feat(dev-portal-web): DOMA-12705 add webhooks documentation…

[AleX83Xpert]

…and update ts-schema

Added comprehensive webhooks documentation for invoices in both English and Russian, including webhook setup, signature verification, retry policy, and best practices.

Summary by CodeRabbit

• Documentation

  • Added comprehensive webhook documentation for invoices in English and Russian, including setup instructions, payload examples, signature verification, and retry policies.

• New Features

  • B2B app configuration now supports development and production application URLs with filtering and sorting capabilities.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

This PR adds comprehensive webhook documentation for invoice-related features in English and Russian, updates invoice documentation metadata to include webhook navigation entries, and extends the GraphQL schema with development and production app URL fields for B2BApp entities with filtering and sorting support.

Changes

Cohort / File(s)	Summary
Webhook Documentation Metadata apps/dev-portal-web/docs/api/examples/invoices/_meta.en.json, apps/dev-portal-web/docs/api/examples/invoices/_meta.ru.json	Added new "webhooks" navigation entry to invoice documentation metadata (English: "Webhooks", Russian: "Вебхуки")
Webhook Documentation apps/dev-portal-web/docs/api/examples/invoices/webhooks.en.mdx, apps/dev-portal-web/docs/api/examples/invoices/webhooks.ru.mdx	Added comprehensive webhook documentation covering setup, payload structure, supported payment statuses, signature verification with Node.js examples, retry policy, error handling, best practices, and GraphQL/JSON examples
GraphQL Schema Extensions apps/dev-portal-web/gql/index.ts	Extended B2BApp-related GraphQL input types (Create, Update, Where variants), where-input clauses with full set of comparison operators, and sorting enums to support developmentAppUrl and productionAppUrl fields

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10–15 minutes

• Webhook documentation is straightforward new content review
• GraphQL schema additions follow homogeneous, repetitive patterns (same field operators applied consistently across multiple types)
• Areas requiring attention: Verify that developmentAppUrl and productionAppUrl were added consistently across all relevant B2BApp input/where/enum types; confirm all filter operator variants are present

Possibly related PRs

• refactor(dev-portal-web): INFRA-1181 dev-portal tech debt refactoring #6638: Modifies the same generated GraphQL surface (apps/dev-portal-web/gql/index.ts) with B2B schema refactoring and generation changes
• feat(dev-portal): INFRA-1230 small refactor and init B2BApp schema #6738: Updates the same GraphQL client generation file (apps/dev-portal-web/gql/index.ts) to extend B2B app input and enum types with URL-related fields

Suggested reviewers

• SavelevMatthew
• Alexander-Turkin
• toplenboren

Poem

🐰 Webhooks dance through invoice lanes so bright,
With URLs for dev and prod in sight,
GraphQL schemas bloom with filters fine,
Documentation shines in every line,
The rabbit hops—this change is just right! 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title clearly summarizes the main change: adding webhooks documentation to the dev-portal-web application, which aligns with the file changes (webhooks.en.mdx, webhooks.ru.mdx, and metadata updates).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch docs/dev-portal-web/doma-12705/invoice-webhooks-docs

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (3)

apps/dev-portal-web/gql/index.ts (1)

4722-4744: Consider exposing new URL fields in B2B app fragments/queries if needed

The B2BAppFragment and the createB2BApp / updateB2BApp operations still only select developerUrl and export IDs; they don’t include developmentAppUrl / productionAppUrl. If the UI needs to display or immediately re-use these URLs after create/update, you may want to extend the fragment and related queries to select them as well. If they’re only used server‑side, the current selection is fine.

Also applies to: 5094-5132

apps/dev-portal-web/docs/api/examples/invoices/webhooks.ru.mdx (2)

133-143: Consider adding input validation.

The signature verification function could benefit from explicit validation of required parameters to prevent runtime errors and provide clearer error messages.

 function verifyWebhookSignature(rawBody, signature, secret, algorithm) {
+    // Validate inputs
+    if (!rawBody || !signature || !secret || !algorithm) {
+        return false
+    }
+    
     const allowedAlgorithms = new Set(['sha256', 'sha384', 'sha512'])
     if (!allowedAlgorithms.has(algorithm)) return false

     const expectedSignature = crypto
         .createHmac(algorithm, secret)
         .update(rawBody)
         .digest('hex')
     
     return signature === expectedSignature
 }

---

146-166: Add error handling for robustness.

The middleware example lacks error handling for several failure scenarios: missing headers, JSON parsing errors, and failed secret retrieval. Adding these checks would make the example more production-ready.

 app.post('/webhook/payment', express.text({ type: 'application/json' }), (req, res) => {
     const signature = req.headers['x-webhook-signature']
     const algorithm = req.headers['x-webhook-signature-algorithm'] || 'sha256'
     const webhookId = req.headers['x-webhook-id']
     const rawBody = req.body
     
+    // Validate required headers
+    if (!signature || !webhookId) {
+        return res.status(400).json({ error: 'Missing required headers' })
+    }
+    
     // Получаем сохраненный секрет для этого счета
     const secret = getStoredSecretForInvoice(invoiceId)
+    
+    if (!secret) {
+        return res.status(500).json({ error: 'Failed to retrieve secret' })
+    }
     
     if (!verifyWebhookSignature(rawBody, signature, secret, algorithm)) {
         return res.status(401).json({ error: 'Invalid signature' })
     }
     
+    let payload
+    try {
-        const payload = JSON.parse(rawBody)
+        payload = JSON.parse(rawBody)
+    } catch (error) {
+        return res.status(400).json({ error: 'Invalid JSON payload' })
+    }
     
     // Обрабатываем вебхук
     console.log(`Статус платежа ${payload.id} изменен на ${payload.status}`)
     
     res.status(200).json({ status: 'ok' })
 })

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7fcaab9 and a30ba70.

📒 Files selected for processing (5)

• apps/dev-portal-web/docs/api/examples/invoices/_meta.en.json (1 hunks)
• apps/dev-portal-web/docs/api/examples/invoices/_meta.ru.json (1 hunks)
• apps/dev-portal-web/docs/api/examples/invoices/webhooks.en.mdx (1 hunks)
• apps/dev-portal-web/docs/api/examples/invoices/webhooks.ru.mdx (1 hunks)
• apps/dev-portal-web/gql/index.ts (14 hunks)

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-06-25T07:34:53.845Z

Learnt from: YEgorLu
Repo: open-condo-software/condo PR: 6308
File: apps/condo/schema.graphql:2333-2333
Timestamp: 2025-06-25T07:34:53.845Z
Learning: In GraphQL schemas, update input types should typically have all fields optional to support partial updates. This allows clients to only provide the fields they want to change rather than being forced to provide all fields.

Applied to files:

• apps/dev-portal-web/gql/index.ts

🧬 Code graph analysis (1)

apps/dev-portal-web/gql/index.ts (1)

apps/condo/schema.ts (2)

• InputMaybe (5-5)
• Scalars (12-24)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Build open-source part (ubuntu-22.04, 24.x, 3.14)
• GitHub Check: Lint source code (24.x)
• GitHub Check: Semgrep vulnerabilities check
• GitHub Check: Check dependencies integrity (24.x)

🔇 Additional comments (14)

apps/dev-portal-web/docs/api/examples/invoices/_meta.en.json (1)

4-5: LGTM!

The navigation metadata update correctly adds the new webhooks documentation entry with proper JSON formatting.

apps/dev-portal-web/docs/api/examples/invoices/webhooks.en.mdx (9)

1-22: LGTM!

The introduction, workflow steps, and field documentation are clear, well-organized, and provide a solid foundation for understanding webhook functionality.

---

24-70: LGTM!

The GraphQL mutation example and response are well-structured and demonstrate the correct usage of webhook fields. The security warning about storing the secret is an important reminder for developers.

---

72-100: LGTM!

The webhook payload example is comprehensive and clearly demonstrates the structure developers will receive, including nested organization and invoice objects.

---

102-110: LGTM!

The payment statuses are clearly documented with meaningful descriptions for each state.

---

112-121: LGTM!

The webhook headers are well-documented with clear descriptions and supported algorithm values.

---

168-174: LGTM!

The URL whitelist requirement is clearly communicated with a clear call to action for registration.

---

176-182: LGTM!

The best practices section provides solid, security-focused guidance covering all critical aspects of webhook implementation.

---

184-200: LGTM!

The retry policy is clearly documented with a reasonable exponential backoff schedule and explicit time limits.

---

202-208: LGTM!

The error handling guidance provides clear HTTP status code recommendations and explains which codes trigger retries.

apps/dev-portal-web/gql/index.ts (3)

53-73: B2B app URL fields on create/update/history inputs are consistent and optional

developmentAppUrl / productionAppUrl are added across B2B create/update/history inputs as InputMaybe<String>, matching existing patterns and keeping all update fields optional, which aligns with the partial‑update convention for input types. No issues from a schema/TS typing perspective.
Based on learnings, update inputs remain fully optional.

Also applies to: 75-99, 106-129, 377-397

---

131-362: URL filter operators mirror existing patterns

The new developmentAppUrl* and productionAppUrl* filters in B2BAppHistoryRecordWhereInput and B2BAppWhereInput replicate the full operator set used for developerUrl (plain, contains, contains_i, starts_with, ends_with, not_*, *_in, etc.), so filtering capabilities are consistent and predictable. No schema/TS issues spotted here.

Also applies to: 399-624

---

2889-2959: Sort enums extended correctly for new URL fields

SortB2BAppHistoryRecordsBy and SortB2BAppsBy now include DevelopmentAppUrlAsc/Desc and ProductionAppUrlAsc/Desc, aligned with the new fields and existing naming convention for sort keys. Enum values follow the same <field>_ASC/DESC pattern as the rest.

apps/dev-portal-web/docs/api/examples/invoices/_meta.ru.json (1)

2-5: New Russian meta entry for webhooks looks good

The "webhooks": "Вебхуки" entry is correctly added, keeps the JSON valid, and is consistent with existing labels.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud