fotospiel-app/app/Http/Controllers/LemonSqueezyWebhookController.php

<?php

namespace App\Http\Controllers;

use App\Services\Addons\EventAddonWebhookService;
use App\Services\Checkout\CheckoutWebhookService;
use App\Services\Integrations\IntegrationWebhookRecorder;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Symfony\Component\HttpFoundation\Response;

class LemonSqueezyWebhookController extends Controller
{
    public function __construct(
        private readonly CheckoutWebhookService $webhooks,
        private readonly EventAddonWebhookService $addonWebhooks,
        private readonly IntegrationWebhookRecorder $recorder,
    ) {}

    public function handle(Request $request): JsonResponse
    {
        try {
            if (! $this->verify($request)) {
                Log::warning('Lemon Squeezy webhook signature verification failed');

                return response()->json(['status' => 'invalid'], Response::HTTP_BAD_REQUEST);
            }

            $payload = $request->json()->all();

            if (! is_array($payload)) {
                return response()->json(['status' => 'ignored'], Response::HTTP_ACCEPTED);
            }

            $eventType = $payload['meta']['event_name'] ?? $request->headers->get('X-Event-Name');
            $eventId = $payload['meta']['event_id'] ?? $payload['data']['id'] ?? null;
            $webhookEvent = $this->recorder->recordReceived(
                'lemonsqueezy',
                $eventId ? (string) $eventId : null,
                $eventType ? (string) $eventType : null,
            );
            $handled = false;

            $this->logDev('Lemon Squeezy webhook received', [
                'event_type' => $eventType,
                'order_id' => data_get($payload, 'data.id'),
                'has_signature' => (string) $request->headers->get('X-Signature', '') !== '',
            ]);

            if ($eventType) {
                $handled = $this->webhooks->handleLemonSqueezyEvent($payload);
                $handled = $this->addonWebhooks->handle($payload) || $handled;
            }

            Log::info('Lemon Squeezy webhook processed', [
                'event_type' => $eventType,
                'handled' => $handled,
            ]);

            $statusCode = $handled ? Response::HTTP_OK : Response::HTTP_ACCEPTED;
            $handled
                ? $this->recorder->markProcessed($webhookEvent, ['handled' => true])
                : $this->recorder->markIgnored($webhookEvent, ['handled' => false]);

            return response()->json([
                'status' => $handled ? 'processed' : 'ignored',
            ], $statusCode);
        } catch (\Throwable $exception) {
            $eventId = $this->captureWebhookException($exception);

            Log::error('Lemon Squeezy webhook processing failed', [
                'message' => $exception->getMessage(),
                'event_type' => (string) data_get($request->json()->all(), 'meta.event_name'),
                'sentry_event_id' => $eventId,
            ]);

            $this->logDev('Lemon Squeezy webhook error payload', $this->reducePayload($request->json()->all()));

            if (isset($webhookEvent)) {
                $this->recorder->markFailed($webhookEvent, $exception->getMessage());
            }

            return response()->json(['status' => 'error'], Response::HTTP_INTERNAL_SERVER_ERROR);
        }
    }

    protected function verify(Request $request): bool
    {
        $secret = config('lemonsqueezy.webhook_secret');

        if (! $secret) {
            return true;
        }

        $signature = (string) $request->headers->get('X-Signature', '');

        if ($signature === '') {
            $this->logDev('Lemon Squeezy webhook missing signature header', [
                'header' => 'X-Signature',
            ]);

            return false;
        }

        $payload = $request->getContent();
        $expected = hash_hmac('sha256', $payload, $secret);

        $valid = hash_equals($expected, $signature);
        if (! $valid) {
            $this->logDev('Lemon Squeezy webhook signature mismatch', []);
        }

        return $valid;
    }

    /**
     * @param  array<string, mixed>  $context
     */
    protected function logDev(string $message, array $context = []): void
    {
        if (! app()->environment('development')) {
            return;
        }

        Log::info('[LemonSqueezyWebhook] '.$message, $context);
    }

    /**
     * @return array<string, mixed>
     */
    protected function reducePayload(array $payload): array
    {
        return array_filter([
            'event_type' => data_get($payload, 'meta.event_name'),
            'order_id' => data_get($payload, 'data.id'),
            'status' => data_get($payload, 'data.attributes.status'),
            'customer_id' => data_get($payload, 'data.attributes.customer_id'),
            'has_custom_data' => is_array(data_get($payload, 'meta.custom_data')),
        ], static fn ($value) => $value !== null);
    }

    protected function captureWebhookException(\Throwable $exception): ?string
    {
        report($exception);

        if (! app()->bound('sentry') || empty(config('sentry.dsn'))) {
            return null;
        }

        try {
            $eventId = app('sentry')->captureException($exception);
        } catch (\Throwable) {
            return null;
        }

        return $eventId ? (string) $eventId : null;
    }
}