feat: Final deployment updates with tracking notifications and shipping webhooks

Author: lead-matrix

.env.example

@@ -28,6 +28,7 @@ SMTP_FROM=Your Store <support@your-domain.com>
 
 # ── SHIPPO — Shipping Labels (Required for fulfillment) ──────────────────────
 SHIPPO_API_KEY=shippo_live_...
+SHIPPO_WEBHOOK_SECRET=your_token_here
 
 # ── WAREHOUSE / SENDER ADDRESS (Required for Shippo label generation) ────────
 WAREHOUSE_NAME=Your Store Name

MASTER.sql

@@ -560,6 +560,8 @@ CREATE TABLE IF NOT EXISTS public.orders (
                 'pending',
                 'paid',
                 'shipped',
+                'out_for_delivery',
+                'delivered',
                 'cancelled',
                 'refunded'
             )
@@ -569,10 +571,16 @@ CREATE TABLE IF NOT EXISTS public.orders (
         billing_address jsonb,
         stripe_session_id text UNIQUE,
         tracking_number text,
+        carrier text,
+        shippo_tracking_status text,
         metadata jsonb,
         created_at timestamptz NOT NULL DEFAULT now(),
         updated_at timestamptz NOT NULL DEFAULT now()
 );
+-- Ensure existing constraint is updated
+ALTER TABLE public.orders DROP CONSTRAINT IF EXISTS orders_status_check;
+ALTER TABLE public.orders ADD CONSTRAINT orders_status_check CHECK (status IN ('pending', 'paid', 'shipped', 'out_for_delivery', 'delivered', 'cancelled', 'refunded'));
+
 ALTER TABLE public.orders
 ADD COLUMN IF NOT EXISTS user_id uuid;
 
@@ -719,6 +727,17 @@ CREATE TABLE IF NOT EXISTS public.user_profiles (
     created_at timestamptz NOT NULL DEFAULT now(),
     updated_at timestamptz NOT NULL DEFAULT now()
 );
+-- 1L. order_tracking_history — real-time carrier updates
+CREATE TABLE IF NOT EXISTS public.order_tracking_history (
+    id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+    order_id uuid NOT NULL REFERENCES public.orders(id) ON DELETE CASCADE,
+    status text NOT NULL,
+    details text,
+    location text,
+    shippo_event_id text UNIQUE,
+    object_created timestamptz NOT NULL,
+    created_at timestamptz NOT NULL DEFAULT now()
+);
 -- ───────────────────────────────────────────────────────────────
 -- §2  CMS TABLES
 -- ───────────────────────────────────────────────────────────────
@@ -817,6 +836,7 @@ ALTER TABLE public.navigation_menus ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.cms_pages ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.cms_sections ENABLE ROW LEVEL SECURITY;
 ALTER TABLE public.theme_settings ENABLE ROW LEVEL SECURITY;
+ALTER TABLE public.order_tracking_history ENABLE ROW LEVEL SECURITY;
 -- ───────────────────────────────────────────────────────────────
 -- §4  NUCLEAR DROP — every public RLS policy
 --     Guarantees zero duplicates and removes all stale/rogue
@@ -1255,6 +1275,26 @@ CREATE POLICY "cms_sections_delete" ON public.cms_sections FOR DELETE USING (
         SELECT public.is_admin()
     )
 );
+-- 5.21 ORDER_TRACKING_HISTORY — users see their own, admins see all
+CREATE POLICY "order_tracking_history_select" ON public.order_tracking_history FOR SELECT USING (
+    EXISTS (
+        SELECT 1 FROM public.orders o
+        WHERE o.id = order_tracking_history.order_id
+        AND (
+            (SELECT auth.uid()) = o.user_id
+            OR (SELECT public.is_admin())
+        )
+    )
+);
+CREATE POLICY "order_tracking_history_insert" ON public.order_tracking_history FOR INSERT WITH CHECK (
+    (SELECT public.is_admin())
+);
+CREATE POLICY "order_tracking_history_update" ON public.order_tracking_history FOR UPDATE USING (
+    (SELECT public.is_admin())
+);
+CREATE POLICY "order_tracking_history_delete" ON public.order_tracking_history FOR DELETE USING (
+    (SELECT public.is_admin())
+);
 -- ───────────────────────────────────────────────────────────────
 -- §6  TRIGGERS  — updated_at + auto-profile on signup
 -- ───────────────────────────────────────────────────────────────
@@ -1437,6 +1477,8 @@ CREATE INDEX IF NOT EXISTS idx_product_variants_sku ON public.product_variants(s
 CREATE INDEX IF NOT EXISTS idx_profiles_role ON public.profiles(role);
 -- Keep: is_admin() runs on every authenticated request via middleware.
 CREATE INDEX IF NOT EXISTS idx_newsletter_email ON public.newsletter_subscribers(email);
+-- Add index for tracking history
+CREATE INDEX IF NOT EXISTS idx_tracking_order_id ON public.order_tracking_history(order_id);
 -- Keep: uniqueness enforcement + duplicate-check on subscribe.
 -- ───────────────────────────────────────────────────────────────
 -- §9  SEED DATA  (idempotent — ON CONFLICT DO UPDATE)

app/api/webhook/shippo/route.ts

@@ -1,169 +1,146 @@
-import { NextRequest, NextResponse } from "next/server";
-import { createClient } from "@/lib/supabase/admin";
-import {
-  sendShippingNotificationEmail,
-  sendDeliveryNotificationEmail,
-} from "@/lib/utils/email";
-
-import type { OrderItem, OrderRecord } from "@/types/order";
-
-// Incoming Shippo webhook body format
-interface ShippoTrackingStatus {
-  status: string;
-  status_details: string;
-  status_date: string;
-}
-
-interface ShippoWebhookBody {
-  event: string;
-  data: {
-    tracking_number: string;
-    tracking_status: ShippoTrackingStatus;
-    carrier: string;
-  };
-}
-
-// Main webhook handler
-export async function POST(req: NextRequest) {
-  try {
-    const body = (await req.json()) as ShippoWebhookBody;
+import { NextRequest, NextResponse } from 'next/server';
+import { createClient } from '@/lib/supabase/admin';
+import { verifyShippoSignature } from '@/lib/utils/shippo';
+import { 
+    sendShippingNotificationEmail, 
+    sendOutForDeliveryNotificationEmail, 
+    sendDeliveryNotificationEmail 
+} from '@/lib/utils/email';
 
-    // Only respond to track_updated events
-    if (body.event !== "track_updated") {
-      return NextResponse.json({ ignored: true });
+export async function POST(req: NextRequest) {
+    const bodyText = await req.text();
+    const signature = req.headers.get('x-shippo-signature') || '';
+
+    const searchParams = req.nextUrl.searchParams;
+    const urlToken = searchParams.get('token');
+    const secret = process.env.SHIPPO_WEBHOOK_SECRET;
+
+    // 1. Verify via URL Token (Method B) OR HMAC Signature (Method A)
+    const isValid = (urlToken && urlToken === secret) || (await verifyShippoSignature(bodyText, signature));
+    
+    if (!isValid) {
+        console.error('[Shippo Webhook] Unauthorized access attempt');
+        return NextResponse.json({ error: 'Invalid security token' }, { status: 401 });
     }
 
-    const { tracking_number, tracking_status } = body.data || {};
+    const payload = JSON.parse(bodyText);
+    const event = payload.event;
+    const data = payload.data;
 
-    if (!tracking_number || !tracking_status) {
-      return NextResponse.json({ error: "Invalid payload" }, { status: 400 });
+    if (event !== 'track_updated') {
+        return NextResponse.json({ message: 'Event ignored' });
     }
 
-    const supabase = await createClient();
-
-    // Idempotency: skip duplicates
-    const eventId = `${tracking_number}_${tracking_status.status}_${tracking_status.status_date}`;
-
-    const { data: existing } = await supabase
-      .from("shippo_events")
-      .select("id")
-      .eq("id", eventId)
-      .maybeSingle();
+    const trackingNumber = data.tracking_number;
+    const carrier = data.carrier;
+    const trackingStatus = data.tracking_status; // Latest status object
 
-    if (existing) {
-      return NextResponse.json({ duplicate: true });
+    if (!trackingNumber || !trackingStatus) {
+        return NextResponse.json({ error: 'Missing tracking data' }, { status: 400 });
     }
 
-    // Map Shippo status → internal
-    let newStatus = "shipped";
-
-    switch (tracking_status.status) {
-      case "DELIVERED":
-        newStatus = "delivered";
-        break;
-      case "RETURNED":
-        newStatus = "returned";
-        break;
-      case "FAILURE":
-        newStatus = "failed";
-        break;
-      case "OUT_FOR_DELIVERY":
-        newStatus = "out_for_delivery";
-        break;
-      case "TRANSIT":
-      case "PRE_TRANSIT":
-        newStatus = "shipped";
-        break;
-    }
-
-    // Fetch order, including total_amount and items
-    const { data: orderResponse, error: findError } = await supabase
-      .from("orders")
-      .select("id, customer_email, billing_address, fulfillment_status, total_amount, items")
-      .eq("tracking_number", tracking_number)
-      .maybeSingle();
+    const supabase = await createClient();
 
-    const order = orderResponse as OrderRecord | null;
+    // 2. Find Order
+    const { data: order, error: orderError } = await supabase
+        .from('orders')
+        .select('*')
+        .eq('tracking_number', trackingNumber)
+        .maybeSingle();
 
-    if (findError || !order) {
-      console.error("Order not found:", tracking_number);
-      return NextResponse.json({ notFound: true });
+    if (orderError || !order) {
+        console.warn(`[Shippo Webhook] Order not found for tracking: ${trackingNumber}`);
+        return NextResponse.json({ message: 'Order not found' });
     }
 
-    // Skip if no status change
-    if (order.fulfillment_status === newStatus) {
-      await supabase.from("shippo_events").insert({
-        id: eventId,
-        status: "skipped_duplicate_status",
-      });
-
-      return NextResponse.json({ skipped: true });
+    // 3. Update Order Status
+    let nextStatus: string = order.status;
+    let fulfillmentStatus: string = order.fulfillment_status;
+
+    // Map Shippo statuses to our Order statuses
+    // SHippo statuses: UNKNOWN, PRE_TRANSIT, TRANSIT, OUT_FOR_DELIVERY, DELIVERED, RETURNED, FAILURE
+    const shippoStatus = trackingStatus.status;
+
+    if (shippoStatus === 'DELIVERED') {
+        nextStatus = 'delivered';
+        fulfillmentStatus = 'delivered';
+    } else if (shippoStatus === 'OUT_FOR_DELIVERY') {
+        nextStatus = 'out_for_delivery';
+        fulfillmentStatus = 'out_for_delivery';
+    } else if (shippoStatus === 'TRANSIT') {
+        // Only update to 'shipped' if it wasn't already 'out_for_delivery' or 'delivered'
+        if (order.status !== 'delivered' && order.status !== 'out_for_delivery') {
+            nextStatus = 'shipped';
+            fulfillmentStatus = 'shipped';
+        }
     }
 
-    // Update status & last tracking update
     const { error: updateError } = await supabase
-      .from("orders")
-      .update({
-        fulfillment_status: newStatus,
-        last_tracking_update: tracking_status.status_date,
-      })
-      .eq("id", order.id);
-
-    if (updateError) throw updateError;
-
-    const customerName = order.billing_address?.name || "Customer";
-
-    // Trigger controlled emails
-    if (newStatus === "shipped") {
-      const totalAmount =
-        order.total_amount ??
-        (order.items as OrderItem[])?.reduce((sum: number, item: OrderItem) => {
-          return sum + item.price * item.quantity;
-        }, 0) ??
-        0;
-
-      await sendShippingNotificationEmail({
-        customerEmail: order.customer_email,
-        customerName,
-        orderId: order.id,
-        totalAmount,
-      });
+        .from('orders')
+        .update({
+            status: nextStatus as any,
+            fulfillment_status: fulfillmentStatus as any,
+            shippo_tracking_status: shippoStatus,
+            carrier: carrier,
+            updated_at: new Date().toISOString()
+        })
+        .eq('id', order.id);
+
+    if (updateError) {
+        console.error('[Shippo Webhook] Update Order Error:', updateError);
+    }
+
+    // 4. Record Tracking History
+    // Shippo tracking status objects have an 'object_id' which is unique for that specific update
+    const eventId = trackingStatus.object_id;
+    
+    if (eventId) {
+        await supabase
+            .from('order_tracking_history')
+            .upsert({
+                order_id: order.id,
+                status: shippoStatus,
+                details: trackingStatus.status_details,
+                location: trackingStatus.location 
+                    ? `${trackingStatus.location.city || ''}, ${trackingStatus.location.state || ''} ${trackingStatus.location.country || ''}`.trim().replace(/^,/, '').trim()
+                    : null,
+                shippo_event_id: eventId,
+                object_created: trackingStatus.object_created,
+            }, { onConflict: 'shippo_event_id' });
     }
 
-    if (newStatus === "delivered") {
-      const totalAmount =
-        order.total_amount ??
-        (order.items as OrderItem[])?.reduce((sum: number, item: OrderItem) => {
-          return sum + item.price * item.quantity;
-        }, 0) ??
-        0;
-
-      await sendDeliveryNotificationEmail({
-        customerEmail: order.customer_email,
-        customerName,
-        orderId: order.id,
-        totalAmount,
-      });
+    // 5. Trigger Emails on State Changes
+    if (nextStatus !== order.status) {
+        const customerName = order.shipping_address?.name || 'Valued Customer';
+        const customerEmail = order.customer_email || order.shipping_address?.email;
+
+        if (customerEmail) {
+            if (nextStatus === 'shipped' && order.status === 'paid') {
+                await sendShippingNotificationEmail({
+                    customerEmail,
+                    customerName,
+                    trackingNumber,
+                    orderId: order.id,
+                    totalAmount: order.amount_total
+                });
+            } else if (nextStatus === 'out_for_delivery') {
+                await sendOutForDeliveryNotificationEmail({
+                    customerEmail,
+                    customerName,
+                    trackingNumber,
+                    orderId: order.id,
+                    totalAmount: order.amount_total
+                });
+            } else if (nextStatus === 'delivered') {
+                await sendDeliveryNotificationEmail({
+                    customerEmail,
+                    customerName,
+                    orderId: order.id,
+                    totalAmount: order.amount_total
+                });
+            }
+        }
     }
 
-    // Log event
-    await supabase.from("shippo_events").insert({
-      id: eventId,
-      order_id: order.id,
-      status: newStatus,
-    });
-
-    return NextResponse.json({
-      success: true,
-      orderId: order.id,
-      status: newStatus,
-    });
-  } catch (error: any) {
-    console.error("Shippo webhook failed:", error);
-
-    return NextResponse.json(
-      { error: error.message },
-      { status: 500 }
-    );
-  }
+    return NextResponse.json({ success: true });
 }