feat: handle webhook with quickbooks

Author: barbinbrad

apps/erp/app/routes/api+/integrations.quickbooks.oauth.ts

@@ -70,12 +70,17 @@ export async function loader({ request }: LoaderFunctionArgs) {
         id: QuickBooks.id,
         active: true,
         // @ts-ignore
-        metadata: auth,
+        metadata: {
+          ...auth,
+          tenantId: data.realmId,
+        },
         updatedBy: userId,
         companyId: companyId,
       }
     );
 
+    console.log({ createdQuickBooksIntegration });
+
     if (createdQuickBooksIntegration?.data?.metadata) {
       const requestUrl = new URL(request.url);
 

apps/erp/app/routes/api+/webhook.quickbooks.ts

@@ -1,4 +1,4 @@
-import { getCarbonServiceRole } from "@carbon/auth";
+import { getCarbonServiceRole, QUICKBOOKS_WEBHOOK_SECRET } from "@carbon/auth";
 
 import type { ActionFunctionArgs } from "@vercel/remix";
 import { json } from "@vercel/remix";
@@ -9,17 +9,34 @@ export const config = {
   runtime: "nodejs",
 };
 
-const integrationValidator = z.object({
-  webhookToken: z.string(),
+const quickbooksEventValidator = z.object({
+  eventNotifications: z.array(
+    z.object({
+      realmId: z.string(),
+      dataChangeEvent: z.object({
+        entities: z.array(
+          z.object({
+            id: z.string(),
+            name: z.string(),
+            operation: z.enum(["Create", "Update", "Delete"]),
+          })
+        ),
+      }),
+    })
+  ),
 });
 
 function verifyQuickBooksSignature(
   payload: string,
-  signature: string,
-  webhookToken: string
+  signature: string
 ): boolean {
+  if (!QUICKBOOKS_WEBHOOK_SECRET) {
+    console.warn("QUICKBOOKS_WEBHOOK_SECRET is not set");
+    return true;
+  }
+
   const expectedSignature = crypto
-    .createHmac("sha256", webhookToken)
+    .createHmac("sha256", QUICKBOOKS_WEBHOOK_SECRET)
     .update(payload)
     .digest("base64");
 
@@ -32,8 +49,48 @@ function verifyQuickBooksSignature(
 export async function action({ request, params }: ActionFunctionArgs) {
   const serviceRole = await getCarbonServiceRole();
 
-  const payload = await request.json();
-  console.log({ payload });
+  const payload = await request.clone().json();
+
+  const parsedPayload = quickbooksEventValidator.safeParse(payload);
+  if (!parsedPayload.success) {
+    return json({ success: false }, { status: 400 });
+  }
+
+  const payloadText = await request.text();
+  const signatureHeader = request.headers.get("intuit-signature");
+
+  if (!signatureHeader) {
+    return json({ success: false }, { status: 401 });
+  }
+
+  const requestIsValid = verifyQuickBooksSignature(
+    payloadText,
+    signatureHeader
+  );
+
+  if (!requestIsValid) {
+    return json({ success: false }, { status: 401 });
+  }
+
+  const events = parsedPayload.data.eventNotifications;
+  for await (const event of events) {
+    const { realmId, dataChangeEvent } = event;
+
+    const companyIntegration = await serviceRole
+      .from("companyIntegration")
+      .select("*")
+      .eq("metadata->>tenantId", realmId)
+      .eq("id", "quickbooks")
+      .single();
+
+    console.log({ companyIntegration });
+
+    const { entities } = dataChangeEvent;
+    for await (const entity of entities) {
+      const { id, name, operation } = entity;
+      console.log({ realmId, id, name, operation });
+    }
+  }
 
   // const quickbooksIntegration = await serviceRole
   //   .from("companyIntegration")
@@ -48,17 +105,7 @@ export async function action({ request, params }: ActionFunctionArgs) {
   //   );
 
   //   const payloadText = await request.text();
-  //   const signatureHeader = request.headers.get("intuit-signature");
-
-  //   if (!signatureHeader) {
-  //     return json({ success: false }, { status: 401 });
-  //   }
-
-  //   if (
-  //     !verifyQuickBooksSignature(payloadText, signatureHeader, webhookToken)
-  //   ) {
-  //     return json({ success: false }, { status: 401 });
-  //   }
+  //
 
   //   const payload = JSON.parse(payloadText);
   //   console.log("QuickBooks webhook payload", payload);

apps/erp/vite.config.ts

@@ -33,7 +33,7 @@ export default defineConfig({
   },
   server: {
     port: 3000,
-    allowedHosts: ["8aef5c58f593.ngrok-free.app"],
+    allowedHosts: ["34cf759c5276.ngrok-free.app"],
   },
   plugins: [
     remix({

packages/auth/src/config/env.ts

@@ -28,6 +28,7 @@ declare global {
       POSTHOG_API_HOST: string;
       POSTHOG_PROJECT_PUBLIC_KEY: string;
       QUICKBOOKS_CLIENT_SECRET: string;
+      QUICKBOOKS_WEBHOOK_SECRET: string;
       RESEND_API_KEY: string;
       RESEND_DOMAIN: string;
       SESSION_SECRET: string;
@@ -135,6 +136,11 @@ export const QUICKBOOKS_CLIENT_SECRET = getEnv("QUICKBOOKS_CLIENT_SECRET", {
   isSecret: true,
 });
 
+export const QUICKBOOKS_WEBHOOK_SECRET = getEnv("QUICKBOOKS_WEBHOOK_SECRET", {
+  isRequired: false,
+  isSecret: true,
+});
+
 export const RESEND_DOMAIN =
   getEnv("RESEND_DOMAIN", {
     isRequired: false,

packages/ee/src/accounting/providers/quickbooks.ts

@@ -75,7 +75,6 @@ export class QuickBooksProvider extends CoreProvider {
       accessToken: data.access_token,
       refreshToken: data.refresh_token,
       expiresAt: new Date(Date.now() + data.expires_in * 1000),
-      tenantId: data.realmId, // QuickBooks uses realmId as tenant identifier
     };
   }