app/models/agents/webhook_agent.rb

module Agents
  class WebhookAgent < Agent
    include EventHeadersConcern
    include WebRequestConcern  # to make reCAPTCHA verification requests

    cannot_be_scheduled!
    cannot_receive_events!

    description do
      <<~MD
        The Webhook Agent will create events by receiving webhooks from any source. In order to create events with this agent, make a POST request to:

        ```
        https://#{ENV['DOMAIN']}/users/#{user.id}/web_requests/#{id || ':id'}/#{options['secret'] || ':secret'}
        ```

        #{'The placeholder symbols above will be replaced by their values once the agent is saved.' unless id}

        Options:

        * `secret` - A token that the host will provide for authentication.
        * `expected_receive_period_in_days` - How often you expect to receive
          events this way. Used to determine if the agent is working.
        * `payload_path` - JSONPath of the attribute in the POST body to be
          used as the Event payload.  Set to `.` to return the entire message.
          If `payload_path` points to an array, Events will be created for each element.
        * `event_headers` - Comma-separated list of HTTP headers your agent will include in the payload.
        * `event_headers_key` - The key to use to store all the headers received
        * `verbs` - Comma-separated list of http verbs your agent will accept.
          For example, "post,get" will enable POST and GET requests. Defaults
          to "post".
        * `response` - The response message to the request. Defaults to 'Event Created'.
        * `response_headers` - An object with any custom response headers. (example: `{"Access-Control-Allow-Origin": "*"}`)
        * `code` - The response code to the request. Defaults to '201'. If the code is '301' or '302' the request will automatically be redirected to the url defined in "response".
        * `recaptcha_secret` - Setting this to a reCAPTCHA "secret" key makes your agent verify incoming requests with reCAPTCHA.  Don't forget to embed a reCAPTCHA snippet including your "site" key in the originating form(s).
        * `recaptcha_send_remote_addr` - Set this to true if your server is properly configured to set REMOTE_ADDR to the IP address of each visitor (instead of that of a proxy server).
        * `score_threshold` - Setting this when using reCAPTCHA v3 to define the treshold when a submission is verified. Defaults to 0.5
      MD
    end

    event_description do
      <<~MD
        The event payload is based on the value of the `payload_path` option,
        which is set to `#{interpolated['payload_path']}`.
      MD
    end

    def default_options
      {
        "secret" => SecureRandom.uuid,
        "expected_receive_period_in_days" => 1,
        "payload_path" => ".",
        "event_headers" => "",
        "event_headers_key" => "headers",
        "score_threshold" => 0.5
      }
    end

    def receive_web_request(request)
      # check the secret
      secret = request.path_parameters[:secret]
      return ["Not Authorized", 401] unless secret == interpolated['secret']

      params = request.query_parameters.dup
      begin
        params.update(request.request_parameters)
      rescue EOFError
      end

      method = request.method_symbol.to_s
      headers = request.headers.each_with_object({}) { |(name, value), hash|
        case name
        when /\AHTTP_([A-Z0-9_]+)\z/
          hash[$1.tr('_', '-').gsub(/[^-]+/, &:capitalize)] = value
        end
      }

      # check the verbs
      verbs = (interpolated['verbs'] || 'post').split(/,/).map { |x| x.strip.downcase }.select { |x| x.present? }
      return ["Please use #{verbs.join('/').upcase} requests only", 401] unless verbs.include?(method)

      # check the code
      code = (interpolated['code'].presence || 201).to_i

      # check the reCAPTCHA response if required
      if recaptcha_secret = interpolated['recaptcha_secret'].presence
        recaptcha_response = params.delete('g-recaptcha-response') or
          return ["Not Authorized", 401]

        parameters = {
          secret: recaptcha_secret,
          response: recaptcha_response,
        }

        if boolify(interpolated['recaptcha_send_remote_addr'])
          parameters[:remoteip] = request.env['REMOTE_ADDR']
        end

        begin
          response = faraday.post('https://www.google.com/recaptcha/api/siteverify',
                                  parameters)
        rescue StandardError => e
          error "Verification failed: #{e.message}"
          return ["Not Authorized", 401]
        end

        body = JSON.parse(response.body)
        if interpolated['score_threshold'].present? && body['score'].present?
          body['score'] > interpolated['score_threshold'].to_f or
            return ["Not Authorized", 401]
        else
          body['success'] or
            return ["Not Authorized", 401]
        end
      end

      [payload_for(params)].flatten.each do |payload|
        create_event(payload: payload.merge(event_headers_payload(headers)))
      end

      if interpolated['response_headers'].presence
        [
          interpolated(params)['response'] || 'Event Created',
          code,
          "text/plain",
          interpolated['response_headers'].presence
        ]
      else
        [
          interpolated(params)['response'] || 'Event Created',
          code
        ]
      end
    end

    def working?
      event_created_within?(interpolated['expected_receive_period_in_days']) && !recent_error_logs?
    end

    def validate_options
      unless options['secret'].present?
        errors.add(:base, "Must specify a secret for 'Authenticating' requests")
      end

      if options['code'].present? && options['code'].to_s !~ /\A\s*(\d+|\{.*)\s*\z/
        errors.add(:base, "Must specify a code for request responses")
      end

      if options['code'].to_s.in?(['301', '302']) && !options['response'].present?
        errors.add(:base, "Must specify a url for request redirect")
      end

      validate_event_headers_options!
    end

    def payload_for(params)
      Utils.value_at(params, interpolated['payload_path']) || {}
    end
  end
end