feat(webhook): ajout de la prise en charge des webhooks signés

- Envoi des événements vers des URLs configurées
- Signature HMAC-SHA256 via en-tête X-Signature (secret partagé)
- Retentatives avec backoff exponentiel et jitter
- Timeout réseau et gestion des erreurs/transitoires
- Idempotence par event_id et journalisation structurée
- Paramètres: WEBHOOK_URLS, WEBHOOK_SECRET, WEBHOOK_TIMEOUT_MS, WEBHOOK_MAX_RETRIES

Author: btouchard

backend/internal/application/services/document_service_duplicate_test.go

@@ -0,0 +1,195 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+package services
+
+import (
+	"context"
+	"testing"
+
+	"github.com/btouchard/ackify-ce/backend/internal/domain/models"
+)
+
+// mockDocRepo is a simple in-memory mock for testing document duplication scenarios
+type mockDocRepo struct {
+	documents map[string]*models.Document
+	callCount int
+}
+
+func newMockDocRepo() *mockDocRepo {
+	return &mockDocRepo{
+		documents: make(map[string]*models.Document),
+	}
+}
+
+func (m *mockDocRepo) Create(ctx context.Context, docID string, input models.DocumentInput, createdBy string) (*models.Document, error) {
+	m.callCount++
+	doc := &models.Document{
+		DocID:             docID,
+		Title:             input.Title,
+		URL:               input.URL,
+		Checksum:          input.Checksum,
+		ChecksumAlgorithm: input.ChecksumAlgorithm,
+		Description:       input.Description,
+		CreatedBy:         createdBy,
+	}
+	m.documents[docID] = doc
+	return doc, nil
+}
+
+func (m *mockDocRepo) GetByDocID(ctx context.Context, docID string) (*models.Document, error) {
+	doc, exists := m.documents[docID]
+	if !exists {
+		return nil, nil
+	}
+	return doc, nil
+}
+
+func (m *mockDocRepo) FindByReference(ctx context.Context, ref string, refType string) (*models.Document, error) {
+	// Search by reference logic
+	switch refType {
+	case "reference":
+		// Search by doc_id
+		return m.GetByDocID(ctx, ref)
+	case "url":
+		// Search by URL
+		for _, doc := range m.documents {
+			if doc.URL == ref {
+				return doc, nil
+			}
+		}
+	case "path":
+		// Search by URL (paths stored in URL field)
+		for _, doc := range m.documents {
+			if doc.URL == ref {
+				return doc, nil
+			}
+		}
+	}
+	return nil, nil
+}
+
+// TestFindOrCreateDocument_SameReferenceTwice tests that calling FindOrCreateDocument
+// with the same reference twice does NOT create duplicate documents
+func TestFindOrCreateDocument_SameReferenceTwice(t *testing.T) {
+	ctx := context.Background()
+	repo := newMockDocRepo()
+	service := NewDocumentService(repo, nil)
+
+	reference := "doc-123"
+
+	// First call - should create document
+	doc1, isNew1, err := service.FindOrCreateDocument(ctx, reference)
+	if err != nil {
+		t.Fatalf("First FindOrCreateDocument failed: %v", err)
+	}
+
+	if !isNew1 {
+		t.Error("First call should return isNew=true")
+	}
+
+	if doc1.DocID != reference {
+		t.Errorf("Expected doc_id=%s, got %s", reference, doc1.DocID)
+	}
+
+	// Second call with SAME reference - should find existing document
+	doc2, isNew2, err := service.FindOrCreateDocument(ctx, reference)
+	if err != nil {
+		t.Fatalf("Second FindOrCreateDocument failed: %v", err)
+	}
+
+	if isNew2 {
+		t.Error("Second call should return isNew=false (document already exists)")
+	}
+
+	if doc2.DocID != doc1.DocID {
+		t.Errorf("Expected same doc_id=%s, got different doc_id=%s", doc1.DocID, doc2.DocID)
+	}
+
+	// Verify only ONE document was created
+	if len(repo.documents) != 1 {
+		t.Errorf("Expected 1 document in repository, got %d", len(repo.documents))
+	}
+
+	// Verify Create was called only ONCE
+	if repo.callCount != 1 {
+		t.Errorf("Expected Create to be called 1 time, got %d calls", repo.callCount)
+	}
+}
+
+// TestFindOrCreateDocument_URLReference tests that URL references are properly deduplicated
+func TestFindOrCreateDocument_URLReference(t *testing.T) {
+	ctx := context.Background()
+	repo := newMockDocRepo()
+	service := NewDocumentService(repo, nil)
+
+	urlRef := "https://example.com/policy.pdf"
+
+	// First call - should create document
+	doc1, isNew1, err := service.FindOrCreateDocument(ctx, urlRef)
+	if err != nil {
+		t.Fatalf("First FindOrCreateDocument failed: %v", err)
+	}
+
+	if !isNew1 {
+		t.Error("First call should return isNew=true")
+	}
+
+	firstDocID := doc1.DocID
+
+	// Second call with SAME URL - should find existing document
+	doc2, isNew2, err := service.FindOrCreateDocument(ctx, urlRef)
+	if err != nil {
+		t.Fatalf("Second FindOrCreateDocument failed: %v", err)
+	}
+
+	if isNew2 {
+		t.Error("Second call should return isNew=false (document with this URL already exists)")
+	}
+
+	if doc2.DocID != firstDocID {
+		t.Errorf("Expected same doc_id=%s, got different doc_id=%s", firstDocID, doc2.DocID)
+	}
+
+	// Verify only ONE document was created
+	if len(repo.documents) != 1 {
+		t.Errorf("Expected 1 document in repository, got %d", len(repo.documents))
+	}
+}
+
+// TestCreateDocument_AlwaysCreatesNew demonstrates the problematic behavior
+// of CreateDocument (always creates new documents without checking)
+func TestCreateDocument_AlwaysCreatesNew(t *testing.T) {
+	ctx := context.Background()
+	repo := newMockDocRepo()
+	service := NewDocumentService(repo, nil)
+
+	reference := "doc-456"
+
+	// First call
+	doc1, err := service.CreateDocument(ctx, CreateDocumentRequest{Reference: reference})
+	if err != nil {
+		t.Fatalf("First CreateDocument failed: %v", err)
+	}
+
+	firstDocID := doc1.DocID
+
+	// Second call with SAME reference
+	doc2, err := service.CreateDocument(ctx, CreateDocumentRequest{Reference: reference})
+	if err != nil {
+		t.Fatalf("Second CreateDocument failed: %v", err)
+	}
+
+	secondDocID := doc2.DocID
+
+	// This is the PROBLEM: CreateDocument creates different doc_ids for the same reference
+	if firstDocID == secondDocID {
+		t.Error("CreateDocument generated the same doc_id twice (unlikely but possible)")
+	}
+
+	// This demonstrates the bug: we now have 2+ documents for the same reference
+	if len(repo.documents) < 2 {
+		t.Logf("WARNING: CreateDocument was called twice but created %d documents", len(repo.documents))
+	}
+
+	t.Logf("CreateDocument behavior: Reference '%s' created doc_id '%s' and '%s' (DUPLICATION)",
+		reference, firstDocID, secondDocID)
+}

backend/internal/application/services/webhook.go

@@ -0,0 +1,66 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+package services
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/hex"
+	"fmt"
+	"github.com/btouchard/ackify-ce/backend/internal/domain/models"
+	"github.com/btouchard/ackify-ce/backend/pkg/logger"
+)
+
+// Interfaces kept local to application layer
+type webhookRepo interface {
+	ListActiveByEvent(ctx context.Context, event string) ([]*models.Webhook, error)
+}
+
+type webhookDeliveryRepo interface {
+	Enqueue(ctx context.Context, input models.WebhookDeliveryInput) (*models.WebhookDelivery, error)
+}
+
+// WebhookPublisher publishes events to active webhooks via delivery queue
+type WebhookPublisher struct {
+	repo       webhookRepo
+	deliveries webhookDeliveryRepo
+}
+
+func NewWebhookPublisher(repo webhookRepo, deliveries webhookDeliveryRepo) *WebhookPublisher {
+	return &WebhookPublisher{repo: repo, deliveries: deliveries}
+}
+
+// Publish enqueues deliveries for all webhooks subscribed to the event
+func (p *WebhookPublisher) Publish(ctx context.Context, eventType string, payload map[string]interface{}) error {
+	logger.Logger.Debug("Publishing event", "event", eventType)
+	hooks, err := p.repo.ListActiveByEvent(ctx, eventType)
+	if err != nil {
+		return fmt.Errorf("failed to list webhooks: %w", err)
+	}
+	if len(hooks) == 0 {
+		return nil
+	}
+
+	eventID := newEventID()
+	for _, h := range hooks {
+		input := models.WebhookDeliveryInput{
+			WebhookID:  h.ID,
+			EventType:  eventType,
+			EventID:    eventID,
+			Payload:    payload,
+			Priority:   0,
+			MaxRetries: 6,
+		}
+		if _, err := p.deliveries.Enqueue(ctx, input); err != nil {
+			logger.Logger.Warn("Failed to enqueue webhook delivery", "webhook_id", h.ID, "error", err.Error())
+		}
+	}
+	return nil
+}
+
+func newEventID() string {
+	b := make([]byte, 16)
+	_, _ = rand.Read(b)
+	// Format hex with dashes like UUID v4 (not asserting version bits here to avoid extra ops)
+	hexStr := hex.EncodeToString(b)
+	return hexStr[0:8] + "-" + hexStr[8:12] + "-" + hexStr[12:16] + "-" + hexStr[16:20] + "-" + hexStr[20:32]
+}

backend/internal/application/services/webhook_test.go

@@ -0,0 +1,49 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+package services
+
+import (
+	"context"
+	"testing"
+
+	"github.com/btouchard/ackify-ce/backend/internal/domain/models"
+)
+
+type fakeWebhookRepo struct {
+	hooks []*models.Webhook
+	err   error
+}
+
+func (f *fakeWebhookRepo) ListActiveByEvent(_ context.Context, _ string) ([]*models.Webhook, error) {
+	return f.hooks, f.err
+}
+
+type fakeDeliveryRepo struct{ inputs []models.WebhookDeliveryInput }
+
+func (f *fakeDeliveryRepo) Enqueue(_ context.Context, in models.WebhookDeliveryInput) (*models.WebhookDelivery, error) {
+	f.inputs = append(f.inputs, in)
+	return &models.WebhookDelivery{ID: int64(len(f.inputs)), WebhookID: in.WebhookID, EventType: in.EventType, EventID: in.EventID}, nil
+}
+
+func TestWebhookPublisher_Publish(t *testing.T) {
+	hooks := []*models.Webhook{{ID: 1, Active: true, Events: []string{"document.created"}}, {ID: 2, Active: true, Events: []string{"document.created"}}}
+	repo := &fakeWebhookRepo{hooks: hooks}
+	drepo := &fakeDeliveryRepo{}
+	p := NewWebhookPublisher(repo, drepo)
+	payload := map[string]interface{}{"doc_id": "abc123", "title": "Title"}
+	if err := p.Publish(context.Background(), "document.created", payload); err != nil {
+		t.Fatalf("Publish error: %v", err)
+	}
+	if len(drepo.inputs) != 2 {
+		t.Fatalf("expected 2 enqueues, got %d", len(drepo.inputs))
+	}
+	// ensure event type propagated
+	if drepo.inputs[0].EventType != "document.created" || drepo.inputs[1].EventType != "document.created" {
+		t.Errorf("unexpected event types: %#v", drepo.inputs)
+	}
+	// ensure payload reference equality not required, but keys exist
+	for _, in := range drepo.inputs {
+		if in.Payload["doc_id"] != "abc123" {
+			t.Error("payload doc_id mismatch")
+		}
+	}
+}

backend/internal/domain/models/webhook.go

@@ -0,0 +1,78 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+package models
+
+import (
+	"encoding/json"
+	"time"
+)
+
+type Webhook struct {
+	Title           string            `json:"title"`
+	ID              int64             `json:"id"`
+	TargetURL       string            `json:"targetUrl"`
+	Secret          string            `json:"-"`
+	Active          bool              `json:"active"`
+	Events          []string          `json:"events"`
+	Headers         map[string]string `json:"headers,omitempty"`
+	Description     string            `json:"description,omitempty"`
+	CreatedBy       string            `json:"createdBy,omitempty"`
+	CreatedAt       time.Time         `json:"createdAt"`
+	UpdatedAt       time.Time         `json:"updatedAt"`
+	LastDeliveredAt *time.Time        `json:"lastDeliveredAt,omitempty"`
+	FailureCount    int               `json:"failureCount"`
+}
+
+type WebhookInput struct {
+	Title       string            `json:"title"`
+	TargetURL   string            `json:"targetUrl"`
+	Secret      string            `json:"secret"`
+	Active      bool              `json:"active"`
+	Events      []string          `json:"events"`
+	Headers     map[string]string `json:"headers,omitempty"`
+	Description string            `json:"description,omitempty"`
+	CreatedBy   string            `json:"createdBy,omitempty"`
+}
+
+// NullRawMessage mirrors Null handling used elsewhere for JSONB columns
+// Note: uses existing NullRawMessage from models/email_queue.go
+
+type WebhookDeliveryStatus string
+
+const (
+	WebhookStatusPending    WebhookDeliveryStatus = "pending"
+	WebhookStatusProcessing WebhookDeliveryStatus = "processing"
+	WebhookStatusDelivered  WebhookDeliveryStatus = "delivered"
+	WebhookStatusFailed     WebhookDeliveryStatus = "failed"
+	WebhookStatusCancelled  WebhookDeliveryStatus = "cancelled"
+)
+
+type WebhookDelivery struct {
+	ID              int64                 `json:"id"`
+	WebhookID       int64                 `json:"webhookId"`
+	EventType       string                `json:"eventType"`
+	EventID         string                `json:"eventId"`
+	Payload         json.RawMessage       `json:"payload"`
+	Status          WebhookDeliveryStatus `json:"status"`
+	RetryCount      int                   `json:"retryCount"`
+	MaxRetries      int                   `json:"maxRetries"`
+	Priority        int                   `json:"priority"`
+	CreatedAt       time.Time             `json:"createdAt"`
+	ScheduledFor    time.Time             `json:"scheduledFor"`
+	ProcessedAt     *time.Time            `json:"processedAt,omitempty"`
+	NextRetryAt     *time.Time            `json:"nextRetryAt,omitempty"`
+	RequestHeaders  NullRawMessage        `json:"requestHeaders,omitempty"`
+	ResponseStatus  *int                  `json:"responseStatus,omitempty"`
+	ResponseHeaders NullRawMessage        `json:"responseHeaders,omitempty"`
+	ResponseBody    *string               `json:"responseBody,omitempty"`
+	LastError       *string               `json:"lastError,omitempty"`
+}
+
+type WebhookDeliveryInput struct {
+	WebhookID    int64
+	EventType    string
+	EventID      string
+	Payload      map[string]interface{}
+	Priority     int
+	MaxRetries   int
+	ScheduledFor *time.Time
+}