Implement webhook for create/update event

[odkhang]

This PR closes/references issue #XX. It does so by …

How has this been tested?

Checklist

• I have added tests to cover my changes.

Summary by Sourcery

Implement webhooks to handle create, update, and delete actions for organisers, teams, and events, and add corresponding URL routes to the application.

New Features:

• Introduce webhooks for handling create, update, and delete actions for organisers, teams, and events, allowing external systems to trigger these actions via HTTP requests.

Enhancements:

• Add URL routes for organiser, team, and event webhooks to the Django application, enabling the new webhook functionality.

[sourcery-ai]

Reviewer's Guide by Sourcery

This pull request implements webhooks for create/update events in the pretalx application. It adds new URL patterns for webhook endpoints, introduces task processing for organiser, team, and event webhooks, and implements webhook handler functions with JWT authentication and permission checks.

File-Level Changes

Change	Details	Files
Added new URL patterns for webhook endpoints	Added URL patterns for organiser, team, and event webhooks	src/pretalx/eventyay_common/urls.py
Implemented task processing for webhooks	Created shared tasks for processing organiser, team, and event webhooks Implemented logic for creating, updating, and deleting organisers Implemented logic for creating, updating, and deleting teams Implemented logic for creating and updating events	src/pretalx/eventyay_common/tasks.py
Implemented webhook handler functions	Created webhook handlers for organiser, team, and event webhooks Implemented JWT token validation and permission checks Added CSRF exemption for webhook endpoints Implemented error handling for invalid tokens and permissions	src/pretalx/eventyay_common/webhooks.py

---

Tips

• Trigger a new Sourcery review by commenting @sourcery-ai review on the pull request.
• Continue your discussion with Sourcery by replying directly to review comments.
• You can change your review settings at any time by accessing your dashboard:
  • Enable or disable the Sourcery-generated pull request summary or reviewer's guide;
  • Change the review language;
• You can always contact us if you have any questions or feedback.

[sourcery-ai]

Hey @odkhang - I've reviewed your changes - here's some feedback:

Overall Comments:

• Consider improving error handling in webhook processing tasks. Currently, exceptions are logged but not handled, which could lead to silent failures.
• While JWT validation is a good start, consider implementing additional security measures such as rate limiting and IP whitelisting for the webhook endpoints.
• To prevent potential race conditions in asynchronous tasks, consider using database transactions when creating or updating objects.
• The PR lacks tests. Please add comprehensive unit and integration tests for the new webhook functionality to ensure reliability and ease of maintenance.

Here's what I looked at during the review

• 🟡 General issues: 2 issues found
• 🟡 Security: 1 issue found
• 🟢 Testing: all looks good
• 🟡 Complexity: 1 issue found
• 🟢 Documentation: all looks good

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment to tell me if it was helpful.}

[sourcery-ai]

🚨 issue (security): Potential security risk with setattr in loop

Using setattr in a loop with user-provided data could be dangerous if team_data contains unexpected fields. Consider explicitly updating only allowed fields.

[sourcery-ai]

suggestion: Refactor duplicate code in webhook handlers

There's significant code duplication in the three webhook handler functions for checking the Authorization header and token. Consider refactoring this into a decorator or middleware to reduce duplication.

def webhook_auth_required(view_func):
    @wraps(view_func)
    def wrapper(request, *args, **kwargs):
        auth_header = request.headers.get('Authorization')
        if not auth_header or not auth_header.startswith('Bearer '):
            return JsonResponse({'error': 'Invalid Authorization header'}, status=401)
        token = auth_header.split()[1]
        # Token validation logic here
        return view_func(request, *args, **kwargs)
    return wrapper

@csrf_exempt
@webhook_auth_required
def organiser_webhook(request):

[sourcery-ai]

suggestion: Separate team creation logic

Consider moving the logic for creating the 'Administrators' team into a separate function for better separation of concerns.

def create_administrator_team(organiser):
    TeamForm(organiser=organiser).save()

# Create an Administrator team for new organiser
create_administrator_team(organiser)

[sourcery-ai]

issue (complexity): Consider refactoring the webhook processing logic into a more generic structure.

The current implementation introduces unnecessary complexity through repetitive code structures. Consider the following improvements:

1. Replace the Action class with string constants:

CREATE = "create"
UPDATE = "update"
DELETE = "delete"

2. Create a generic process_webhook function:

@shared_task
def process_webhook(entity_type, data):
    try:
        action = data.get("action")
        if action not in (CREATE, UPDATE, DELETE):
            logger.error(f"Unknown action: {action}")
            return

        entity_handlers = {
            "organiser": handle_organiser,
            "team": handle_team,
            "event": handle_event,
        }
        handler = entity_handlers.get(entity_type)
        if not handler:
            logger.error(f"Unknown entity type: {entity_type}")
            return

        handler(action, data)
    except ValidationError as e:
        logger.error("Validation error:", e.message_dict)
    except Exception as e:
        logger.error(f"Error processing {entity_type}:", e)

3. Implement entity-specific handler functions:

def handle_organiser(action, data):
    if action == CREATE:
        organiser = Organiser(name=data.get("name"), slug=data.get("slug"))
        organiser.full_clean()
        organiser.save()
        create_admin_team(organiser)
    elif action == UPDATE:
        organiser = Organiser.objects.get(slug=data.get("slug"))
        organiser.name = data.get("name")
        organiser.full_clean()
        organiser.save()
    elif action == DELETE:
        # Implement delete logic here
        pass

    logger.info(f"Organiser {data.get('name')} {action}d successfully.")

# Implement similar handlers for team and event

This approach reduces code duplication, improves maintainability, and allows for easier addition of new entity types in the future. The generic process_webhook function handles common logic, while entity-specific functions manage unique processing steps.