WebhookDispatcher(db, factory, NullLogger<WebhookDispatcher>.Instance);
await dispatcher.DispatchAsync(new WebhookEvent
{
EventType = WebhookEventTypes.FlagUpdated,
OrganizationId = org.Id,
Data = new { }
});
Assert.That(capturedRequests[0].Headers.Contains("X-Flagsmith-Signature"), Is.False);
}
[Test]
public async Task WhenDeliverySucceeds_ThenDeliveryLogIsRecordedAsSuccess()
{
var (db, factory, _) = SetUpDispatcher(HttpStatusCode.OK);
var org = new MicCheck.Api.Organizations.Organization { Name = "Org", CreatedAt = DateTimeOffset.UtcNow };
db.Organizations.Add(org);
db.SaveChanges();
db.Webhooks.Add(new Webhook
{
Url = "https://example.com/hook",
Scope = WebhookScope.Organization,
OrganizationId = org.Id,
Enabled = true,
CreatedAt = DateTimeOffset.UtcNow
});
db.SaveChanges();
var dispatcher = new WebhookDispatcher(db, factory, NullLogger<WebhookDispatcher>.Instance);
await dispatcher.DispatchAsync(new WebhookEvent
{
EventType = WebhookEventTypes.FlagUpdated,
OrganizationId = org.Id,
Data = new { }
});
var log = db.WebhookDeliveryLogs.First();
Assert.That(log.Success, Is.True);
Assert.That(log.ResponseStatusCode, Is.EqualTo(200));
Assert.That(log.AttemptNumber, Is.EqualTo(1));
}
[Test]
public async Task WhenDeliveryFails_ThenDeliveryLogIsRecordedAsFailure()
{
var (db, factory, _) = SetUpDispatcher(HttpStatusCode.InternalServerError);
var org = new MicCheck.Api.Organizations.Organization { Name = "Org", CreatedAt = DateTimeOffset.UtcNow };
db.Organizations.Add(org);
db.SaveChanges();
db.Webhooks.Add(new Webhook
{
Url = "https://example.com/hook",
Scope = WebhookScope.Organization,
OrganizationId = org.Id,
Enabled = true,
CreatedAt = DateTimeOffset.UtcNow
});
db.SaveChanges();
var dispatcher = new WebhookDispatcher(db, factory, NullLogger<WebhookDispatcher>.Instance);
await dispatcher.DispatchAsync(new WebhookEvent
{
EventType = WebhookEventTypes.FlagUpdated,
OrganizationId = org.Id,
Data = new { }
});
var log = db.WebhookDeliveryLogs.First();
Assert.That(log.Success, Is.False);
Assert.That(log.ResponseStatusCode, Is.EqualTo(500));
}
[Test]
public async Task WhenNoWebhooksAreRegistered_ThenNoDeliveryLogsAreCreated()
{
var (db, factory, _) = SetUpDispatcher(HttpStatusCode.OK);
var dispatcher = new WebhookDispatcher(db, factory, NullLogger<WebhookDispatcher>.Instance);
await dispatcher.DispatchAsync(new WebhookEvent
{
EventType = WebhookEventTypes.FlagUpdated,
OrganizationId = 99,
Data = new { }
});
Assert.That(db.WebhookDeliveryLogs.Count(), Is.EqualTo(0));
}
private static (MicCheckDbContext Db, IHttpClientFactory Factory, List<HttpRequestMessage> CapturedRequests)
SetUpDispatcher(HttpStatusCode responseStatus)
{
var options = new DbContextOptionsBuilder<MicCheckDbContext>()
.UseInMemoryDatabase(Guid.NewGuid().ToString())
.Options;
var db = new MicCheckDbContext(options);
var capturedRequests = new List<HttpRequestMessage>();
var handler = new Mock<HttpMessageHandler>();
handler.Protected()
.Setup<Task<HttpResponseMessage>>("SendAsync",
ItExpr.IsAny<HttpRequestMessage>(),
ItExpr.IsAny<CancellationToken>())
.ReturnsAsync((HttpRequestMessage req, CancellationToken _) =>
{
capturedRequests.Add(req);
return new HttpResponseMessage(responseStatus)
{
Content = new StringContent("ok")
};
});
var httpClient = new HttpClient(handler.Object);
var factory = new Mock<IHttpClientFactory>();
factory.Setup(f => f.CreateClient(It.IsAny<string>())).Returns(httpClient);
return (db, factory.Object, capturedRequests);
}
}

View File

@@ -0,0 +1,121 @@
using MicCheck.Api.Data;
using MicCheck.Api.Webhooks;
using Microsoft.EntityFrameworkCore;
using NUnit.Framework;
namespace MicCheck.Api.Tests.Unit.Webhooks;
[TestFixture]
public class WebhookRetryTests
{
[Test]
public void WhenRetryDelaysAreConfigured_ThenFirstRetryIsAfter5Minutes()
{
// Retry delay for attempt 1 → 2 is 5 minutes
var delay = TimeSpan.FromMinutes(5);
Assert.That(delay.TotalMinutes, Is.EqualTo(5));
}
[Test]
public void WhenRetryDelaysAreConfigured_ThenSecondRetryIsAfter30Minutes()
{
// Retry delay for attempt 2 → 3 is 30 minutes
var delay = TimeSpan.FromMinutes(30);
Assert.That(delay.TotalMinutes, Is.EqualTo(30));
}
[Test]
public async Task WhenFailedDeliveryIsOldEnough_ThenItIsEligibleForRetry()
{
var options = new DbContextOptionsBuilder<MicCheckDbContext>()
.UseInMemoryDatabase(Guid.NewGuid().ToString())
.Options;
using var db = new MicCheckDbContext(options);
db.WebhookDeliveryLogs.Add(new WebhookDeliveryLog
{
WebhookId = 1,
EventType = WebhookEventTypes.FlagUpdated,
PayloadJson = """{"event_type":"FLAG_UPDATED","data":{}}""",
Success = false,
AttemptNumber = 1,
AttemptedAt = DateTimeOffset.UtcNow.AddMinutes(-6),
Duration = TimeSpan.FromMilliseconds(100)
});
await db.SaveChangesAsync();
var retryAfter = DateTimeOffset.UtcNow - TimeSpan.FromMinutes(5);
var eligible = await db.WebhookDeliveryLogs
.Where(d => !d.Success && d.AttemptNumber == 1 && d.AttemptedAt <= retryAfter)
.ToListAsync();
Assert.That(eligible, Has.Count.EqualTo(1));
}
[Test]
public async Task WhenFailedDeliveryIsTooRecent_ThenItIsNotEligibleForRetry()
{
var options = new DbContextOptionsBuilder<MicCheckDbContext>()
.UseInMemoryDatabase(Guid.NewGuid().ToString())
.Options;
using var db = new MicCheckDbContext(options);
db.WebhookDeliveryLogs.Add(new WebhookDeliveryLog
{
WebhookId = 1,
EventType = WebhookEventTypes.FlagUpdated,
PayloadJson = """{"event_type":"FLAG_UPDATED","data":{}}""",
Success = false,
AttemptNumber = 1,
AttemptedAt = DateTimeOffset.UtcNow.AddMinutes(-1),
Duration = TimeSpan.FromMilliseconds(100)
});
await db.SaveChangesAsync();
var retryAfter = DateTimeOffset.UtcNow - TimeSpan.FromMinutes(5);
var eligible = await db.WebhookDeliveryLogs
.Where(d => !d.Success && d.AttemptNumber == 1 && d.AttemptedAt <= retryAfter)
.ToListAsync();
Assert.That(eligible, Is.Empty);
}
[Test]
public async Task WhenDeliveryHasAlreadyBeenRetried_ThenItIsNotRetriedAgain()
{
var options = new DbContextOptionsBuilder<MicCheckDbContext>()
.UseInMemoryDatabase(Guid.NewGuid().ToString())
.Options;
using var db = new MicCheckDbContext(options);
var firstAttemptedAt = DateTimeOffset.UtcNow.AddMinutes(-10);
db.WebhookDeliveryLogs.Add(new WebhookDeliveryLog
{
WebhookId = 1,
EventType = WebhookEventTypes.FlagUpdated,
PayloadJson = "{}",
Success = false,
AttemptNumber = 1,
AttemptedAt = firstAttemptedAt,
Duration = TimeSpan.Zero
});
db.WebhookDeliveryLogs.Add(new WebhookDeliveryLog
{
WebhookId = 1,
EventType = WebhookEventTypes.FlagUpdated,
PayloadJson = "{}",
Success = false,
AttemptNumber = 2,
AttemptedAt = firstAttemptedAt.AddMinutes(5),
Duration = TimeSpan.Zero
});
await db.SaveChangesAsync();
var alreadyRetried = await db.WebhookDeliveryLogs
.AnyAsync(d => d.WebhookId == 1 && d.AttemptNumber == 2 && d.AttemptedAt > firstAttemptedAt);
Assert.That(alreadyRetried, Is.True);
}
}