Fix webhook sync session usage and add regression test (#90)

Author: shayancoin

backend/api/security.py

@@ -13,6 +13,17 @@
 
 from api.config import Settings, get_settings
 
+
+def _load_expected_write_token(settings: Settings) -> str:
+    """Resolve the configured API write token from settings or environment."""
+
+    token = getattr(settings, "api_write_token", None)
+    if isinstance(token, str) and token.strip():
+        return token.strip()
+    env_token = os.getenv("API_WRITE_TOKEN", "")
+    return env_token.strip()
+
+
 # Write token (admin) auth
 api_key_header = APIKeyHeader(name="Authorization", auto_error=False)
 

backend/tests/test_sync_routes_metrics.py

@@ -4,13 +4,15 @@
 import hmac
 import json
 import re
+import uuid
 
 import pytest
 from fastapi.testclient import TestClient
 from sqlalchemy import text
 
 from api.config import get_settings
 from api.main import app
+from api.routes_sync import settings as sync_settings
 
 
 def _sig(secret: str, body: bytes) -> str:
@@ -37,8 +39,9 @@ async def fake_pull_all(db, page_size=None):
 
     monkeypatch.setattr(svc.HygraphService, "pull_all", fake_pull_all)
 
-    body = json.dumps({"ping": "ok"}).encode()
-    sig = _sig("whsec", body)
+    unique_payload = {"ping": str(uuid.uuid4())}
+    body = json.dumps(unique_payload).encode()
+    sig = _sig(sync_settings.hygraph_webhook_secret, body)
 
     # First delivery -> 202 Accepted, background processing logs counts
     r1 = client.post("/api/sync/hygraph", data=body, headers={"x-hygraph-signature": sig})