fix(asaas): Enhance webhook validation and add payment status cron fallback

leomp12 · claude · leomp12 · commit afd1572a054f · 2025-08-02T15:14:52.000-03:00
- Fix webhook auth token validation to match create-transaction format - Add asaasKeyId-based security validation - Refactor status parsing and payment update logic for reusability - Add cronCheckPayments function as fallback for missed webhook events - Improve error handling and logging for better observability 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/packages/apps/asaas/src/asaas-events.ts b/packages/apps/asaas/src/asaas-events.ts
@@ -1,81 +1,116 @@
 /* eslint-disable import/prefer-default-export */
 import type { Orders } from '@cloudcommerce/types';
+import type { AxiosError } from 'axios';
 import api from '@cloudcommerce/api';
 import '@cloudcommerce/firebase/lib/init';
 import * as functions from 'firebase-functions/v1';
 import config, { logger } from '@cloudcommerce/firebase/lib/config';
 import getAppData from '@cloudcommerce/firebase/lib/helpers/get-app-data';
+import { getAsaasAxios } from './util/asaas-api';
 
 type PaymentEntry = Exclude<Orders['payments_history'], undefined>[0]
 
-const { httpsFunctionOptions } = config.get();
+const {
+  storeId,
+  httpsFunctionOptions,
+} = config.get();
+
+const setAsaasEnv = async () => {
+  if (!process.env.ASAAS_API_KEY) {
+    const appData = await getAppData('asaas');
+    process.env.ASAAS_API_KEY = appData.asaas_api_key;
+    if (appData.asaas_sandbox) {
+      process.env.ASAAS_ENV = 'sandbox';
+    }
+  }
+};
+
+const parseAsaasStatus = (asaasStatus: string): PaymentEntry['status'] | null => {
+  switch (asaasStatus) {
+    case 'CREDIT_CARD_CAPTURE_REFUSED':
+      return 'unauthorized';
+    case 'AWAITING_CHARGEBACK_REVERSAL':
+    case 'CHARGEBACK_DISPUTE':
+    case 'CHARGEBACK_REQUESTED':
+      return 'in_dispute';
+    case 'RECEIVED_IN_CASH_UNDONE':
+    case 'DELETED':
+      return 'voided';
+    case 'REFUND_IN_PROGRESS':
+    case 'REFUNDED':
+      return 'refunded';
+    case 'PENDING':
+    case 'RESTORED':
+      return 'pending';
+    case 'RECEIVED':
+    case 'CONFIRMED':
+      return 'paid';
+    case 'REPROVED_BY_RISK_ANALYSIS':
+      return 'unauthorized';
+    case 'AWAITING_RISK_ANALYSIS':
+      return 'under_analysis';
+    default:
+      return null;
+  }
+};
+
+const updatePaymentStatus = async ({
+  orderId,
+  transactionId,
+  asaasStatus,
+  flag = 'webhook',
+}: {
+  orderId: Orders['_id'],
+  transactionId?: string,
+  asaasStatus: string,
+  flag?: string,
+}) => {
+  const status = parseAsaasStatus(asaasStatus);
+  if (!status) {
+    logger.warn(`Unexpected Asaas status for ${orderId}`, { asaasStatus });
+    return;
+  }
+  await api.post(`orders/${orderId}/payments_history`, {
+    date_time: new Date().toISOString(),
+    status,
+    transaction_id: transactionId,
+    flags: ['asaas', flag, asaasStatus],
+  });
+  logger.info(`Updated ${orderId} to ${status}`);
+};
 
 export const asaas = {
   webhook: functions
     .region(httpsFunctionOptions.region)
     .runWith(httpsFunctionOptions)
     .https.onRequest(async (req, res) => {
       const { body, headers } = req;
-      const asaasStatus = body?.event;
+      const asaasStatus = (body?.event as string | undefined)?.replace(/^PAYMENT_/, '');
       const asaasPaymentId = body?.payment?.id;
       if (req.method !== 'POST' || !asaasStatus || !asaasPaymentId) {
         res.sendStatus(405);
         return;
       }
-      if (!process.env.ASAAS_API_KEY) {
-        const appData = await getAppData('asaas');
-        process.env.ASAAS_API_KEY = appData.asaas_api_key;
-        if (appData.asaas_sandbox) {
-          process.env.ASAAS_ENV = 'sandbox';
-        }
-      }
+      await setAsaasEnv();
       const { ASAAS_API_KEY } = process.env;
       if (!ASAAS_API_KEY) {
         res.sendStatus(403);
         return;
       }
-      if (headers['asaas-access-token'] !== `w1_${ASAAS_API_KEY}`) {
+      const asaasKeyId = `${ASAAS_API_KEY}`.substring(0, 6) + `${ASAAS_API_KEY}`.slice(-3);
+      if (headers['asaas-access-token'] !== `${storeId}_${asaasKeyId}`) {
         logger.warn('Unauthorized webhook', {
-          headers,
+          asaasStatus,
+          asaasPaymentId,
         });
         res.sendStatus(401);
         return;
       }
       logger.info(`Asaas webhook ${asaasPaymentId} ${asaasStatus}`);
-      let status: PaymentEntry['status'] = 'pending';
-      switch (asaasStatus) {
-        case 'PAYMENT_CREDIT_CARD_CAPTURE_REFUSED':
-          status = 'unauthorized';
-          break;
-        case 'PAYMENT_AWAITING_CHARGEBACK_REVERSAL':
-        case 'PAYMENT_CHARGEBACK_DISPUTE':
-        case 'PAYMENT_CHARGEBACK_REQUESTED':
-          status = 'in_dispute';
-          break;
-        case 'PAYMENT_RECEIVED_IN_CASH_UNDONE':
-        case 'PAYMENT_DELETED':
-          status = 'voided';
-          break;
-        case 'PAYMENT_REFUND_IN_PROGRESS':
-        case 'PAYMENT_REFUNDED':
-          status = 'refunded';
-          break;
-        case 'PAYMENT_RESTORED':
-          status = 'pending';
-          break;
-        case 'PAYMENT_RECEIVED':
-        case 'PAYMENT_CONFIRMED':
-          status = 'paid';
-          break;
-        case 'PAYMENT_REPROVED_BY_RISK_ANALYSIS':
-          status = 'unauthorized';
-          break;
-        case 'PAYMENT_AWAITING_RISK_ANALYSIS':
-          status = 'under_analysis';
-          break;
-        default:
-          // Ignore unknow status
-          return;
+      const status = parseAsaasStatus(asaasStatus);
+      if (!status) {
+        res.sendStatus(204);
+        return;
       }
       const {
         data: { result: [order] },
@@ -94,16 +129,70 @@ export const asaas = {
         return intermediator?.transaction_id === String(asaasPaymentId);
       });
       if (transaction?._id) {
-        await api.post(`orders/${order._id}/payments_history`, {
-          date_time: new Date().toISOString(),
-          status,
-          transaction_id: transaction._id,
-          flags: ['asaas', asaasStatus],
+        await updatePaymentStatus({
+          orderId: order._id,
+          transactionId: transaction._id,
+          asaasStatus,
         });
-        logger.info(`Updated ${order._id} to ${status}`);
         res.sendStatus(201);
         return;
       }
       res.sendStatus(200);
     }),
+
+  cronCheckPayments: functions
+    .region(config.get().httpsFunctionOptions.region)
+    .runWith({ timeoutSeconds: 540 })
+    .pubsub.schedule(process.env.CRONTAB_ASAAS_CHECK_PAYMENTS || '28 15,2 * * *')
+    .timeZone('America/Sao_Paulo')
+    .onRun(async () => {
+      await setAsaasEnv();
+      const { ASAAS_API_KEY } = process.env;
+      if (!ASAAS_API_KEY) return;
+      const d = new Date();
+      const isOddHourExec = !!(d.getHours() % 2);
+      d.setDate(d.getDate() - 30);
+      const endpoint = 'orders'
+        + '?fields=_id,transactions'
+        + '&transactions.app.intermediator.code=asaas3'
+        + '&financial_status.current=pending'
+        + `&created_at>=${d.toISOString()}`
+        + `&sort=${(isOddHourExec ? '' : '-')}number`
+        + '&limit=500' as `orders?${string}`;
+      const { data: { result: orders } } = await api.get(endpoint);
+      logger.info(`${orders.length} orders listed`, {
+        orderIds: orders.map(({ _id }) => _id),
+      });
+      const asaasAxios = await getAsaasAxios();
+      for (let i = 0; i < orders.length; i++) {
+        const order = orders[i];
+        const transaction = order.transactions?.find(({ app }) => {
+          return app?.intermediator?.code === 'asaas3';
+        });
+        const asaasPaymentId = transaction?.intermediator?.transaction_id;
+        if (!asaasPaymentId) continue;
+        let asaasStatus: string | undefined;
+        try {
+          // eslint-disable-next-line no-await-in-loop
+          const { data } = await asaasAxios.get(`/v3/payments/${asaasPaymentId}/status`);
+          asaasStatus = data.status;
+        } catch (_err: any) {
+          const err: AxiosError = _err;
+          const status = err.response?.status;
+          logger.warn(`Failed with ${status} reading Asaas status for ${order._id}`);
+          if (status === 404 || status === 400) continue;
+          logger.error(err);
+          break;
+        }
+        if (!asaasStatus) continue;
+        const status = parseAsaasStatus(asaasStatus);
+        if (!status || status === 'pending') continue;
+        updatePaymentStatus({
+          orderId: order._id,
+          transactionId: transaction._id,
+          asaasStatus,
+          flag: 'cron',
+        });
+      }
+    }),
 };
