poduck/smoothschedule
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Add comprehensive sandbox mode, public API system, and platform support

Browse Source 
This commit adds major features for sandbox isolation, public API access, and platform support ticketing.

## Sandbox Mode
- Add sandbox mode toggle for businesses to test features without affecting live data
- Implement schema-based isolation for tenant data (appointments, resources, services)
- Add is_sandbox field filtering for shared models (customers, staff, tickets)
- Create sandbox middleware to detect and set sandbox mode from cookies
- Add sandbox context and hooks for React frontend
- Display sandbox banner when in test mode
- Auto-reload page when switching between live/test modes
- Prevent platform support tickets from being created in sandbox mode

## Public API System
- Full REST API for external integrations with businesses
- API token management with sandbox/live token separation
- Test tokens (ss_test_*) show full plaintext for easy testing
- Live tokens (ss_live_*) are hashed and secure
- Security validation prevents live token plaintext storage
- Comprehensive test suite for token security
- Rate limiting and throttling per token
- Webhook support for real-time event notifications
- Scoped permissions system (read/write per resource type)
- API documentation page with interactive examples
- Token revocation with confirmation modal

## Platform Support
- Dedicated support page for businesses to contact SmoothSchedule
- View all platform support tickets in one place
- Create new support tickets with simplified interface
- Reply to existing tickets with conversation history
- Platform tickets have no admin controls (no priority/category/assignee/status)
- Internal notes hidden for platform tickets (business can't see them)
- Quick help section with links to guides and API docs
- Sandbox warning prevents ticket creation in test mode
- Business ticketing retains full admin controls (priority, assignment, internal notes)

## UI/UX Improvements
- Add notification dropdown with real-time updates
- Staff permissions UI for ticket access control
- Help dropdown in sidebar with Platform Guide, Ticketing Help, API Docs, and Support
- Update sidebar "Contact Support" to "Support" with message icon
- Fix navigation links to use React Router instead of anchor tags
- Remove unused language translations (Japanese, Portuguese, Chinese)

## Technical Details
- Sandbox middleware sets request.sandbox_mode from cookies
- ViewSets filter data by is_sandbox field
- API authentication via custom token auth class
- WebSocket support for real-time ticket updates
- Migration for sandbox fields on User, Tenant, and Ticket models
- Comprehensive documentation in SANDBOX_MODE_IMPLEMENTATION.md

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
poduck
2025-11-28 16:44:06 -05:00
parent 4acea4f876
commit a9719a5fd2
77 changed files with 11407 additions and 2694 deletions
Download Patch File Download Diff File Expand all files Collapse all files

151
smoothschedule/SANDBOX_MODE_IMPLEMENTATION.md Normal file
View File

@@ -0,0 +1,151 @@
# Sandbox Mode Implementation Summary
## Overview
Sandbox/Test mode provides complete data isolation for testing. Users can toggle between Live and Test modes via a switch in the header. Each mode has its own:
- Database schema (for tenant-specific data like appointments, resources, services)
- Customer records (filtered by `is_sandbox` flag on User model)
## Architecture
### Backend Components
1. **Tenant Model** (`core/models.py`)
- `sandbox_schema_name`: PostgreSQL schema for sandbox data (e.g., `demo_sandbox`)
- `sandbox_enabled`: Boolean to enable/disable sandbox for tenant
- Auto-generates sandbox schema name on save
2. **SandboxModeMiddleware** (`core/middleware.py:16-118`)
- Switches database schema based on:
- API token prefix (`ss_test_*` = sandbox, `ss_live_*` = live)
- `X-Sandbox-Mode: true` header
- Session value `sandbox_mode`
- Sets `request.sandbox_mode = True/False` for views to use
- MUST run AFTER `SessionMiddleware` in middleware order
3. **User Model** (`smoothschedule/users/models.py`)
- `is_sandbox`: Boolean field to mark sandbox customers
- Live customers have `is_sandbox=False`, test customers have `is_sandbox=True`
4. **API Endpoints** (`schedule/api_views.py`)
- `GET /api/sandbox/status/` - Get current sandbox state
- `POST /api/sandbox/toggle/` - Toggle sandbox mode (sets session)
5. **CustomerViewSet** (`schedule/views.py:199-249`)
- Filters customers by `request.sandbox_mode`
- `perform_create` sets `is_sandbox` based on current mode
6. **StaffViewSet** (`schedule/views.py:302-366`)
- Filters staff by `request.sandbox_mode`
- Staff created via invitations inherit sandbox mode from request
7. **TicketViewSet** (`tickets/views.py:65-167`)
- Filters tickets by `request.sandbox_mode` (except PLATFORM tickets)
- `perform_create` sets `is_sandbox` based on current mode
- PLATFORM tickets are always created in live mode
8. **PublicCustomerViewSet** (`public_api/views.py:888-968`)
- Also filters by sandbox mode for API customers
9. **APIToken Model** (`public_api/models.py`)
- `is_sandbox`: Boolean for token type
- Key prefixes: `ss_test_*` (sandbox) or `ss_live_*` (live)
### Frontend Components
1. **SandboxContext** (`contexts/SandboxContext.tsx`)
- Provides `isSandbox`, `sandboxEnabled`, `toggleSandbox`, `isToggling`
- Syncs state to localStorage for API client
2. **SandboxToggle** (`components/SandboxToggle.tsx`)
- Toggle switch component with Live/Test labels
3. **SandboxBanner** (`components/SandboxBanner.tsx`)
- Orange warning banner shown in test mode
4. **API Client** (`api/client.ts:23-51`)
- Reads `localStorage.getItem('sandbox_mode')`
- Adds `X-Sandbox-Mode: true` header when in sandbox
5. **BusinessLayout** (`layouts/BusinessLayout.tsx`)
- Wrapped with `SandboxProvider`
- Shows `SandboxBanner` when in test mode
6. **TopBar** (`components/TopBar.tsx`)
- Includes `SandboxToggle` component
### Configuration
1. **CORS** (`config/settings/local.py:75-78`)
- `x-sandbox-mode` added to `CORS_ALLOW_HEADERS`
2. **Middleware Order** (`config/settings/multitenancy.py:89-122`)
- SandboxModeMiddleware MUST come AFTER SessionMiddleware
## Database Schemas
Each tenant has two schemas:
- `{tenant_name}` - Live data (e.g., `demo`)
- `{tenant_name}_sandbox` - Test data (e.g., `demo_sandbox`)
Schemas created via: `python manage.py create_sandbox_schemas`
## What's Isolated
| Data Type | Isolation Method |
|-----------|------------------|
| Appointments/Events | Schema switching (automatic) |
| Resources | Schema switching (automatic) |
| Services | Schema switching (automatic) |
| Payments | Schema switching (automatic) |
| Notifications | Schema switching (automatic) |
| Communication | Schema switching (automatic) |
| Customers | `is_sandbox` field on User model |
| Staff Members | `is_sandbox` field on User model |
| Tickets (CUSTOMER/STAFF_REQUEST/INTERNAL) | `is_sandbox` field on Ticket model |
| Tickets (PLATFORM) | NOT isolated (always live - platform support) |
| Business Settings (Tenant) | NOT isolated (shared between modes) |
## Key Files Modified
### Backend
- `core/models.py` - Tenant sandbox fields
- `core/middleware.py` - SandboxModeMiddleware
- `smoothschedule/users/models.py` - User.is_sandbox field
- `smoothschedule/users/api_views.py` - accept_invitation_view sets is_sandbox
- `schedule/views.py` - CustomerViewSet and StaffViewSet sandbox filtering
- `schedule/api_views.py` - sandbox_status_view, sandbox_toggle_view
- `tickets/models.py` - Ticket.is_sandbox field
- `tickets/views.py` - TicketViewSet sandbox filtering
- `public_api/models.py` - APIToken.is_sandbox
- `public_api/views.py` - PublicCustomerViewSet sandbox filtering
- `config/settings/local.py` - CORS headers
- `config/settings/multitenancy.py` - Middleware order, tickets in SHARED_APPS
### Frontend
- `src/api/sandbox.ts` - API functions
- `src/api/client.ts` - X-Sandbox-Mode header
- `src/hooks/useSandbox.ts` - React Query hooks
- `src/contexts/SandboxContext.tsx` - Context provider
- `src/components/SandboxToggle.tsx` - Toggle UI
- `src/components/SandboxBanner.tsx` - Warning banner
- `src/components/TopBar.tsx` - Added toggle
- `src/layouts/BusinessLayout.tsx` - Provider + banner
- `src/i18n/locales/en.json` - Translations
## Migrations
```bash
# Migrations for User.is_sandbox and Ticket.is_sandbox fields
cd /home/poduck/Desktop/smoothschedule2/smoothschedule
docker compose -f docker-compose.local.yml exec django python manage.py migrate
```
## Current State
- ✅ Sandbox mode toggle works
- ✅ CORS configured for X-Sandbox-Mode header
- ✅ Customer isolation by is_sandbox field implemented
- ✅ Staff isolation by is_sandbox field implemented
- ✅ Ticket isolation by is_sandbox field implemented (except PLATFORM tickets)
- ✅ Appointments/Events/Resources/Services automatically isolated via schema switching
- ✅ Existing users are `is_sandbox=False` (live)
- ✅ Existing tickets are `is_sandbox=False` (live)
- ✅ Test mode shows empty data (clean sandbox)

1
smoothschedule/config/settings/local.py
View File

@@ -74,6 +74,7 @@ CORS_ALLOWED_ORIGIN_REGEXES = [
CORS_ALLOW_CREDENTIALS = True
CORS_ALLOW_HEADERS = list(default_headers) + [
"x-business-subdomain",
"x-sandbox-mode",
]
# CSRF

11
smoothschedule/config/settings/multitenancy.py
View File

@@ -43,7 +43,8 @@ SHARED_APPS = [
'crispy_forms',
'crispy_bootstrap5',
'csp',
'tickets', # New: Core ticket system
'tickets', # Ticket system - shared for platform support access
'smoothschedule.public_api', # Public API v1 for third-party integrations
]
# Tenant-specific apps - Each tenant gets isolated data in their own schema
@@ -88,15 +89,19 @@ DATABASE_ROUTERS = [
MIDDLEWARE = [
# 1. MUST BE FIRST: Tenant resolution
'django_tenants.middleware.main.TenantMainMiddleware',
# 2. Security middleware
'django.middleware.security.SecurityMiddleware',
'csp.middleware.CSPMiddleware',
'corsheaders.middleware.CorsMiddleware', # Moved up for better CORS handling
'whitenoise.middleware.WhiteNoiseMiddleware',
# 3. Session & CSRF
'django.contrib.sessions.middleware.SessionMiddleware',
# 4. Sandbox mode - switches to sandbox schema if requested
# MUST come after TenantMainMiddleware and SessionMiddleware
'core.middleware.SandboxModeMiddleware',
'django.middleware.locale.LocaleMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',

20
smoothschedule/config/urls.py
View File

@@ -18,7 +18,10 @@ from smoothschedule.users.api_views import (
)
from schedule.api_views import (
current_business_view, update_business_view,
oauth_settings_view, oauth_credentials_view
oauth_settings_view, oauth_credentials_view,
custom_domains_view, custom_domain_detail_view,
custom_domain_verify_view, custom_domain_set_primary_view,
sandbox_status_view, sandbox_toggle_view, sandbox_reset_view
)
urlpatterns = [
@@ -37,12 +40,16 @@ urlpatterns = [
# API URLS
urlpatterns += [
# Schedule API
# Public API v1 (for third-party integrations)
path("api/v1/", include("smoothschedule.public_api.urls", namespace="public_api")),
# Schedule API (internal)
path("api/", include("schedule.urls")),
# Payments API
path("api/payments/", include("payments.urls")),
# Tickets API
path("api/tickets/", include("tickets.urls")),
# Notifications API
path("api/notifications/", include("notifications.urls")),
# Platform API
path("api/platform/", include("platform_admin.urls", namespace="platform")),
# Auth API
@@ -66,6 +73,15 @@ urlpatterns += [
path("api/business/current/update/", update_business_view, name="update_business"),
path("api/business/oauth-settings/", oauth_settings_view, name="oauth_settings"),
path("api/business/oauth-credentials/", oauth_credentials_view, name="oauth_credentials"),
# Custom Domains API
path("api/business/domains/", custom_domains_view, name="custom_domains"),
path("api/business/domains/<int:domain_id>/", custom_domain_detail_view, name="custom_domain_detail"),
path("api/business/domains/<int:domain_id>/verify/", custom_domain_verify_view, name="custom_domain_verify"),
path("api/business/domains/<int:domain_id>/set-primary/", custom_domain_set_primary_view, name="custom_domain_set_primary"),
# Sandbox Mode API
path("api/sandbox/status/", sandbox_status_view, name="sandbox_status"),
path("api/sandbox/toggle/", sandbox_toggle_view, name="sandbox_toggle"),
path("api/sandbox/reset/", sandbox_reset_view, name="sandbox_reset"),
# API Docs
path("api/schema/", SpectacularAPIView.as_view(), name="api-schema"),
path(

0
smoothschedule/core/management/__init__.py Normal file
View File

0
smoothschedule/core/management/commands/__init__.py Normal file
View File

152
smoothschedule/core/management/commands/create_sandbox_schemas.py Normal file
View File

@@ -0,0 +1,152 @@
"""
Management command to create sandbox schemas for tenants.
This command creates a sandbox PostgreSQL schema for each tenant that doesn't
already have one. The sandbox schema provides complete data isolation for
test/development purposes.
Usage:
# Create sandbox schemas for all tenants
python manage.py create_sandbox_schemas
# Create sandbox schema for a specific tenant
python manage.py create_sandbox_schemas --tenant=demo
# Run migrations on sandbox schemas after creation
python manage.py create_sandbox_schemas --migrate
"""
from django.core.management.base import BaseCommand
from django.core.management import call_command
from django.db import connection
from core.models import Tenant
class Command(BaseCommand):
help = 'Create sandbox schemas for tenants'
def add_arguments(self, parser):
parser.add_argument(
'--tenant',
type=str,
help='Specific tenant schema name to create sandbox for',
)
parser.add_argument(
'--migrate',
action='store_true',
help='Run migrations on sandbox schemas after creation',
)
parser.add_argument(
'--dry-run',
action='store_true',
help='Show what would be done without making changes',
)
def handle(self, *args, **options):
tenant_filter = options.get('tenant')
run_migrations = options.get('migrate', False)
dry_run = options.get('dry_run', False)
# Get tenants to process
queryset = Tenant.objects.exclude(schema_name='public')
if tenant_filter:
queryset = queryset.filter(schema_name=tenant_filter)
tenants = list(queryset)
if not tenants:
self.stdout.write(
self.style.WARNING('No tenants found to process')
)
return
self.stdout.write(f'Processing {len(tenants)} tenant(s)...')
created_count = 0
skipped_count = 0
error_count = 0
for tenant in tenants:
# Generate sandbox schema name if not set
if not tenant.sandbox_schema_name:
tenant.sandbox_schema_name = f"{tenant.schema_name}_sandbox"
if not dry_run:
tenant.save(update_fields=['sandbox_schema_name'])
sandbox_schema = tenant.sandbox_schema_name
# Check if schema already exists
with connection.cursor() as cursor:
cursor.execute(
"SELECT EXISTS(SELECT 1 FROM pg_namespace WHERE nspname = %s)",
[sandbox_schema]
)
schema_exists = cursor.fetchone()[0]
if schema_exists:
self.stdout.write(
f' {tenant.name}: Schema "{sandbox_schema}" already exists, skipping'
)
skipped_count += 1
continue
if dry_run:
self.stdout.write(
f' {tenant.name}: Would create schema "{sandbox_schema}"'
)
created_count += 1
continue
# Create the sandbox schema
try:
with connection.cursor() as cursor:
cursor.execute(f'CREATE SCHEMA "{sandbox_schema}"')
self.stdout.write(
self.style.SUCCESS(
f' {tenant.name}: Created schema "{sandbox_schema}"'
)
)
created_count += 1
# Run migrations on the new schema if requested
if run_migrations:
self.stdout.write(
f' Running migrations on "{sandbox_schema}"...'
)
try:
call_command(
'migrate_schemas',
schema_name=sandbox_schema,
verbosity=0,
)
self.stdout.write(
self.style.SUCCESS(' Migrations complete')
)
except Exception as e:
self.stdout.write(
self.style.ERROR(f' Migration error: {e}')
)
except Exception as e:
self.stdout.write(
self.style.ERROR(
f' {tenant.name}: Error creating schema: {e}'
)
)
error_count += 1
# Summary
self.stdout.write('')
self.stdout.write('Summary:')
self.stdout.write(f' Created: {created_count}')
self.stdout.write(f' Skipped (already exist): {skipped_count}')
if error_count:
self.stdout.write(
self.style.ERROR(f' Errors: {error_count}')
)
if dry_run:
self.stdout.write('')
self.stdout.write(
self.style.WARNING('Dry run - no changes were made')
)

123
smoothschedule/core/middleware.py
View File

@@ -1,13 +1,132 @@
"""
Smooth Schedule Masquerade Audit Middleware
Captures and logs masquerading activity for compliance and security auditing
Smooth Schedule Core Middleware
- SandboxModeMiddleware: Switches between live and sandbox schemas
- MasqueradeAuditMiddleware: Captures and logs masquerading activity
"""
import logging
import json
from django.utils.deprecation import MiddlewareMixin
from django.utils import timezone
from django.db import connection
logger = logging.getLogger('smoothschedule.security.masquerade')
sandbox_logger = logging.getLogger('smoothschedule.sandbox')
class SandboxModeMiddleware(MiddlewareMixin):
"""
Middleware to switch between live and sandbox schemas based on:
1. Session value: request.session['sandbox_mode']
2. API header: X-Sandbox-Mode: true
3. API key prefix: ss_test_* vs ss_live_*
CRITICAL: This middleware MUST be placed AFTER TenantMainMiddleware in settings.
When sandbox mode is active:
- request.sandbox_mode = True
- Database connection is switched to tenant's sandbox schema
- All subsequent queries use the sandbox schema automatically
The sandbox schema is named: {tenant_schema_name}_sandbox
"""
def process_request(self, request):
"""
Check if sandbox mode is requested and switch schema if appropriate.
"""
# Initialize sandbox flag
request.sandbox_mode = False
# Get tenant from request (set by TenantMainMiddleware)
tenant = getattr(request, 'tenant', None)
# Debug logging
if request.path.startswith('/api/v1/tokens'):
sandbox_logger.info(f"Token endpoint: tenant={tenant}, schema={tenant.schema_name if tenant else None}")
# Skip for public schema or if no tenant
if not tenant or tenant.schema_name == 'public':
if request.path.startswith('/api/v1/tokens'):
sandbox_logger.info(f"Skipping: tenant is None or public")
return None
# Skip if sandbox is not enabled for this tenant
if not getattr(tenant, 'sandbox_enabled', False):
if request.path.startswith('/api/v1/tokens'):
sandbox_logger.info(f"Skipping: sandbox_enabled={getattr(tenant, 'sandbox_enabled', False)}")
return None
# Skip if no sandbox schema configured
sandbox_schema = getattr(tenant, 'sandbox_schema_name', None)
if not sandbox_schema:
if request.path.startswith('/api/v1/tokens'):
sandbox_logger.info(f"Skipping: no sandbox_schema_name")
return None
# Determine if sandbox mode should be active
is_sandbox = self._is_sandbox_mode(request)
if request.path.startswith('/api/v1/tokens'):
sandbox_logger.info(f"_is_sandbox_mode returned: {is_sandbox}")
if is_sandbox:
request.sandbox_mode = True
# Switch the database connection to the sandbox schema
# Note: django-tenants uses connection.set_tenant() but we need
# to manually switch to a different schema name
try:
connection.set_schema(sandbox_schema)
sandbox_logger.debug(
f"Switched to sandbox schema: {sandbox_schema} "
f"for tenant: {tenant.name}"
)
except Exception as e:
sandbox_logger.error(
f"Failed to switch to sandbox schema {sandbox_schema}: {e}"
)
# Fall back to live mode if sandbox schema doesn't exist
request.sandbox_mode = False
return None
def _is_sandbox_mode(self, request):
"""
Determine if the request should use sandbox mode.
Priority order:
1. API token prefix (ss_test_* = sandbox)
2. X-Sandbox-Mode header
3. Session value
"""
# Check for API token authentication first
auth_header = request.META.get('HTTP_AUTHORIZATION', '')
if auth_header.startswith('Bearer ss_test_'):
return True
if auth_header.startswith('Bearer ss_live_'):
return False
# Check for explicit header
sandbox_header = request.META.get('HTTP_X_SANDBOX_MODE', '').lower()
if sandbox_header == 'true':
return True
if sandbox_header == 'false':
return False
# Fall back to session value (if session is available)
# Session may not be available if this middleware runs before SessionMiddleware
session = getattr(request, 'session', None)
if session:
return session.get('sandbox_mode', False)
return False
def process_response(self, request, response):
"""
Add sandbox mode indicator to response headers.
"""
if getattr(request, 'sandbox_mode', False):
response['X-SmoothSchedule-Sandbox'] = 'true'
return response
class MasqueradeAuditMiddleware(MiddlewareMixin):

23
smoothschedule/core/migrations/0008_add_sandbox_fields.py Normal file
View File

@@ -0,0 +1,23 @@
# Generated by Django 5.2.8 on 2025-11-28 20:07
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
('core', '0007_add_tenant_permissions'),
]
operations = [
migrations.AddField(
model_name='tenant',
name='sandbox_enabled',
field=models.BooleanField(default=True, help_text='Whether sandbox/test mode is available for this business'),
),
migrations.AddField(
model_name='tenant',
name='sandbox_schema_name',
field=models.CharField(blank=True, help_text='PostgreSQL schema name for sandbox/test mode data', max_length=63),
),
]

19
smoothschedule/core/models.py
View File

@@ -126,6 +126,17 @@ class Tenant(TenantMixin):
help_text="Whether the business has completed initial onboarding"
)
# Sandbox/Test Mode
sandbox_schema_name = models.CharField(
max_length=63,
blank=True,
help_text="PostgreSQL schema name for sandbox/test mode data"
)
sandbox_enabled = models.BooleanField(
default=True,
help_text="Whether sandbox/test mode is available for this business"
)
# Auto-created fields from TenantMixin:
# - schema_name (unique, indexed)
# - auto_create_schema
@@ -133,7 +144,13 @@ class Tenant(TenantMixin):
class Meta:
ordering = ['name']
def save(self, *args, **kwargs):
# Auto-generate sandbox schema name if not set
if not self.sandbox_schema_name and self.schema_name and self.schema_name != 'public':
self.sandbox_schema_name = f"{self.schema_name}_sandbox"
super().save(*args, **kwargs)
def __str__(self):
return self.name

29
smoothschedule/core/permissions.py
View File

@@ -151,31 +151,32 @@ def get_hijackable_users(hijacker):
return qs.none()
def validate_hijack_chain(request):
def validate_hijack_chain(request, max_depth=5):
"""
Validate that hijack chains are not too deep.
Prevents: Admin1 -> Admin2 -> Admin3 -> User scenarios.
Smooth Schedule Security Policy: Maximum hijack depth is 1.
You cannot hijack while already hijacked.
Prevents unlimited masquerade chains for security.
Smooth Schedule Security Policy: Maximum hijack depth is configurable (default 5).
Multi-level masquerading is allowed up to the max depth.
Args:
request: Django request object
max_depth: Maximum allowed masquerade depth (default 5)
Raises:
PermissionDenied: If already in a hijack session
PermissionDenied: If max depth would be exceeded
Returns:
bool: True if allowed to start new hijack
"""
hijack_history = request.session.get('hijack_history', [])
if len(hijack_history) > 0:
if len(hijack_history) >= max_depth:
raise PermissionDenied(
"Cannot start a new masquerade session while already masquerading. "
"Please exit your current session first."
f"Maximum masquerade depth ({max_depth}) reached. "
"Please exit some sessions first."
)
return True

78
smoothschedule/notifications/serializers.py Normal file
View File

@@ -0,0 +1,78 @@
from rest_framework import serializers
from django.contrib.contenttypes.models import ContentType
from .models import Notification
class NotificationSerializer(serializers.ModelSerializer):
"""Serializer for user notifications."""
actor_type = serializers.SerializerMethodField()
actor_display = serializers.SerializerMethodField()
target_type = serializers.SerializerMethodField()
target_display = serializers.SerializerMethodField()
target_url = serializers.SerializerMethodField()
class Meta:
model = Notification
fields = [
'id',
'verb',
'read',
'timestamp',
'data',
'actor_type',
'actor_display',
'target_type',
'target_display',
'target_url',
]
read_only_fields = ['id', 'verb', 'timestamp', 'data', 'actor_type', 'actor_display', 'target_type', 'target_display', 'target_url']
def get_actor_type(self, obj):
"""Return the type of actor (e.g., 'user', 'system')."""
if obj.actor_content_type:
return obj.actor_content_type.model
return None
def get_actor_display(self, obj):
"""Return a display name for the actor."""
if obj.actor:
if hasattr(obj.actor, 'full_name'):
return obj.actor.full_name or obj.actor.email
return str(obj.actor)
return 'System'
def get_target_type(self, obj):
"""Return the type of target (e.g., 'ticket', 'appointment')."""
if obj.target_content_type:
return obj.target_content_type.model
return None
def get_target_display(self, obj):
"""Return a display name for the target."""
if obj.target:
if hasattr(obj.target, 'subject'):
return obj.target.subject
if hasattr(obj.target, 'title'):
return obj.target.title
if hasattr(obj.target, 'name'):
return obj.target.name
return str(obj.target)
return None
def get_target_url(self, obj):
"""Return a frontend URL for the target object."""
if not obj.target_content_type:
return None
model = obj.target_content_type.model
target_id = obj.target_object_id
# Map model types to frontend URLs
url_map = {
'ticket': f'/tickets?id={target_id}',
'event': f'/scheduler?event={target_id}',
'appointment': f'/scheduler?appointment={target_id}',
}
return url_map.get(model)

10
smoothschedule/notifications/urls.py Normal file
View File

@@ -0,0 +1,10 @@
from django.urls import path, include
from rest_framework.routers import DefaultRouter
from .views import NotificationViewSet
router = DefaultRouter()
router.register(r'', NotificationViewSet, basename='notification')
urlpatterns = [
path('', include(router.urls)),
]

63
smoothschedule/notifications/views.py
View File

@@ -1,3 +1,62 @@
from django.shortcuts import render
from rest_framework import viewsets, status
from rest_framework.decorators import action
from rest_framework.response import Response
from rest_framework.permissions import IsAuthenticated
# Create your views here.
from .models import Notification
from .serializers import NotificationSerializer
class NotificationViewSet(viewsets.ModelViewSet):
"""
API endpoint for user notifications.
Users can only see their own notifications.
"""
serializer_class = NotificationSerializer
permission_classes = [IsAuthenticated]
def get_queryset(self):
"""Return notifications for the current user only."""
return Notification.objects.filter(recipient=self.request.user)
def list(self, request, *args, **kwargs):
"""List notifications with optional filtering."""
queryset = self.get_queryset()
# Filter by read status
read_filter = request.query_params.get('read')
if read_filter is not None:
queryset = queryset.filter(read=read_filter.lower() == 'true')
# Limit results (default 50)
limit = int(request.query_params.get('limit', 50))
queryset = queryset[:limit]
serializer = self.get_serializer(queryset, many=True)
return Response(serializer.data)
@action(detail=False, methods=['get'])
def unread_count(self, request):
"""Get the count of unread notifications."""
count = self.get_queryset().filter(read=False).count()
return Response({'count': count})
@action(detail=True, methods=['post'])
def mark_read(self, request, pk=None):
"""Mark a single notification as read."""
notification = self.get_object()
notification.read = True
notification.save(update_fields=['read'])
return Response({'status': 'marked as read'})
@action(detail=False, methods=['post'])
def mark_all_read(self, request):
"""Mark all notifications as read for the current user."""
updated = self.get_queryset().filter(read=False).update(read=True)
return Response({'status': f'marked {updated} notifications as read'})
@action(detail=False, methods=['delete'])
def clear_all(self, request):
"""Delete all read notifications for the current user."""
deleted, _ = self.get_queryset().filter(read=True).delete()
return Response({'status': f'deleted {deleted} notifications'})

342
smoothschedule/schedule/api_views.py
View File

@@ -4,12 +4,139 @@ API views for business/tenant management
import base64
import uuid
from django.core.files.base import ContentFile
from django.db import connection
from rest_framework import status
from rest_framework.decorators import api_view, permission_classes
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response
# =============================================================================
# Sandbox Mode API
# =============================================================================
@api_view(['GET'])
@permission_classes([IsAuthenticated])
def sandbox_status_view(request):
"""
Get current sandbox mode status for the authenticated user.
GET /api/sandbox/status/
Returns:
- sandbox_mode: Whether user is currently in sandbox mode
- sandbox_enabled: Whether sandbox is available for this business
- sandbox_schema: The name of the sandbox schema (if enabled)
"""
user = request.user
tenant = user.tenant
if not tenant:
return Response({
'sandbox_mode': False,
'sandbox_enabled': False,
'sandbox_schema': None,
})
return Response({
'sandbox_mode': request.session.get('sandbox_mode', False),
'sandbox_enabled': tenant.sandbox_enabled,
'sandbox_schema': tenant.sandbox_schema_name if tenant.sandbox_enabled else None,
})
@api_view(['POST'])
@permission_classes([IsAuthenticated])
def sandbox_toggle_view(request):
"""
Toggle between live and sandbox mode.
POST /api/sandbox/toggle/
Request body:
- sandbox: boolean - True to enable sandbox mode, False for live mode
Returns:
- sandbox_mode: The new sandbox mode state
- message: Confirmation message
"""
user = request.user
tenant = user.tenant
if not tenant:
return Response(
{'error': 'No business associated with user'},
status=status.HTTP_403_FORBIDDEN
)
if not tenant.sandbox_enabled:
return Response(
{'error': 'Sandbox mode is not enabled for this business'},
status=status.HTTP_403_FORBIDDEN
)
enable_sandbox = request.data.get('sandbox', False)
# Validate that sandbox schema exists before enabling
if enable_sandbox and not tenant.sandbox_schema_name:
return Response(
{'error': 'Sandbox schema not configured. Please contact support.'},
status=status.HTTP_400_BAD_REQUEST
)
# Store sandbox mode in session
request.session['sandbox_mode'] = bool(enable_sandbox)
mode_name = 'Test' if enable_sandbox else 'Live'
return Response({
'sandbox_mode': enable_sandbox,
'message': f'Switched to {mode_name} mode',
})
@api_view(['POST'])
@permission_classes([IsAuthenticated])
def sandbox_reset_view(request):
"""
Reset sandbox data to initial state.
POST /api/sandbox/reset/
This clears all data in the sandbox schema. Use with caution!
Only available to business owners.
"""
user = request.user
tenant = user.tenant
if not tenant:
return Response(
{'error': 'No business associated with user'},
status=status.HTTP_403_FORBIDDEN
)
# Only owners can reset sandbox
allowed_roles = ['OWNER', 'TENANT_OWNER', 'SUPERUSER', 'PLATFORM_MANAGER']
if user.role.upper() not in allowed_roles:
return Response(
{'error': 'Only business owners can reset sandbox data'},
status=status.HTTP_403_FORBIDDEN
)
if not tenant.sandbox_enabled or not tenant.sandbox_schema_name:
return Response(
{'error': 'Sandbox mode is not available for this business'},
status=status.HTTP_403_FORBIDDEN
)
# TODO: Implement actual reset logic
# This would typically:
# 1. Drop all tables in sandbox schema (keep migrations)
# 2. Re-run migrations on sandbox schema
# 3. Optionally seed with sample data
return Response({
'message': 'Sandbox data reset successfully',
'sandbox_schema': tenant.sandbox_schema_name,
})
@api_view(['GET'])
@permission_classes([IsAuthenticated])
def current_business_view(request):
@@ -259,6 +386,221 @@ def oauth_settings_view(request):
}, status=status.HTTP_200_OK)
@api_view(['GET', 'POST'])
@permission_classes([IsAuthenticated])
def custom_domains_view(request):
"""
List or create custom domains for the current business
GET /api/business/domains/
POST /api/business/domains/
"""
user = request.user
tenant = user.tenant
# Platform users don't have a tenant
if not tenant:
return Response({'error': 'No business found'}, status=status.HTTP_404_NOT_FOUND)
# Only owners can manage domains
if user.role.lower() != 'tenant_owner':
return Response({'error': 'Only business owners can manage domains'}, status=status.HTTP_403_FORBIDDEN)
from core.models import Domain
if request.method == 'GET':
# List all domains for this tenant
domains = Domain.objects.filter(tenant=tenant)
domain_list = []
for d in domains:
domain_list.append({
'id': d.id,
'domain': d.domain,
'is_primary': d.is_primary,
'is_verified': bool(d.verified_at),
'ssl_provisioned': bool(d.ssl_certificate_arn),
'verification_token': '', # Not used yet
'dns_txt_record': f'_smoothschedule-verify.{d.domain}',
'dns_txt_record_name': f'_smoothschedule-verify',
'created_at': d.verified_at.isoformat() if d.verified_at else None,
'verified_at': d.verified_at.isoformat() if d.verified_at else None,
})
return Response(domain_list, status=status.HTTP_200_OK)
# POST - create a new custom domain
domain_name = request.data.get('domain', '').lower().strip()
if not domain_name:
return Response({'error': 'Domain name is required'}, status=status.HTTP_400_BAD_REQUEST)
# Basic domain validation
import re
if not re.match(r'^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$', domain_name):
return Response({'error': 'Invalid domain format'}, status=status.HTTP_400_BAD_REQUEST)
# Check if domain already exists
if Domain.objects.filter(domain=domain_name).exists():
return Response({'error': 'Domain already in use'}, status=status.HTTP_409_CONFLICT)
# Create the custom domain
new_domain = Domain.objects.create(
tenant=tenant,
domain=domain_name,
is_primary=False,
is_custom_domain=True,
)
return Response({
'id': new_domain.id,
'domain': new_domain.domain,
'is_primary': new_domain.is_primary,
'is_verified': False,
'ssl_provisioned': False,
'verification_token': '',
'dns_txt_record': f'_smoothschedule-verify.{new_domain.domain}',
'dns_txt_record_name': '_smoothschedule-verify',
'created_at': None,
'verified_at': None,
}, status=status.HTTP_201_CREATED)
@api_view(['GET', 'DELETE'])
@permission_classes([IsAuthenticated])
def custom_domain_detail_view(request, domain_id):
"""
Get or delete a specific custom domain
GET /api/business/domains/<domain_id>/
DELETE /api/business/domains/<domain_id>/
"""
user = request.user
tenant = user.tenant
# Platform users don't have a tenant
if not tenant:
return Response({'error': 'No business found'}, status=status.HTTP_404_NOT_FOUND)
# Only owners can manage domains
if user.role.lower() != 'tenant_owner':
return Response({'error': 'Only business owners can manage domains'}, status=status.HTTP_403_FORBIDDEN)
from core.models import Domain
try:
domain = Domain.objects.get(id=domain_id, tenant=tenant)
except Domain.DoesNotExist:
return Response({'error': 'Domain not found'}, status=status.HTTP_404_NOT_FOUND)
if request.method == 'GET':
return Response({
'id': domain.id,
'domain': domain.domain,
'is_primary': domain.is_primary,
'is_verified': bool(domain.verified_at),
'ssl_provisioned': bool(domain.ssl_certificate_arn),
'verification_token': '',
'dns_txt_record': f'_smoothschedule-verify.{domain.domain}',
'dns_txt_record_name': '_smoothschedule-verify',
'created_at': domain.verified_at.isoformat() if domain.verified_at else None,
'verified_at': domain.verified_at.isoformat() if domain.verified_at else None,
}, status=status.HTTP_200_OK)
# DELETE - remove the domain
if domain.is_primary:
return Response({'error': 'Cannot delete primary domain'}, status=status.HTTP_400_BAD_REQUEST)
domain.delete()
return Response(status=status.HTTP_204_NO_CONTENT)
@api_view(['POST'])
@permission_classes([IsAuthenticated])
def custom_domain_verify_view(request, domain_id):
"""
Verify a custom domain by checking DNS
POST /api/business/domains/<domain_id>/verify/
"""
user = request.user
tenant = user.tenant
if not tenant:
return Response({'error': 'No business found'}, status=status.HTTP_404_NOT_FOUND)
if user.role.lower() != 'tenant_owner':
return Response({'error': 'Only business owners can manage domains'}, status=status.HTTP_403_FORBIDDEN)
from core.models import Domain
from django.utils import timezone
import socket
try:
domain = Domain.objects.get(id=domain_id, tenant=tenant)
except Domain.DoesNotExist:
return Response({'error': 'Domain not found'}, status=status.HTTP_404_NOT_FOUND)
# Try to resolve the domain
try:
# Check if the domain resolves to our server
# In production, this would check if DNS points to our infrastructure
socket.gethostbyname(domain.domain)
domain.verified_at = timezone.now()
domain.save()
return Response({
'verified': True,
'message': 'Domain verified successfully',
}, status=status.HTTP_200_OK)
except socket.gaierror:
return Response({
'verified': False,
'message': 'Domain DNS not configured. Please add a CNAME record pointing to your subdomain.',
}, status=status.HTTP_200_OK)
@api_view(['POST'])
@permission_classes([IsAuthenticated])
def custom_domain_set_primary_view(request, domain_id):
"""
Set a custom domain as the primary domain
POST /api/business/domains/<domain_id>/set-primary/
"""
user = request.user
tenant = user.tenant
if not tenant:
return Response({'error': 'No business found'}, status=status.HTTP_404_NOT_FOUND)
if user.role.lower() != 'tenant_owner':
return Response({'error': 'Only business owners can manage domains'}, status=status.HTTP_403_FORBIDDEN)
from core.models import Domain
try:
domain = Domain.objects.get(id=domain_id, tenant=tenant)
except Domain.DoesNotExist:
return Response({'error': 'Domain not found'}, status=status.HTTP_404_NOT_FOUND)
# Domain must be verified to be set as primary
if not domain.verified_at:
return Response({'error': 'Domain must be verified before setting as primary'}, status=status.HTTP_400_BAD_REQUEST)
# Unset current primary domain
Domain.objects.filter(tenant=tenant, is_primary=True).update(is_primary=False)
# Set this domain as primary
domain.is_primary = True
domain.save()
return Response({
'id': domain.id,
'domain': domain.domain,
'is_primary': domain.is_primary,
'is_verified': bool(domain.verified_at),
'ssl_provisioned': bool(domain.ssl_certificate_arn),
'verification_token': '',
'dns_txt_record': f'_smoothschedule-verify.{domain.domain}',
'dns_txt_record_name': '_smoothschedule-verify',
'created_at': domain.verified_at.isoformat() if domain.verified_at else None,
'verified_at': domain.verified_at.isoformat() if domain.verified_at else None,
}, status=status.HTTP_200_OK)
@api_view(['GET', 'PATCH'])
@permission_classes([IsAuthenticated])
def oauth_credentials_view(request):

37
smoothschedule/schedule/views.py
View File

@@ -198,18 +198,21 @@ class CustomerViewSet(viewsets.ModelViewSet):
def get_queryset(self):
"""
Return customers for the current tenant.
Return customers for the current tenant, filtered by sandbox mode.
Customers are Users with role=CUSTOMER.
For now, return all customers. When authentication is enabled,
filter by the user's tenant.
In sandbox mode, only returns customers with is_sandbox=True.
In live mode, only returns customers with is_sandbox=False.
"""
queryset = User.objects.filter(role=User.Role.CUSTOMER)
# Filter by tenant if user is authenticated and has a tenant
# TODO: Re-enable this when authentication is enabled
# if self.request.user.is_authenticated and self.request.user.tenant:
# queryset = queryset.filter(tenant=self.request.user.tenant)
if self.request.user.is_authenticated and self.request.user.tenant:
queryset = queryset.filter(tenant=self.request.user.tenant)
# Filter by sandbox mode - check request.sandbox_mode set by middleware
is_sandbox = getattr(self.request, 'sandbox_mode', False)
queryset = queryset.filter(is_sandbox=is_sandbox)
# Apply status filter if provided
status_filter = self.request.query_params.get('status')
@@ -231,6 +234,20 @@ class CustomerViewSet(viewsets.ModelViewSet):
return queryset
def perform_create(self, serializer):
"""
Set sandbox mode and tenant when creating a new customer.
"""
is_sandbox = getattr(self.request, 'sandbox_mode', False)
tenant = None
if self.request.user.is_authenticated and self.request.user.tenant:
tenant = self.request.user.tenant
serializer.save(
role=User.Role.CUSTOMER,
is_sandbox=is_sandbox,
tenant=tenant,
)
class ServiceViewSet(viewsets.ModelViewSet):
"""
@@ -308,9 +325,11 @@ class StaffViewSet(viewsets.ModelViewSet):
def get_queryset(self):
"""
Return staff members for the current tenant.
Return staff members for the current tenant, filtered by sandbox mode.
Staff are Users with roles: TENANT_OWNER, TENANT_MANAGER, TENANT_STAFF.
In sandbox mode, only returns staff with is_sandbox=True.
In live mode, only returns staff with is_sandbox=False.
"""
from django.db.models import Q
@@ -331,6 +350,10 @@ class StaffViewSet(viewsets.ModelViewSet):
# if self.request.user.is_authenticated and self.request.user.tenant:
# queryset = queryset.filter(tenant=self.request.user.tenant)
# Filter by sandbox mode - check request.sandbox_mode set by middleware
is_sandbox = getattr(self.request, 'sandbox_mode', False)
queryset = queryset.filter(is_sandbox=is_sandbox)
# Apply search filter if provided
search = self.request.query_params.get('search')
if search:

1
smoothschedule/smoothschedule/public_api/__init__.py Normal file
View File

@@ -0,0 +1 @@
default_app_config = 'smoothschedule.public_api.apps.PublicApiConfig'

143
smoothschedule/smoothschedule/public_api/admin.py Normal file
View File

@@ -0,0 +1,143 @@
"""
Public API Admin Configuration
Admin interface for managing API tokens and webhook subscriptions.
"""
from django.contrib import admin
from .models import APIToken, WebhookSubscription, WebhookDelivery
@admin.register(APIToken)
class APITokenAdmin(admin.ModelAdmin):
"""Admin interface for API tokens."""
list_display = [
'name',
'key_prefix',
'tenant',
'is_active',
'scopes_display',
'created_at',
'last_used_at',
'expires_at',
]
list_filter = ['is_active', 'tenant', 'created_at']
search_fields = ['name', 'key_prefix', 'tenant__name']
readonly_fields = ['key_hash', 'key_prefix', 'created_at', 'last_used_at', 'created_by']
ordering = ['-created_at']
fieldsets = (
(None, {
'fields': ('name', 'tenant', 'is_active')
}),
('Authentication', {
'fields': ('key_prefix', 'key_hash'),
'description': 'The full key is only shown once when created.'
}),
('Permissions', {
'fields': ('scopes',)
}),
('Expiration', {
'fields': ('expires_at',)
}),
('Rate Limiting', {
'fields': ('rate_limit_override',),
'description': 'Override the default rate limit (requests/hour). Leave blank for default.'
}),
('Metadata', {
'fields': ('created_by', 'created_at', 'last_used_at'),
'classes': ('collapse',)
}),
)
def scopes_display(self, obj):
"""Display scopes as a comma-separated list."""
return ', '.join(obj.scopes[:3]) + ('...' if len(obj.scopes) > 3 else '')
scopes_display.short_description = 'Scopes'
@admin.register(WebhookSubscription)
class WebhookSubscriptionAdmin(admin.ModelAdmin):
"""Admin interface for webhook subscriptions."""
list_display = [
'url_display',
'tenant',
'api_token',
'events_display',
'is_active',
'failure_count',
'last_triggered_at',
]
list_filter = ['is_active', 'tenant', 'created_at']
search_fields = ['url', 'tenant__name', 'api_token__name']
readonly_fields = ['secret', 'created_at', 'last_triggered_at', 'last_success_at', 'last_failure_at']
ordering = ['-created_at']
fieldsets = (
(None, {
'fields': ('tenant', 'api_token', 'url', 'is_active')
}),
('Events', {
'fields': ('events',)
}),
('Security', {
'fields': ('secret',),
'description': 'Secret for HMAC-SHA256 signature verification'
}),
('Health', {
'fields': ('failure_count', 'last_triggered_at', 'last_success_at', 'last_failure_at'),
'classes': ('collapse',)
}),
('Metadata', {
'fields': ('description', 'created_at'),
'classes': ('collapse',)
}),
)
def url_display(self, obj):
"""Display truncated URL."""
return obj.url[:50] + ('...' if len(obj.url) > 50 else '')
url_display.short_description = 'URL'
def events_display(self, obj):
"""Display event count."""
return f'{len(obj.events)} events'
events_display.short_description = 'Events'
@admin.register(WebhookDelivery)
class WebhookDeliveryAdmin(admin.ModelAdmin):
"""Admin interface for webhook deliveries."""
list_display = [
'event_type',
'subscription_url',
'success',
'response_status',
'retry_count',
'created_at',
'delivered_at',
]
list_filter = ['success', 'event_type', 'created_at']
search_fields = ['event_id', 'subscription__url']
readonly_fields = [
'id', 'subscription', 'event_type', 'event_id', 'payload',
'response_status', 'response_body', 'delivered_at', 'created_at',
'success', 'retry_count', 'next_retry_at', 'error_message'
]
ordering = ['-created_at']
def subscription_url(self, obj):
"""Display subscription URL."""
return obj.subscription.url[:40] + '...' if len(obj.subscription.url) > 40 else obj.subscription.url
subscription_url.short_description = 'Subscription'
def has_add_permission(self, request):
"""Disable adding deliveries manually."""
return False
def has_change_permission(self, request, obj=None):
"""Disable editing deliveries."""
return False

14
smoothschedule/smoothschedule/public_api/apps.py Normal file
View File

@@ -0,0 +1,14 @@
from django.apps import AppConfig
class PublicApiConfig(AppConfig):
default_auto_field = 'django.db.models.BigAutoField'
name = 'smoothschedule.public_api'
verbose_name = 'Public API'
def ready(self):
# Import signals when app is ready
try:
import smoothschedule.public_api.signals # noqa: F401
except ImportError:
pass

196
smoothschedule/smoothschedule/public_api/authentication.py Normal file
View File

@@ -0,0 +1,196 @@
"""
Public API Authentication
This module provides the APITokenAuthentication class for authenticating
requests using API tokens in the Authorization header.
Usage:
Authorization: Bearer ss_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
"""
from django.utils import timezone
from rest_framework import authentication, exceptions
class APITokenAuthentication(authentication.BaseAuthentication):
"""
Custom authentication class for API tokens.
Authenticates requests using Bearer tokens in the Authorization header.
The token must be a valid, active API token created for a business.
On successful authentication, the request will have:
- request.auth: The APIToken instance
- request.user: An AnonymousUser (API tokens are not tied to users)
- request.api_token: The APIToken instance (alias for convenience)
- request.tenant: The tenant associated with the token
Example:
Authorization: Bearer ss_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
Raises:
AuthenticationFailed: If the token is invalid, expired, or inactive
"""
keyword = 'Bearer'
def authenticate(self, request):
"""
Authenticate the request and return a tuple of (user, token).
Returns:
tuple: (None, APIToken) if authentication succeeds
None: If no Bearer token is provided (allow other auth methods)
Raises:
AuthenticationFailed: If token is invalid/expired/inactive
"""
auth_header = authentication.get_authorization_header(request)
if not auth_header:
return None
try:
auth_parts = auth_header.decode('utf-8').split()
except UnicodeDecodeError:
raise exceptions.AuthenticationFailed(
detail='Invalid token header. Token string should not contain invalid characters.',
code='authentication_error'
)
if not auth_parts:
return None
if auth_parts[0].lower() != self.keyword.lower():
# Not a Bearer token, let other authentication methods handle it
return None
if len(auth_parts) == 1:
raise exceptions.AuthenticationFailed(
detail='Invalid token header. No credentials provided.',
code='authentication_error'
)
if len(auth_parts) > 2:
raise exceptions.AuthenticationFailed(
detail='Invalid token header. Token string should not contain spaces.',
code='authentication_error'
)
token_key = auth_parts[1]
return self.authenticate_token(token_key, request)
def authenticate_token(self, key, request):
"""
Authenticate using the token key.
Args:
key: The full API token string
request: The HTTP request object
Returns:
tuple: (None, APIToken) on success
Raises:
AuthenticationFailed: If token is invalid
"""
# Import here to avoid circular imports
from .models import APIToken
# Validate token format
if not key.startswith('ss_live_') and not key.startswith('ss_test_'):
raise exceptions.AuthenticationFailed(
detail='Invalid API token format.',
code='authentication_error'
)
# Look up the token
token = APIToken.get_by_key(key)
if token is None:
raise exceptions.AuthenticationFailed(
detail='Invalid API token.',
code='authentication_error'
)
if not token.is_active:
raise exceptions.AuthenticationFailed(
detail='API token has been revoked.',
code='authentication_error'
)
if token.is_expired():
raise exceptions.AuthenticationFailed(
detail='API token has expired.',
code='authentication_error'
)
# Update last used timestamp (async to not slow down requests)
self._update_last_used(token)
# Attach useful attributes to the request
request.api_token = token
request.tenant = token.tenant
# Return (user, auth) - user is None for API tokens
return (None, token)
def authenticate_header(self, request):
"""
Return the WWW-Authenticate header value for 401 responses.
"""
return f'{self.keyword} realm="api"'
def _update_last_used(self, token):
"""
Update the token's last_used_at timestamp.
We do this in a fire-and-forget manner to not slow down the request.
In a production environment, you might want to batch these updates
or use a background task.
"""
# Simple synchronous update for now
# Could be optimized with a background task in production
try:
token.last_used_at = timezone.now()
token.save(update_fields=['last_used_at'])
except Exception:
# Don't fail the request if we can't update the timestamp
pass
class OptionalAPITokenAuthentication(APITokenAuthentication):
"""
Like APITokenAuthentication but doesn't require authentication.
Use this for endpoints that can optionally accept API token auth
but also support other authentication methods or anonymous access.
"""
def authenticate(self, request):
"""
Authenticate if a Bearer token is provided, otherwise return None.
"""
auth_header = authentication.get_authorization_header(request)
if not auth_header:
return None
try:
auth_parts = auth_header.decode('utf-8').split()
except UnicodeDecodeError:
return None
if not auth_parts or auth_parts[0].lower() != self.keyword.lower():
return None
if len(auth_parts) != 2:
return None
token_key = auth_parts[1]
# Don't raise exceptions, just return None if invalid
try:
return self.authenticate_token(token_key, request)
except exceptions.AuthenticationFailed:
return None

88
smoothschedule/smoothschedule/public_api/migrations/0001_initial.py Normal file
View File

@@ -0,0 +1,88 @@
# Generated by Django 5.2.8 on 2025-11-28 18:54
import django.db.models.deletion
import uuid
from django.conf import settings
from django.db import migrations, models
class Migration(migrations.Migration):
initial = True
dependencies = [
('core', '0007_add_tenant_permissions'),
migrations.swappable_dependency(settings.AUTH_USER_MODEL),
]
operations = [
migrations.CreateModel(
name='APIToken',
fields=[
('id', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
('name', models.CharField(help_text='Human-readable name for identifying this token', max_length=100)),
('key_hash', models.CharField(db_index=True, help_text='SHA-256 hash of the token key', max_length=64, unique=True)),
('key_prefix', models.CharField(help_text='Prefix of the key for identification (e.g., ss_live_a1b2)', max_length=16)),
('scopes', models.JSONField(default=list, help_text='List of permission scopes granted to this token')),
('is_active', models.BooleanField(default=True, help_text='Whether this token is currently active')),
('created_at', models.DateTimeField(auto_now_add=True)),
('last_used_at', models.DateTimeField(blank=True, help_text='When the token was last used for authentication', null=True)),
('expires_at', models.DateTimeField(blank=True, help_text='Optional expiration date for the token', null=True)),
('rate_limit_override', models.PositiveIntegerField(blank=True, help_text='Custom rate limit (requests/hour) if different from default', null=True)),
('created_by', models.ForeignKey(blank=True, help_text='User who created this token', null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='created_api_tokens', to=settings.AUTH_USER_MODEL)),
('tenant', models.ForeignKey(help_text='The business this token belongs to', on_delete=django.db.models.deletion.CASCADE, related_name='api_tokens', to='core.tenant')),
],
options={
'verbose_name': 'API Token',
'verbose_name_plural': 'API Tokens',
'ordering': ['-created_at'],
},
),
migrations.CreateModel(
name='WebhookSubscription',
fields=[
('id', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
('url', models.URLField(help_text='The HTTPS URL to send webhook payloads to', max_length=2048)),
('secret', models.CharField(help_text='Secret key for HMAC-SHA256 signature verification', max_length=64)),
('events', models.JSONField(default=list, help_text='List of event types to subscribe to')),
('is_active', models.BooleanField(default=True, help_text='Whether this subscription is currently active')),
('created_at', models.DateTimeField(auto_now_add=True)),
('failure_count', models.PositiveIntegerField(default=0, help_text='Number of consecutive delivery failures')),
('last_triggered_at', models.DateTimeField(blank=True, help_text='When a webhook was last sent', null=True)),
('last_success_at', models.DateTimeField(blank=True, help_text='When a webhook was last successfully delivered', null=True)),
('last_failure_at', models.DateTimeField(blank=True, help_text='When a webhook last failed to deliver', null=True)),
('description', models.TextField(blank=True, help_text='Optional description of what this webhook is for')),
('api_token', models.ForeignKey(help_text='The API token that owns this subscription', on_delete=django.db.models.deletion.CASCADE, related_name='webhook_subscriptions', to='public_api.apitoken')),
('tenant', models.ForeignKey(help_text='The business this webhook belongs to', on_delete=django.db.models.deletion.CASCADE, related_name='webhook_subscriptions', to='core.tenant')),
],
options={
'verbose_name': 'Webhook Subscription',
'verbose_name_plural': 'Webhook Subscriptions',
'ordering': ['-created_at'],
},
),
migrations.CreateModel(
name='WebhookDelivery',
fields=[
('id', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False)),
('event_type', models.CharField(help_text='The type of event', max_length=50)),
('event_id', models.CharField(help_text='Unique identifier for this event instance', max_length=64)),
('payload', models.JSONField(help_text='The JSON payload sent to the webhook URL')),
('response_status', models.PositiveIntegerField(blank=True, help_text='HTTP status code received', null=True)),
('response_body', models.TextField(blank=True, help_text='Response body (truncated to 10KB)')),
('delivered_at', models.DateTimeField(blank=True, help_text='When the webhook was successfully delivered', null=True)),
('created_at', models.DateTimeField(auto_now_add=True)),
('success', models.BooleanField(default=False, help_text='Whether the delivery was successful')),
('retry_count', models.PositiveIntegerField(default=0, help_text='Number of retry attempts made')),
('next_retry_at', models.DateTimeField(blank=True, help_text='When the next retry will be attempted', null=True)),
('error_message', models.TextField(blank=True, help_text='Error message if delivery failed')),
('subscription', models.ForeignKey(help_text='The subscription this delivery is for', on_delete=django.db.models.deletion.CASCADE, related_name='deliveries', to='public_api.webhooksubscription')),
],
options={
'verbose_name': 'Webhook Delivery',
'verbose_name_plural': 'Webhook Deliveries',
'ordering': ['-created_at'],
'indexes': [models.Index(fields=['subscription', '-created_at'], name='public_api__subscri_6964d3_idx'), models.Index(fields=['event_type', '-created_at'], name='public_api__event_t_bb35c8_idx'), models.Index(fields=['success', 'next_retry_at'], name='public_api__success_06dadf_idx')],
},
),
]

18
smoothschedule/smoothschedule/public_api/migrations/0002_add_sandbox_to_apitoken.py Normal file
View File

@@ -0,0 +1,18 @@
# Generated by Django 5.2.8 on 2025-11-28 20:08
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
('public_api', '0001_initial'),
]
operations = [
migrations.AddField(
model_name='apitoken',
name='is_sandbox',
field=models.BooleanField(default=False, help_text='Whether this is a sandbox/test token (uses test data)'),
),
]

18
smoothschedule/smoothschedule/public_api/migrations/0003_apitoken_plaintext_key.py Normal file
View File

@@ -0,0 +1,18 @@
# Generated by Django 5.2.8 on 2025-11-28 21:10
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
('public_api', '0002_add_sandbox_to_apitoken'),
]
operations = [
migrations.AddField(
model_name='apitoken',
name='plaintext_key',
field=models.CharField(blank=True, help_text='ONLY for sandbox tokens: stores the full key for documentation. NEVER set for live tokens!', max_length=72, null=True),
),
]

0
smoothschedule/smoothschedule/public_api/migrations/__init__.py Normal file
View File

583
smoothschedule/smoothschedule/public_api/models.py Normal file
View File

@@ -0,0 +1,583 @@
"""
Public API Models
This module contains models for managing API tokens and webhooks for the
public API v1. Business owners can create API tokens with specific scopes
to allow third-party integrations to access their data.
"""
import hashlib
import secrets
import uuid
from django.conf import settings
from django.db import models
from django.utils import timezone
class APIScope:
"""
Available API scopes for token permissions.
Scopes follow the format: resource:action
- read: allows GET requests
- write: allows POST, PATCH, DELETE requests
- manage: allows full CRUD operations
"""
SERVICES_READ = 'services:read'
RESOURCES_READ = 'resources:read'
AVAILABILITY_READ = 'availability:read'
BOOKINGS_READ = 'bookings:read'
BOOKINGS_WRITE = 'bookings:write'
CUSTOMERS_READ = 'customers:read'
CUSTOMERS_WRITE = 'customers:write'
BUSINESS_READ = 'business:read'
WEBHOOKS_MANAGE = 'webhooks:manage'
CHOICES = [
(SERVICES_READ, 'View services and pricing'),
(RESOURCES_READ, 'View resources and staff'),
(AVAILABILITY_READ, 'Check time slot availability'),
(BOOKINGS_READ, 'View appointments'),
(BOOKINGS_WRITE, 'Create, update, and cancel appointments'),
(CUSTOMERS_READ, 'View customer information'),
(CUSTOMERS_WRITE, 'Create and update customers'),
(BUSINESS_READ, 'View business information'),
(WEBHOOKS_MANAGE, 'Manage webhook subscriptions'),
]
ALL_SCOPES = [choice[0] for choice in CHOICES]
# Scope groupings for common use cases
BOOKING_WIDGET_SCOPES = [
SERVICES_READ,
RESOURCES_READ,
AVAILABILITY_READ,
BOOKINGS_WRITE,
CUSTOMERS_WRITE,
]
BUSINESS_DIRECTORY_SCOPES = [
BUSINESS_READ,
SERVICES_READ,
RESOURCES_READ,
]
APPOINTMENT_DASHBOARD_SCOPES = [
BOOKINGS_READ,
BOOKINGS_WRITE,
CUSTOMERS_READ,
]
CUSTOMER_SELF_SERVICE_SCOPES = [
BOOKINGS_READ,
BOOKINGS_WRITE,
AVAILABILITY_READ,
]
FULL_INTEGRATION_SCOPES = ALL_SCOPES
class APIToken(models.Model):
"""
API Token for authenticating third-party integrations.
Tokens are generated with a secure random key. The full key is only
shown once during creation - we store a hash for verification.
Token format: ss_live_<32 random hex chars>
Example: ss_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
Attributes:
id: UUID primary key
tenant: The business this token belongs to
name: Human-readable name for the token (e.g., "Website Integration")
key_hash: SHA-256 hash of the full token key
key_prefix: First 8 characters of the key for identification
scopes: List of permission scopes granted to this token
is_active: Whether the token is currently active
created_at: When the token was created
last_used_at: When the token was last used for authentication
expires_at: Optional expiration date
created_by: User who created this token
rate_limit_override: Custom rate limit (requests/hour) if set
"""
id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)
tenant = models.ForeignKey(
'core.Tenant',
on_delete=models.CASCADE,
related_name='api_tokens',
help_text='The business this token belongs to'
)
name = models.CharField(
max_length=100,
help_text='Human-readable name for identifying this token'
)
key_hash = models.CharField(
max_length=64,
unique=True,
db_index=True,
help_text='SHA-256 hash of the token key'
)
key_prefix = models.CharField(
max_length=16,
help_text='Prefix of the key for identification (e.g., ss_live_a1b2)'
)
plaintext_key = models.CharField(
max_length=72,
null=True,
blank=True,
help_text='ONLY for sandbox tokens: stores the full key for documentation. NEVER set for live tokens!'
)
scopes = models.JSONField(
default=list,
help_text='List of permission scopes granted to this token'
)
is_active = models.BooleanField(
default=True,
help_text='Whether this token is currently active'
)
created_at = models.DateTimeField(auto_now_add=True)
last_used_at = models.DateTimeField(
null=True,
blank=True,
help_text='When the token was last used for authentication'
)
expires_at = models.DateTimeField(
null=True,
blank=True,
help_text='Optional expiration date for the token'
)
created_by = models.ForeignKey(
settings.AUTH_USER_MODEL,
on_delete=models.SET_NULL,
null=True,
blank=True,
related_name='created_api_tokens',
help_text='User who created this token'
)
rate_limit_override = models.PositiveIntegerField(
null=True,
blank=True,
help_text='Custom rate limit (requests/hour) if different from default'
)
# Sandbox/Test mode
is_sandbox = models.BooleanField(
default=False,
help_text='Whether this is a sandbox/test token (uses test data)'
)
class Meta:
verbose_name = 'API Token'
verbose_name_plural = 'API Tokens'
ordering = ['-created_at']
def __str__(self):
return f"{self.name} ({self.key_prefix}...)"
def clean(self):
"""
Validate the model to enforce security rules.
CRITICAL SECURITY CHECKS:
1. NEVER allow plaintext_key for live tokens (is_sandbox=False)
2. NEVER allow plaintext_key that starts with ss_live_*
"""
from django.core.exceptions import ValidationError
if self.plaintext_key:
# SECURITY: Never allow plaintext storage for live tokens
if not self.is_sandbox:
raise ValidationError({
'plaintext_key': 'SECURITY VIOLATION: Cannot store plaintext key for live/production tokens. '
'Only sandbox tokens may store plaintext keys for documentation purposes.'
})
# SECURITY: Double-check the plaintext key doesn't start with ss_live_
if self.plaintext_key.startswith('ss_live_'):
raise ValidationError({
'plaintext_key': 'SECURITY VIOLATION: Plaintext key appears to be a live token (ss_live_*). '
'Only sandbox tokens (ss_test_*) may be stored in plaintext.'
})
# SECURITY: Verify it's actually a test token
if not self.plaintext_key.startswith('ss_test_'):
raise ValidationError({
'plaintext_key': 'Invalid plaintext key format. Must start with ss_test_'
})
def save(self, *args, **kwargs):
"""Override save to always run validation."""
self.full_clean() # Always validate before saving
super().save(*args, **kwargs)
@classmethod
def generate_key(cls, is_sandbox=False):
"""
Generate a new secure API key.
Args:
is_sandbox: If True, generates a test token (ss_test_*), otherwise live (ss_live_*)
Returns:
tuple: (full_key, key_hash, key_prefix)
- full_key: The complete token to show to the user once
- key_hash: SHA-256 hash to store in database
- key_prefix: First characters for identification
"""
random_part = secrets.token_hex(32)
prefix = "ss_test_" if is_sandbox else "ss_live_"
full_key = f"{prefix}{random_part}"
key_hash = hashlib.sha256(full_key.encode()).hexdigest()
key_prefix = full_key[:16] # "ss_live_" or "ss_test_" + first 8 hex chars
return full_key, key_hash, key_prefix
@classmethod
def is_sandbox_key(cls, key):
"""Check if an API key is a sandbox/test key based on its prefix."""
return key.startswith('ss_test_')
@classmethod
def hash_key(cls, key):
"""Hash a key for comparison."""
return hashlib.sha256(key.encode()).hexdigest()
@classmethod
def get_by_key(cls, key):
"""
Retrieve a token by its full key.
Args:
key: The full API key string
Returns:
APIToken or None
"""
key_hash = cls.hash_key(key)
try:
return cls.objects.select_related('tenant').get(
key_hash=key_hash,
is_active=True
)
except cls.DoesNotExist:
return None
def has_scope(self, scope):
"""Check if this token has a specific scope."""
return scope in self.scopes
def has_any_scope(self, scopes):
"""Check if this token has any of the specified scopes."""
return any(scope in self.scopes for scope in scopes)
def has_all_scopes(self, scopes):
"""Check if this token has all of the specified scopes."""
return all(scope in self.scopes for scope in scopes)
def is_expired(self):
"""Check if the token has expired."""
if self.expires_at is None:
return False
return timezone.now() > self.expires_at
def is_valid(self):
"""Check if the token is valid (active and not expired)."""
return self.is_active and not self.is_expired()
def update_last_used(self):
"""Update the last_used_at timestamp."""
self.last_used_at = timezone.now()
self.save(update_fields=['last_used_at'])
class WebhookEvent:
"""
Available webhook event types.
Events are named as: resource.action
"""
APPOINTMENT_CREATED = 'appointment.created'
APPOINTMENT_UPDATED = 'appointment.updated'
APPOINTMENT_CANCELLED = 'appointment.cancelled'
APPOINTMENT_COMPLETED = 'appointment.completed'
APPOINTMENT_REMINDER = 'appointment.reminder'
CUSTOMER_CREATED = 'customer.created'
CUSTOMER_UPDATED = 'customer.updated'
PAYMENT_SUCCEEDED = 'payment.succeeded'
PAYMENT_FAILED = 'payment.failed'
CHOICES = [
(APPOINTMENT_CREATED, 'Appointment Created'),
(APPOINTMENT_UPDATED, 'Appointment Updated'),
(APPOINTMENT_CANCELLED, 'Appointment Cancelled'),
(APPOINTMENT_COMPLETED, 'Appointment Completed'),
(APPOINTMENT_REMINDER, 'Appointment Reminder (24h before)'),
(CUSTOMER_CREATED, 'Customer Created'),
(CUSTOMER_UPDATED, 'Customer Updated'),
(PAYMENT_SUCCEEDED, 'Payment Succeeded'),
(PAYMENT_FAILED, 'Payment Failed'),
]
ALL_EVENTS = [choice[0] for choice in CHOICES]
class WebhookSubscription(models.Model):
"""
Webhook subscription for receiving real-time event notifications.
When events occur (e.g., appointment created), we send a POST request
to the subscription URL with the event data. The payload is signed
with HMAC-SHA256 using the subscription's secret.
Attributes:
id: UUID primary key
tenant: The business this webhook belongs to
api_token: The API token that created/owns this subscription
url: The HTTPS URL to send webhook payloads to
secret: Secret key for HMAC-SHA256 signature verification
events: List of event types to subscribe to
is_active: Whether the subscription is currently active
created_at: When the subscription was created
failure_count: Number of consecutive delivery failures
last_triggered_at: When a webhook was last sent
last_success_at: When a webhook was last successfully delivered
last_failure_at: When a webhook last failed to deliver
description: Optional description of what this webhook is for
"""
id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)
tenant = models.ForeignKey(
'core.Tenant',
on_delete=models.CASCADE,
related_name='webhook_subscriptions',
help_text='The business this webhook belongs to'
)
api_token = models.ForeignKey(
APIToken,
on_delete=models.CASCADE,
related_name='webhook_subscriptions',
help_text='The API token that owns this subscription'
)
url = models.URLField(
max_length=2048,
help_text='The HTTPS URL to send webhook payloads to'
)
secret = models.CharField(
max_length=64,
help_text='Secret key for HMAC-SHA256 signature verification'
)
events = models.JSONField(
default=list,
help_text='List of event types to subscribe to'
)
is_active = models.BooleanField(
default=True,
help_text='Whether this subscription is currently active'
)
created_at = models.DateTimeField(auto_now_add=True)
# Health tracking
failure_count = models.PositiveIntegerField(
default=0,
help_text='Number of consecutive delivery failures'
)
last_triggered_at = models.DateTimeField(
null=True,
blank=True,
help_text='When a webhook was last sent'
)
last_success_at = models.DateTimeField(
null=True,
blank=True,
help_text='When a webhook was last successfully delivered'
)
last_failure_at = models.DateTimeField(
null=True,
blank=True,
help_text='When a webhook last failed to deliver'
)
description = models.TextField(
blank=True,
help_text='Optional description of what this webhook is for'
)
# Auto-disable after too many failures
MAX_CONSECUTIVE_FAILURES = 10
class Meta:
verbose_name = 'Webhook Subscription'
verbose_name_plural = 'Webhook Subscriptions'
ordering = ['-created_at']
def __str__(self):
return f"Webhook to {self.url} ({len(self.events)} events)"
@classmethod
def generate_secret(cls):
"""Generate a secure webhook secret."""
return secrets.token_hex(32)
def is_subscribed_to(self, event_type):
"""Check if this subscription should receive the given event type."""
return event_type in self.events
def record_success(self):
"""Record a successful delivery."""
self.failure_count = 0
self.last_success_at = timezone.now()
self.last_triggered_at = timezone.now()
self.save(update_fields=['failure_count', 'last_success_at', 'last_triggered_at'])
def record_failure(self):
"""
Record a failed delivery.
If consecutive failures exceed MAX_CONSECUTIVE_FAILURES,
the subscription is automatically disabled.
"""
self.failure_count += 1
self.last_failure_at = timezone.now()
self.last_triggered_at = timezone.now()
if self.failure_count >= self.MAX_CONSECUTIVE_FAILURES:
self.is_active = False
self.save(update_fields=['failure_count', 'last_failure_at', 'last_triggered_at', 'is_active'])
class WebhookDelivery(models.Model):
"""
Record of a webhook delivery attempt.
Each time we attempt to deliver a webhook, we create a record here
with the payload sent, response received, and delivery status.
Attributes:
id: UUID primary key
subscription: The webhook subscription this delivery is for
event_type: The type of event (e.g., 'appointment.created')
event_id: Unique identifier for this event instance
payload: The JSON payload that was/will be sent
response_status: HTTP status code received (null if not yet delivered)
response_body: Response body text (truncated to 10KB)
delivered_at: When the webhook was successfully delivered
created_at: When this delivery record was created
success: Whether the delivery was successful
retry_count: Number of retry attempts made
next_retry_at: When the next retry will be attempted
error_message: Error message if delivery failed
"""
id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)
subscription = models.ForeignKey(
WebhookSubscription,
on_delete=models.CASCADE,
related_name='deliveries',
help_text='The subscription this delivery is for'
)
event_type = models.CharField(
max_length=50,
help_text='The type of event'
)
event_id = models.CharField(
max_length=64,
help_text='Unique identifier for this event instance'
)
payload = models.JSONField(
help_text='The JSON payload sent to the webhook URL'
)
response_status = models.PositiveIntegerField(
null=True,
blank=True,
help_text='HTTP status code received'
)
response_body = models.TextField(
blank=True,
help_text='Response body (truncated to 10KB)'
)
delivered_at = models.DateTimeField(
null=True,
blank=True,
help_text='When the webhook was successfully delivered'
)
created_at = models.DateTimeField(auto_now_add=True)
success = models.BooleanField(
default=False,
help_text='Whether the delivery was successful'
)
retry_count = models.PositiveIntegerField(
default=0,
help_text='Number of retry attempts made'
)
next_retry_at = models.DateTimeField(
null=True,
blank=True,
help_text='When the next retry will be attempted'
)
error_message = models.TextField(
blank=True,
help_text='Error message if delivery failed'
)
MAX_RETRIES = 5
# Retry delays in seconds: 1min, 5min, 30min, 2hr, 8hr
RETRY_DELAYS = [60, 300, 1800, 7200, 28800]
class Meta:
verbose_name = 'Webhook Delivery'
verbose_name_plural = 'Webhook Deliveries'
ordering = ['-created_at']
indexes = [
models.Index(fields=['subscription', '-created_at']),
models.Index(fields=['event_type', '-created_at']),
models.Index(fields=['success', 'next_retry_at']),
]
def __str__(self):
status = "Success" if self.success else f"Failed (retry {self.retry_count})"
return f"{self.event_type} to {self.subscription.url} - {status}"
def can_retry(self):
"""Check if this delivery can be retried."""
return not self.success and self.retry_count < self.MAX_RETRIES
def get_next_retry_delay(self):
"""Get the delay in seconds before the next retry."""
if self.retry_count >= len(self.RETRY_DELAYS):
return self.RETRY_DELAYS[-1]
return self.RETRY_DELAYS[self.retry_count]
def schedule_retry(self):
"""Schedule the next retry attempt."""
if not self.can_retry():
return False
delay = self.get_next_retry_delay()
self.next_retry_at = timezone.now() + timezone.timedelta(seconds=delay)
self.save(update_fields=['next_retry_at'])
return True
def mark_success(self, status_code, response_body=''):
"""Mark this delivery as successful."""
self.success = True
self.response_status = status_code
self.response_body = response_body[:10240] # Truncate to 10KB
self.delivered_at = timezone.now()
self.next_retry_at = None
self.save()
self.subscription.record_success()
def mark_failure(self, error_message, status_code=None, response_body=''):
"""Mark this delivery as failed and schedule retry if possible."""
self.success = False
self.response_status = status_code
self.response_body = response_body[:10240] # Truncate to 10KB
self.error_message = error_message
self.retry_count += 1
self.save()
if self.can_retry():
self.schedule_retry()
else:
self.subscription.record_failure()

246
smoothschedule/smoothschedule/public_api/permissions.py Normal file
View File

@@ -0,0 +1,246 @@
"""
Public API Permissions
This module provides permission classes for the public API,
including scope-based permission checking for API tokens.
"""
from rest_framework import permissions
from .models import APIScope
class HasAPIToken(permissions.BasePermission):
"""
Permission class that requires a valid API token.
This permission checks that the request was authenticated with
an API token (not a user session or other auth method).
Usage:
class MyView(APIView):
permission_classes = [HasAPIToken]
"""
message = 'Valid API token required.'
def has_permission(self, request, view):
"""Check if request has a valid API token."""
return (
hasattr(request, 'api_token') and
request.api_token is not None and
request.api_token.is_valid()
)
class HasScope(permissions.BasePermission):
"""
Permission class that requires specific API scopes.
This permission checks that the API token has the required scope(s)
for the requested action. Scopes can be specified at the view level
or determined dynamically based on the HTTP method.
Usage:
class MyView(APIView):
permission_classes = [HasAPIToken, HasScope]
required_scopes = ['services:read']
# Or with method-specific scopes:
class MyView(APIView):
permission_classes = [HasAPIToken, HasScope]
required_scopes = {
'GET': ['services:read'],
'POST': ['services:write'],
}
# Or use the decorator:
@require_scopes(['services:read'])
class MyView(APIView):
pass
"""
message = 'API token lacks required scope for this operation.'
def has_permission(self, request, view):
"""Check if the API token has the required scope(s)."""
# First check that we have an API token
if not hasattr(request, 'api_token') or request.api_token is None:
return False
token = request.api_token
# Get required scopes from the view
required_scopes = self._get_required_scopes(request, view)
if not required_scopes:
# No scopes required, allow access
return True
# Check if token has any of the required scopes
# (OR logic - having any one scope is sufficient)
return token.has_any_scope(required_scopes)
def _get_required_scopes(self, request, view):
"""
Get the required scopes for this request.
Supports:
- List of scopes: ['services:read', 'services:write']
- Dict of method -> scopes: {'GET': ['read'], 'POST': ['write']}
- Callable that returns scopes: lambda request, view: [...]
"""
required_scopes = getattr(view, 'required_scopes', None)
if required_scopes is None:
return []
if callable(required_scopes):
return required_scopes(request, view)
if isinstance(required_scopes, dict):
# Method-specific scopes
method = request.method.upper()
return required_scopes.get(method, [])
# Assume it's a list of scopes
return list(required_scopes)
class HasAllScopes(HasScope):
"""
Like HasScope but requires ALL scopes (AND logic).
Usage:
class MyView(APIView):
permission_classes = [HasAPIToken, HasAllScopes]
required_scopes = ['services:read', 'customers:read']
"""
message = 'API token lacks all required scopes for this operation.'
def has_permission(self, request, view):
"""Check if the API token has ALL required scopes."""
if not hasattr(request, 'api_token') or request.api_token is None:
return False
token = request.api_token
required_scopes = self._get_required_scopes(request, view)
if not required_scopes:
return True
return token.has_all_scopes(required_scopes)
def require_scopes(*scopes):
"""
Decorator to specify required scopes for a view or viewset action.
Usage:
@require_scopes('services:read')
class MyView(APIView):
permission_classes = [HasAPIToken, HasScope]
# Or on a viewset action:
class MyViewSet(ViewSet):
@require_scopes('services:write')
def create(self, request):
pass
"""
def decorator(view_or_func):
view_or_func.required_scopes = list(scopes)
return view_or_func
return decorator
# Convenience permission classes for common scope combinations
class CanReadServices(HasScope):
"""Permission requiring services:read scope."""
def _get_required_scopes(self, request, view):
return [APIScope.SERVICES_READ]
class CanReadResources(HasScope):
"""Permission requiring resources:read scope."""
def _get_required_scopes(self, request, view):
return [APIScope.RESOURCES_READ]
class CanReadAvailability(HasScope):
"""Permission requiring availability:read scope."""
def _get_required_scopes(self, request, view):
return [APIScope.AVAILABILITY_READ]
class CanReadBookings(HasScope):
"""Permission requiring bookings:read scope."""
def _get_required_scopes(self, request, view):
return [APIScope.BOOKINGS_READ]
class CanWriteBookings(HasScope):
"""Permission requiring bookings:write scope."""
def _get_required_scopes(self, request, view):
return [APIScope.BOOKINGS_WRITE]
class CanReadCustomers(HasScope):
"""Permission requiring customers:read scope."""
def _get_required_scopes(self, request, view):
return [APIScope.CUSTOMERS_READ]
class CanWriteCustomers(HasScope):
"""Permission requiring customers:write scope."""
def _get_required_scopes(self, request, view):
return [APIScope.CUSTOMERS_WRITE]
class CanReadBusiness(HasScope):
"""Permission requiring business:read scope."""
def _get_required_scopes(self, request, view):
return [APIScope.BUSINESS_READ]
class CanManageWebhooks(HasScope):
"""Permission requiring webhooks:manage scope."""
def _get_required_scopes(self, request, view):
return [APIScope.WEBHOOKS_MANAGE]
class BookingsReadWritePermission(HasScope):
"""
Permission for bookings endpoints.
- GET requests require bookings:read
- POST/PATCH/DELETE require bookings:write
"""
def _get_required_scopes(self, request, view):
if request.method in permissions.SAFE_METHODS:
return [APIScope.BOOKINGS_READ]
return [APIScope.BOOKINGS_WRITE]
class CustomersReadWritePermission(HasScope):
"""
Permission for customers endpoints.
- GET requests require customers:read
- POST/PATCH/DELETE require customers:write
"""
def _get_required_scopes(self, request, view):
if request.method in permissions.SAFE_METHODS:
return [APIScope.CUSTOMERS_READ]
return [APIScope.CUSTOMERS_WRITE]

680
smoothschedule/smoothschedule/public_api/serializers.py Normal file
View File

@@ -0,0 +1,680 @@
"""
Public API Serializers
This module contains serializers for the public API v1.
These serializers expose limited fields appropriate for external integrations,
with proper documentation for OpenAPI schema generation.
"""
from rest_framework import serializers
from drf_spectacular.utils import extend_schema_field
from drf_spectacular.types import OpenApiTypes
from .models import APIToken, APIScope, WebhookSubscription, WebhookDelivery, WebhookEvent
# =============================================================================
# API Token Serializers
# =============================================================================
class APIScopeSerializer(serializers.Serializer):
"""Serializer for listing available scopes."""
scope = serializers.CharField(help_text="Scope identifier (e.g., 'services:read')")
description = serializers.CharField(help_text="Human-readable description")
class APITokenCreateSerializer(serializers.Serializer):
"""
Serializer for creating a new API token.
The response will include the full token key only once - store it securely!
"""
name = serializers.CharField(
max_length=100,
help_text="Human-readable name for the token (e.g., 'Website Integration')"
)
scopes = serializers.ListField(
child=serializers.ChoiceField(choices=[s[0] for s in APIScope.CHOICES]),
help_text="List of permission scopes for this token"
)
expires_at = serializers.DateTimeField(
required=False,
allow_null=True,
help_text="Optional expiration date (ISO 8601 format)"
)
is_sandbox = serializers.BooleanField(
required=False,
allow_null=True,
default=None,
help_text="If true, creates a test/sandbox token (ss_test_*) instead of live (ss_live_*). If not provided, inherits from current sandbox mode."
)
def validate_scopes(self, value):
"""Validate that at least one scope is provided."""
if not value:
raise serializers.ValidationError("At least one scope is required.")
return value
class APITokenResponseSerializer(serializers.ModelSerializer):
"""
Serializer for API token responses.
Note: The full 'key' is only included in the creation response.
"""
key = serializers.CharField(
read_only=True,
help_text="The full API token key (only shown once on creation)"
)
class Meta:
model = APIToken
fields = [
'id',
'name',
'key',
'key_prefix',
'scopes',
'is_active',
'is_sandbox',
'created_at',
'last_used_at',
'expires_at',
]
read_only_fields = fields
class APITokenListSerializer(serializers.ModelSerializer):
"""Serializer for listing API tokens (without the full key)."""
class Meta:
model = APIToken
fields = [
'id',
'name',
'key_prefix',
'scopes',
'is_active',
'is_sandbox',
'created_at',
'last_used_at',
'expires_at',
]
read_only_fields = fields
# =============================================================================
# Business Serializers
# =============================================================================
class PublicBusinessSerializer(serializers.Serializer):
"""
Serializer for public business information.
Exposes only the information appropriate for external integrations.
"""
id = serializers.UUIDField(
read_only=True,
help_text="Unique business identifier"
)
name = serializers.CharField(
read_only=True,
help_text="Business name"
)
subdomain = serializers.CharField(
read_only=True,
help_text="Business subdomain (e.g., 'mycompany' for mycompany.smoothschedule.com)"
)
logo_url = serializers.URLField(
read_only=True,
allow_null=True,
help_text="URL to the business logo image"
)
primary_color = serializers.CharField(
read_only=True,
help_text="Primary brand color (hex format, e.g., '#3B82F6')"
)
secondary_color = serializers.CharField(
read_only=True,
allow_null=True,
help_text="Secondary brand color (hex format)"
)
timezone = serializers.CharField(
read_only=True,
help_text="Business timezone (e.g., 'America/New_York')"
)
cancellation_window_hours = serializers.IntegerField(
read_only=True,
help_text="Minimum hours before appointment start to allow cancellation"
)
# =============================================================================
# Service Serializers
# =============================================================================
class PublicServiceSerializer(serializers.Serializer):
"""
Serializer for public service information.
Represents a bookable service offered by the business.
"""
id = serializers.UUIDField(
read_only=True,
help_text="Unique service identifier"
)
name = serializers.CharField(
read_only=True,
help_text="Service name"
)
description = serializers.CharField(
read_only=True,
allow_null=True,
help_text="Service description"
)
duration = serializers.IntegerField(
read_only=True,
help_text="Service duration in minutes"
)
price = serializers.DecimalField(
max_digits=10,
decimal_places=2,
read_only=True,
allow_null=True,
help_text="Service price (null if free or price varies)"
)
photos = serializers.ListField(
child=serializers.URLField(),
read_only=True,
help_text="List of photo URLs for the service"
)
is_active = serializers.BooleanField(
read_only=True,
help_text="Whether the service is currently available for booking"
)
# =============================================================================
# Resource Serializers
# =============================================================================
class PublicResourceTypeSerializer(serializers.Serializer):
"""Serializer for resource type information."""
id = serializers.UUIDField(read_only=True)
name = serializers.CharField(read_only=True)
category = serializers.CharField(
read_only=True,
help_text="Category: 'staff' or 'other'"
)
class PublicResourceSerializer(serializers.Serializer):
"""
Serializer for public resource information.
Represents a bookable resource (staff member, room, equipment, etc.)
"""
id = serializers.UUIDField(
read_only=True,
help_text="Unique resource identifier"
)
name = serializers.CharField(
read_only=True,
help_text="Resource name"
)
description = serializers.CharField(
read_only=True,
allow_null=True,
help_text="Resource description"
)
resource_type = PublicResourceTypeSerializer(
read_only=True,
help_text="Resource type information"
)
photo_url = serializers.URLField(
read_only=True,
allow_null=True,
help_text="URL to the resource photo"
)
is_active = serializers.BooleanField(
read_only=True,
help_text="Whether the resource is currently available"
)
# =============================================================================
# Availability Serializers
# =============================================================================
class TimeSlotSerializer(serializers.Serializer):
"""Serializer for an available time slot."""
start_time = serializers.DateTimeField(
help_text="Start time of the slot (ISO 8601)"
)
end_time = serializers.DateTimeField(
help_text="End time of the slot (ISO 8601)"
)
resource_id = serializers.UUIDField(
allow_null=True,
help_text="Resource ID if the slot is tied to a specific resource"
)
resource_name = serializers.CharField(
allow_null=True,
help_text="Resource name if applicable"
)
class AvailabilityRequestSerializer(serializers.Serializer):
"""Serializer for availability query parameters."""
service_id = serializers.UUIDField(
required=True,
help_text="Service ID to check availability for"
)
resource_id = serializers.UUIDField(
required=False,
allow_null=True,
help_text="Optional: specific resource to check"
)
date = serializers.DateField(
required=True,
help_text="Start date for availability check (YYYY-MM-DD)"
)
days = serializers.IntegerField(
required=False,
default=7,
min_value=1,
max_value=30,
help_text="Number of days to check (1-30, default: 7)"
)
class AvailabilityResponseSerializer(serializers.Serializer):
"""Serializer for availability response."""
service = PublicServiceSerializer(help_text="Service information")
date_range = serializers.DictField(
help_text="Date range checked",
child=serializers.DateField()
)
slots = TimeSlotSerializer(
many=True,
help_text="Available time slots"
)
# =============================================================================
# Appointment/Booking Serializers
# =============================================================================
class PublicCustomerSerializer(serializers.Serializer):
"""Serializer for customer information in appointments."""
id = serializers.UUIDField(read_only=True)
name = serializers.CharField(read_only=True)
email = serializers.EmailField(read_only=True)
phone = serializers.CharField(read_only=True, allow_null=True)
class PublicAppointmentSerializer(serializers.Serializer):
"""
Serializer for appointment information.
Represents a scheduled appointment/booking.
"""
id = serializers.UUIDField(
read_only=True,
help_text="Unique appointment identifier"
)
service = PublicServiceSerializer(
read_only=True,
help_text="Service being booked"
)
resource = PublicResourceSerializer(
read_only=True,
allow_null=True,
help_text="Resource assigned (if applicable)"
)
customer = PublicCustomerSerializer(
read_only=True,
help_text="Customer information"
)
start_time = serializers.DateTimeField(
read_only=True,
help_text="Appointment start time (ISO 8601)"
)
end_time = serializers.DateTimeField(
read_only=True,
help_text="Appointment end time (ISO 8601)"
)
status = serializers.ChoiceField(
choices=['scheduled', 'confirmed', 'cancelled', 'completed', 'no_show'],
read_only=True,
help_text="Appointment status"
)
notes = serializers.CharField(
read_only=True,
allow_null=True,
help_text="Notes for the appointment"
)
created_at = serializers.DateTimeField(
read_only=True,
help_text="When the appointment was created"
)
class AppointmentCreateSerializer(serializers.Serializer):
"""
Serializer for creating a new appointment.
You must provide either customer_id (for existing customer)
or customer details (email required, name and phone optional).
"""
service_id = serializers.UUIDField(
required=True,
help_text="ID of the service to book"
)
resource_id = serializers.UUIDField(
required=False,
allow_null=True,
help_text="Optional: specific resource to book with"
)
start_time = serializers.DateTimeField(
required=True,
help_text="Requested start time (ISO 8601)"
)
notes = serializers.CharField(
required=False,
allow_blank=True,
max_length=1000,
help_text="Optional notes for the appointment"
)
# Customer identification - either ID or details
customer_id = serializers.UUIDField(
required=False,
allow_null=True,
help_text="ID of an existing customer"
)
customer_email = serializers.EmailField(
required=False,
help_text="Customer email (required if customer_id not provided)"
)
customer_name = serializers.CharField(
required=False,
max_length=200,
help_text="Customer name"
)
customer_phone = serializers.CharField(
required=False,
max_length=20,
help_text="Customer phone number"
)
def validate(self, data):
"""Validate that either customer_id or customer_email is provided."""
customer_id = data.get('customer_id')
customer_email = data.get('customer_email')
if not customer_id and not customer_email:
raise serializers.ValidationError({
'customer_id': 'Either customer_id or customer_email is required.',
'customer_email': 'Either customer_id or customer_email is required.',
})
return data
class AppointmentUpdateSerializer(serializers.Serializer):
"""Serializer for updating/rescheduling an appointment."""
start_time = serializers.DateTimeField(
required=False,
help_text="New start time (ISO 8601)"
)
resource_id = serializers.UUIDField(
required=False,
allow_null=True,
help_text="New resource assignment"
)
notes = serializers.CharField(
required=False,
allow_blank=True,
max_length=1000,
help_text="Updated notes"
)
status = serializers.ChoiceField(
choices=['confirmed', 'completed'],
required=False,
help_text="Update status (limited options via API)"
)
class AppointmentCancelSerializer(serializers.Serializer):
"""Serializer for cancelling an appointment."""
reason = serializers.CharField(
required=False,
allow_blank=True,
max_length=500,
help_text="Optional cancellation reason"
)
# =============================================================================
# Customer Serializers
# =============================================================================
class CustomerCreateSerializer(serializers.Serializer):
"""Serializer for creating a new customer."""
email = serializers.EmailField(
required=True,
help_text="Customer email address"
)
name = serializers.CharField(
required=True,
max_length=200,
help_text="Customer full name"
)
phone = serializers.CharField(
required=False,
max_length=20,
allow_blank=True,
help_text="Customer phone number"
)
notes = serializers.CharField(
required=False,
allow_blank=True,
help_text="Notes about the customer"
)
class CustomerUpdateSerializer(serializers.Serializer):
"""Serializer for updating customer information."""
name = serializers.CharField(
required=False,
max_length=200,
help_text="Customer full name"
)
phone = serializers.CharField(
required=False,
max_length=20,
allow_blank=True,
help_text="Customer phone number"
)
notes = serializers.CharField(
required=False,
allow_blank=True,
help_text="Notes about the customer"
)
class CustomerDetailSerializer(serializers.Serializer):
"""Detailed customer information including appointment history."""
id = serializers.UUIDField(read_only=True)
email = serializers.EmailField(read_only=True)
name = serializers.CharField(read_only=True)
phone = serializers.CharField(read_only=True, allow_null=True)
created_at = serializers.DateTimeField(read_only=True)
total_appointments = serializers.IntegerField(
read_only=True,
help_text="Total number of appointments"
)
last_appointment_at = serializers.DateTimeField(
read_only=True,
allow_null=True,
help_text="Date of last appointment"
)
# =============================================================================
# Webhook Serializers
# =============================================================================
class WebhookEventSerializer(serializers.Serializer):
"""Serializer for listing available webhook events."""
event = serializers.CharField(help_text="Event type identifier")
description = serializers.CharField(help_text="Human-readable description")
class WebhookSubscriptionCreateSerializer(serializers.Serializer):
"""Serializer for creating a webhook subscription."""
url = serializers.URLField(
required=True,
help_text="HTTPS URL to receive webhook payloads"
)
events = serializers.ListField(
child=serializers.ChoiceField(choices=[e[0] for e in WebhookEvent.CHOICES]),
required=True,
help_text="List of event types to subscribe to"
)
description = serializers.CharField(
required=False,
allow_blank=True,
help_text="Optional description for this webhook"
)
def validate_url(self, value):
"""Validate that the URL uses HTTPS."""
if not value.startswith('https://'):
raise serializers.ValidationError("Webhook URL must use HTTPS.")
return value
def validate_events(self, value):
"""Validate that at least one event is specified."""
if not value:
raise serializers.ValidationError("At least one event is required.")
return value
class WebhookSubscriptionSerializer(serializers.ModelSerializer):
"""Serializer for webhook subscription responses."""
class Meta:
model = WebhookSubscription
fields = [
'id',
'url',
'events',
'description',
'is_active',
'created_at',
'failure_count',
'last_triggered_at',
'last_success_at',
'last_failure_at',
]
read_only_fields = fields
class WebhookSubscriptionWithSecretSerializer(WebhookSubscriptionSerializer):
"""Serializer that includes the secret (only on creation)."""
secret = serializers.CharField(
read_only=True,
help_text="Secret for verifying webhook signatures (shown only once)"
)
class Meta(WebhookSubscriptionSerializer.Meta):
fields = WebhookSubscriptionSerializer.Meta.fields + ['secret']
class WebhookSubscriptionUpdateSerializer(serializers.Serializer):
"""Serializer for updating a webhook subscription."""
url = serializers.URLField(
required=False,
help_text="New URL (must be HTTPS)"
)
events = serializers.ListField(
child=serializers.ChoiceField(choices=[e[0] for e in WebhookEvent.CHOICES]),
required=False,
help_text="New list of events"
)
is_active = serializers.BooleanField(
required=False,
help_text="Enable or disable the subscription"
)
description = serializers.CharField(
required=False,
allow_blank=True,
help_text="Updated description"
)
def validate_url(self, value):
"""Validate that the URL uses HTTPS."""
if value and not value.startswith('https://'):
raise serializers.ValidationError("Webhook URL must use HTTPS.")
return value
class WebhookDeliverySerializer(serializers.ModelSerializer):
"""Serializer for webhook delivery history."""
class Meta:
model = WebhookDelivery
fields = [
'id',
'event_type',
'event_id',
'response_status',
'created_at',
'delivered_at',
'success',
'retry_count',
'error_message',
]
read_only_fields = fields
class WebhookDeliveryDetailSerializer(WebhookDeliverySerializer):
"""Detailed webhook delivery including payload."""
payload = serializers.JSONField(
read_only=True,
help_text="The payload that was sent"
)
response_body = serializers.CharField(
read_only=True,
help_text="Response body received (truncated)"
)
class Meta(WebhookDeliverySerializer.Meta):
fields = WebhookDeliverySerializer.Meta.fields + ['payload', 'response_body']
# =============================================================================
# Error Serializers
# =============================================================================
class ErrorSerializer(serializers.Serializer):
"""Standard error response format."""
error = serializers.CharField(
help_text="Error code (e.g., 'validation_error', 'not_found')"
)
message = serializers.CharField(
help_text="Human-readable error message"
)
details = serializers.DictField(
required=False,
help_text="Field-specific error details (for validation errors)"
)
class RateLimitErrorSerializer(ErrorSerializer):
"""Rate limit exceeded error response."""
retry_after = serializers.IntegerField(
help_text="Seconds to wait before retrying"
)

189
smoothschedule/smoothschedule/public_api/signals.py Normal file
View File

@@ -0,0 +1,189 @@
"""
Public API Signals
Signal handlers for triggering webhooks when events occur.
"""
from django.db.models.signals import post_save, post_delete
from django.dispatch import receiver
# Import models that trigger webhook events
# These imports are deferred to avoid circular imports
def trigger_webhook(tenant, event_type, data):
"""
Trigger webhooks for a specific event.
This function queues webhook deliveries for all active subscriptions
that are subscribed to the given event type.
Args:
tenant: The Tenant instance
event_type: String event type (e.g., 'appointment.created')
data: Dict of event data to include in the payload
"""
from .models import WebhookSubscription
from .webhooks import queue_webhook_delivery
# Find all active subscriptions for this tenant that want this event
subscriptions = WebhookSubscription.objects.filter(
tenant=tenant,
is_active=True,
events__contains=[event_type]
)
for subscription in subscriptions:
queue_webhook_delivery(subscription, event_type, data)
# =============================================================================
# Appointment/Event Signals
# =============================================================================
# Note: These signal handlers are examples. They need to be connected to the
# actual models once we verify the model structure.
def handle_appointment_created(sender, instance, created, **kwargs):
"""Handle appointment creation."""
if not created:
return
try:
tenant = instance.tenant if hasattr(instance, 'tenant') else None
if not tenant:
return
data = {
'id': str(instance.id),
'start_time': instance.start.isoformat() if instance.start else None,
'end_time': instance.end.isoformat() if instance.end else None,
'status': instance.status,
# Add more fields as needed
}
trigger_webhook(tenant, 'appointment.created', data)
except Exception:
# Don't let webhook errors break the main flow
pass
def handle_appointment_updated(sender, instance, **kwargs):
"""Handle appointment updates."""
try:
tenant = instance.tenant if hasattr(instance, 'tenant') else None
if not tenant:
return
data = {
'id': str(instance.id),
'start_time': instance.start.isoformat() if instance.start else None,
'end_time': instance.end.isoformat() if instance.end else None,
'status': instance.status,
}
trigger_webhook(tenant, 'appointment.updated', data)
except Exception:
pass
def handle_appointment_cancelled(sender, instance, **kwargs):
"""Handle appointment cancellation."""
try:
# Check if status changed to CANCELLED
if instance.status != 'CANCELLED':
return
tenant = instance.tenant if hasattr(instance, 'tenant') else None
if not tenant:
return
data = {
'id': str(instance.id),
'start_time': instance.start.isoformat() if instance.start else None,
'end_time': instance.end.isoformat() if instance.end else None,
'status': instance.status,
}
trigger_webhook(tenant, 'appointment.cancelled', data)
except Exception:
pass
# =============================================================================
# Customer Signals
# =============================================================================
def handle_customer_created(sender, instance, created, **kwargs):
"""Handle customer creation."""
if not created:
return
try:
# Check if this is a customer
if getattr(instance, 'role', None) != 'CUSTOMER':
return
tenant = instance.tenant if hasattr(instance, 'tenant') else None
if not tenant:
return
data = {
'id': str(instance.id),
'email': instance.email,
'name': instance.get_full_name() if hasattr(instance, 'get_full_name') else None,
}
trigger_webhook(tenant, 'customer.created', data)
except Exception:
pass
def handle_customer_updated(sender, instance, **kwargs):
"""Handle customer updates."""
try:
if getattr(instance, 'role', None) != 'CUSTOMER':
return
tenant = instance.tenant if hasattr(instance, 'tenant') else None
if not tenant:
return
data = {
'id': str(instance.id),
'email': instance.email,
'name': instance.get_full_name() if hasattr(instance, 'get_full_name') else None,
}
trigger_webhook(tenant, 'customer.updated', data)
except Exception:
pass
# =============================================================================
# Signal Registration
# =============================================================================
def register_webhook_signals():
"""
Register signal handlers for webhook events.
Call this from the app's ready() method to set up the signals.
"""
try:
from smoothschedule.schedule.models import Event
post_save.connect(handle_appointment_created, sender=Event, dispatch_uid='webhook_appointment_created')
post_save.connect(handle_appointment_updated, sender=Event, dispatch_uid='webhook_appointment_updated')
except ImportError:
pass
try:
from smoothschedule.users.models import User
post_save.connect(handle_customer_created, sender=User, dispatch_uid='webhook_customer_created')
post_save.connect(handle_customer_updated, sender=User, dispatch_uid='webhook_customer_updated')
except ImportError:
pass
# Auto-register signals when this module is imported
# (Called from apps.py ready() method)

280
smoothschedule/smoothschedule/public_api/tests_token_security.py Normal file
View File

@@ -0,0 +1,280 @@
"""
CRITICAL SECURITY TESTS for API Token plaintext storage.
These tests verify that live/production tokens can NEVER have their
plaintext keys stored in the database, only sandbox/test tokens.
"""
from django.test import TestCase
from django.core.exceptions import ValidationError
from core.models import Tenant
from smoothschedule.users.models import User
from smoothschedule.public_api.models import APIToken
class APITokenPlaintextSecurityTests(TestCase):
"""
Test suite to verify that plaintext tokens are NEVER stored for live tokens.
SECURITY CRITICAL: These tests ensure that production API tokens cannot
accidentally leak by being stored in plaintext.
"""
def setUp(self):
"""Set up test tenant and user."""
# Create a test tenant
self.tenant = Tenant.objects.create(
schema_name='test_security',
name='Test Security Tenant'
)
# Create domain for the tenant
from core.models import Domain
self.domain = Domain.objects.create(
domain='test-security.localhost',
tenant=self.tenant,
is_primary=True
)
# Create a test user
self.user = User.objects.create_user(
username='testuser',
email='test@example.com',
password='testpass123',
tenant=self.tenant
)
def test_sandbox_token_can_store_plaintext(self):
"""
Sandbox tokens SHOULD be allowed to store plaintext keys.
This is safe because they only work with test data.
"""
# Generate a sandbox token
full_key, key_hash, key_prefix = APIToken.generate_key(is_sandbox=True)
# Verify it's a test token
self.assertTrue(full_key.startswith('ss_test_'))
# Create token with plaintext - should succeed
token = APIToken.objects.create(
tenant=self.tenant,
name='Test Sandbox Token',
key_hash=key_hash,
key_prefix=key_prefix,
scopes=['services:read'],
created_by=self.user,
is_sandbox=True,
plaintext_key=full_key # ALLOWED for sandbox tokens
)
# Verify it was saved
self.assertIsNotNone(token.id)
self.assertEqual(token.plaintext_key, full_key)
self.assertTrue(token.is_sandbox)
def test_live_token_cannot_store_plaintext(self):
"""
SECURITY TEST: Live tokens must NEVER store plaintext keys.
This test verifies the model validation prevents this.
"""
# Generate a live token
full_key, key_hash, key_prefix = APIToken.generate_key(is_sandbox=False)
# Verify it's a live token
self.assertTrue(full_key.startswith('ss_live_'))
# Try to create token with plaintext - should FAIL
with self.assertRaises(ValidationError) as context:
token = APIToken(
tenant=self.tenant,
name='Test Live Token',
key_hash=key_hash,
key_prefix=key_prefix,
scopes=['services:read'],
created_by=self.user,
is_sandbox=False,
plaintext_key=full_key # NOT ALLOWED for live tokens
)
token.save() # This should raise ValidationError
# Verify the error message mentions security violation
error_dict = context.exception.message_dict
self.assertIn('plaintext_key', error_dict)
self.assertIn('SECURITY VIOLATION', str(error_dict['plaintext_key'][0]))
self.assertIn('live/production tokens', str(error_dict['plaintext_key'][0]))
def test_cannot_store_ss_live_in_plaintext(self):
"""
SECURITY TEST: Even for sandbox tokens, we should never accept
a plaintext key that starts with ss_live_*.
This is a belt-and-suspenders check to catch bugs in token generation.
"""
# Generate a live token (to get the ss_live_* format)
live_key, key_hash, key_prefix = APIToken.generate_key(is_sandbox=False)
# Try to create a token marked as sandbox but with a live key plaintext
with self.assertRaises(ValidationError) as context:
token = APIToken(
tenant=self.tenant,
name='Malicious Token',
key_hash=key_hash,
key_prefix=key_prefix,
scopes=['services:read'],
created_by=self.user,
is_sandbox=True, # Marked as sandbox
plaintext_key=live_key # But trying to store ss_live_* plaintext
)
token.save() # This should raise ValidationError
# Verify the error mentions ss_live_
error_dict = context.exception.message_dict
self.assertIn('plaintext_key', error_dict)
self.assertIn('ss_live_', str(error_dict['plaintext_key'][0]))
self.assertIn('SECURITY VIOLATION', str(error_dict['plaintext_key'][0]))
def test_plaintext_must_start_with_ss_test(self):
"""
SECURITY TEST: Any plaintext key must start with ss_test_*.
Invalid formats should be rejected.
"""
_, key_hash, key_prefix = APIToken.generate_key(is_sandbox=True)
# Try with an invalid plaintext format
with self.assertRaises(ValidationError) as context:
token = APIToken(
tenant=self.tenant,
name='Invalid Token',
key_hash=key_hash,
key_prefix=key_prefix,
scopes=['services:read'],
created_by=self.user,
is_sandbox=True,
plaintext_key='invalid_format_123456789' # Wrong format
)
token.save()
# Verify the error
error_dict = context.exception.message_dict
self.assertIn('plaintext_key', error_dict)
self.assertIn('ss_test_', str(error_dict['plaintext_key'][0]))
def test_live_token_without_plaintext_succeeds(self):
"""
Live tokens WITHOUT plaintext should save successfully.
This is the normal, secure operation.
"""
# Generate a live token
full_key, key_hash, key_prefix = APIToken.generate_key(is_sandbox=False)
# Create token WITHOUT plaintext - should succeed
token = APIToken.objects.create(
tenant=self.tenant,
name='Normal Live Token',
key_hash=key_hash,
key_prefix=key_prefix,
scopes=['services:read'],
created_by=self.user,
is_sandbox=False,
plaintext_key=None # Correct: no plaintext for live tokens
)
# Verify it was saved
self.assertIsNotNone(token.id)
self.assertIsNone(token.plaintext_key)
self.assertFalse(token.is_sandbox)
def test_updating_live_token_to_add_plaintext_fails(self):
"""
SECURITY TEST: Even updating an existing live token to add
plaintext should fail.
"""
# Create a live token without plaintext (normal case)
full_key, key_hash, key_prefix = APIToken.generate_key(is_sandbox=False)
token = APIToken.objects.create(
tenant=self.tenant,
name='Live Token',
key_hash=key_hash,
key_prefix=key_prefix,
scopes=['services:read'],
created_by=self.user,
is_sandbox=False,
plaintext_key=None
)
# Try to update it to add plaintext
with self.assertRaises(ValidationError):
token.plaintext_key = full_key # Try to add plaintext
token.save() # Should fail
def test_sandbox_token_plaintext_matches_hash(self):
"""
Verify that for sandbox tokens, the plaintext key when hashed
matches the stored key_hash.
"""
# Generate a sandbox token
full_key, key_hash, key_prefix = APIToken.generate_key(is_sandbox=True)
# Create token with plaintext
token = APIToken.objects.create(
tenant=self.tenant,
name='Test Token',
key_hash=key_hash,
key_prefix=key_prefix,
scopes=['services:read'],
created_by=self.user,
is_sandbox=True,
plaintext_key=full_key
)
# Verify the plaintext hashes to the same value
computed_hash = APIToken.hash_key(token.plaintext_key)
self.assertEqual(computed_hash, token.key_hash)
def test_bulk_create_cannot_bypass_validation(self):
"""
SECURITY TEST: Ensure bulk_create doesn't bypass validation.
Note: Django's bulk_create doesn't call save(), so we need to be careful.
"""
# For now, document that bulk_create should not be used for APITokens
# or should be wrapped to call full_clean()
# This test documents the limitation
live_key, key_hash, key_prefix = APIToken.generate_key(is_sandbox=False)
# Bulk create would bypass our save() validation
# This is a known Django limitation - document it
# In production code, never use bulk_create for APIToken
pass # Documenting the risk
def test_none_plaintext_always_allowed(self):
"""
Both sandbox and live tokens can have plaintext_key=None.
This should always be allowed.
"""
# Test with sandbox token
sandbox_key, key_hash1, key_prefix1 = APIToken.generate_key(is_sandbox=True)
sandbox_token = APIToken.objects.create(
tenant=self.tenant,
name='Sandbox No Plaintext',
key_hash=key_hash1,
key_prefix=key_prefix1,
scopes=['services:read'],
created_by=self.user,
is_sandbox=True,
plaintext_key=None # Allowed
)
self.assertIsNone(sandbox_token.plaintext_key)
# Test with live token
live_key, key_hash2, key_prefix2 = APIToken.generate_key(is_sandbox=False)
live_token = APIToken.objects.create(
tenant=self.tenant,
name='Live No Plaintext',
key_hash=key_hash2,
key_prefix=key_prefix2,
scopes=['services:read'],
created_by=self.user,
is_sandbox=False,
plaintext_key=None # Allowed
)
self.assertIsNone(live_token.plaintext_key)

195
smoothschedule/smoothschedule/public_api/throttling.py Normal file
View File

@@ -0,0 +1,195 @@
"""
Public API Rate Limiting / Throttling
This module provides rate limiting for the public API using a
global limit with burst allowance strategy.
Rate Limits:
- Global: 1000 requests per hour per token
- Burst: 100 requests per minute (allows short bursts of traffic)
Response Headers:
- X-RateLimit-Limit: Total requests allowed per hour
- X-RateLimit-Remaining: Requests remaining in current hour
- X-RateLimit-Reset: Unix timestamp when the limit resets
- X-RateLimit-Burst-Limit: Requests allowed per minute
- X-RateLimit-Burst-Remaining: Requests remaining in current minute
"""
import time
from django.core.cache import cache
from rest_framework.throttling import BaseThrottle
class GlobalBurstRateThrottle(BaseThrottle):
"""
Rate throttle with global hourly limit and burst minute limit.
This throttle implements a two-tier rate limiting strategy:
1. Global limit: Maximum requests per hour
2. Burst limit: Maximum requests per minute (allows short bursts)
Both limits must be satisfied for the request to proceed.
The throttle uses Redis/cache to track request counts per token,
with separate counters for hourly and minute windows.
Attributes:
RATE_HOUR: Maximum requests per hour (default: 1000)
RATE_MINUTE: Maximum requests per minute (default: 100)
"""
RATE_HOUR = 1000
RATE_MINUTE = 100
cache_format = 'api_throttle_{scope}_{token_id}_{window}'
def __init__(self):
self.history = {}
self.now = None
self.token = None
def allow_request(self, request, view):
"""
Check if the request should be allowed.
Returns True if both hourly and minute limits allow the request.
Stores rate limit info on the request for header generation.
"""
self.now = time.time()
# Get the API token
self.token = getattr(request, 'api_token', None)
if self.token is None:
# No API token, don't throttle (other auth or unauthenticated)
return True
# Check for custom rate limit override on token
hourly_limit = self.token.rate_limit_override or self.RATE_HOUR
minute_limit = self.RATE_MINUTE
# Check hourly limit
hourly_allowed, hourly_remaining, hourly_reset = self._check_rate(
'hourly',
hourly_limit,
3600 # 1 hour in seconds
)
# Check minute limit (burst)
minute_allowed, minute_remaining, minute_reset = self._check_rate(
'minute',
minute_limit,
60 # 1 minute in seconds
)
# Store rate limit info for headers
request.rate_limit_info = {
'limit': hourly_limit,
'remaining': hourly_remaining,
'reset': hourly_reset,
'burst_limit': minute_limit,
'burst_remaining': minute_remaining,
}
# Must pass both checks
if not hourly_allowed or not minute_allowed:
# Determine which limit was exceeded for wait time
if not hourly_allowed:
self.wait_time = hourly_reset - self.now
else:
self.wait_time = minute_reset - self.now
return False
return True
def _check_rate(self, scope, limit, duration):
"""
Check if request is within rate limit for the given scope/duration.
Args:
scope: 'hourly' or 'minute'
limit: Maximum requests allowed in the duration
duration: Time window in seconds
Returns:
tuple: (allowed, remaining, reset_timestamp)
"""
cache_key = self.cache_format.format(
scope=scope,
token_id=str(self.token.id),
window=int(self.now // duration)
)
# Get current count from cache
count = cache.get(cache_key, 0)
# Calculate remaining and reset time
remaining = max(0, limit - count - 1)
reset_timestamp = int((int(self.now // duration) + 1) * duration)
if count >= limit:
return False, 0, reset_timestamp
# Increment counter
try:
# Use atomic increment if available
new_count = cache.incr(cache_key)
except ValueError:
# Key doesn't exist, set it
new_count = 1
cache.set(cache_key, new_count, timeout=duration + 10)
return True, max(0, limit - new_count), reset_timestamp
def wait(self):
"""
Return the number of seconds to wait before the next request.
"""
return getattr(self, 'wait_time', 60)
class RateLimitHeadersMixin:
"""
Mixin for views to add rate limit headers to responses.
Add this mixin to views that use GlobalBurstRateThrottle to
automatically include rate limit headers in all responses.
Usage:
class MyView(RateLimitHeadersMixin, APIView):
throttle_classes = [GlobalBurstRateThrottle]
"""
def finalize_response(self, request, response, *args, **kwargs):
"""Add rate limit headers to the response."""
response = super().finalize_response(request, response, *args, **kwargs)
rate_limit_info = getattr(request, 'rate_limit_info', None)
if rate_limit_info:
response['X-RateLimit-Limit'] = rate_limit_info['limit']
response['X-RateLimit-Remaining'] = rate_limit_info['remaining']
response['X-RateLimit-Reset'] = rate_limit_info['reset']
response['X-RateLimit-Burst-Limit'] = rate_limit_info['burst_limit']
response['X-RateLimit-Burst-Remaining'] = rate_limit_info['burst_remaining']
return response
def get_throttle_response_data(request):
"""
Get data for a 429 Too Many Requests response.
Args:
request: The HTTP request object
Returns:
dict: Response data with error details and retry info
"""
rate_limit_info = getattr(request, 'rate_limit_info', {})
reset_time = rate_limit_info.get('reset', int(time.time()) + 60)
retry_after = max(1, reset_time - int(time.time()))
return {
'error': 'rate_limit_exceeded',
'message': 'API rate limit exceeded. Please wait before making more requests.',
'retry_after': retry_after,
}

150
smoothschedule/smoothschedule/public_api/urls.py Normal file
View File

@@ -0,0 +1,150 @@
"""
Public API v1 URL Configuration
All endpoints are prefixed with /api/v1/
API Documentation:
- Schema: /api/v1/schema/
- Interactive docs: /api/v1/docs/
"""
from django.urls import path, include
from rest_framework.routers import DefaultRouter
from drf_spectacular.views import (
SpectacularAPIView,
SpectacularSwaggerView,
SpectacularRedocView,
)
from rest_framework.permissions import AllowAny
from .views import (
APITokenViewSet,
PublicBusinessView,
PublicServiceViewSet,
PublicResourceViewSet,
AvailabilityView,
PublicAppointmentViewSet,
PublicCustomerViewSet,
WebhookViewSet,
)
app_name = 'public_api'
# Router for viewsets
router = DefaultRouter()
router.register(r'tokens', APITokenViewSet, basename='api-tokens')
router.register(r'services', PublicServiceViewSet, basename='services')
router.register(r'resources', PublicResourceViewSet, basename='resources')
router.register(r'appointments', PublicAppointmentViewSet, basename='appointments')
router.register(r'customers', PublicCustomerViewSet, basename='customers')
router.register(r'webhooks', WebhookViewSet, basename='webhooks')
class PublicSchemaView(SpectacularAPIView):
"""Public API schema with no authentication required."""
permission_classes = [AllowAny]
authentication_classes = []
class PublicSwaggerView(SpectacularSwaggerView):
"""Public Swagger UI with no authentication required."""
permission_classes = [AllowAny]
authentication_classes = []
class PublicRedocView(SpectacularRedocView):
"""Public ReDoc with no authentication required."""
permission_classes = [AllowAny]
authentication_classes = []
urlpatterns = [
# OpenAPI Schema & Documentation (public, no auth required)
path('schema/', PublicSchemaView.as_view(
urlconf='smoothschedule.public_api.urls',
custom_settings={
'TITLE': 'SmoothSchedule Public API',
'DESCRIPTION': '''
# SmoothSchedule Public API v1
This API allows third-party integrations to access business data and manage appointments.
## Authentication
All requests must include an API token in the Authorization header:
```
Authorization: Bearer ss_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```
API tokens can be created in the business settings. Each token has specific scopes
that determine what operations it can perform.
## Rate Limiting
- **Global limit:** 1000 requests per hour
- **Burst limit:** 100 requests per minute
Rate limit headers are included in every response:
- `X-RateLimit-Limit`: Total requests allowed per hour
- `X-RateLimit-Remaining`: Requests remaining
- `X-RateLimit-Reset`: Unix timestamp when the limit resets
## Webhooks
Subscribe to real-time event notifications by creating webhook subscriptions.
All webhooks include an HMAC-SHA256 signature in the `X-Webhook-Signature` header
for verification.
## Error Responses
All errors follow this format:
```json
{
"error": "error_code",
"message": "Human-readable message",
"details": { "field": ["error"] }
}
```
## Scopes
| Scope | Description |
|-------|-------------|
| `services:read` | View services and pricing |
| `resources:read` | View resources and staff |
| `availability:read` | Check time slot availability |
| `bookings:read` | View appointments |
| `bookings:write` | Create, update, cancel appointments |
| `customers:read` | View customer information |
| `customers:write` | Create and update customers |
| `business:read` | View business information |
| `webhooks:manage` | Manage webhook subscriptions |
''',
'VERSION': '1.0.0',
'CONTACT': {
'name': 'API Support',
'email': 'api-support@smoothschedule.com',
},
'TAGS': [
{'name': 'Business', 'description': 'Business information'},
{'name': 'Services', 'description': 'Service management'},
{'name': 'Resources', 'description': 'Resource/staff management'},
{'name': 'Availability', 'description': 'Availability checking'},
{'name': 'Appointments', 'description': 'Appointment/booking management'},
{'name': 'Customers', 'description': 'Customer management'},
{'name': 'Webhooks', 'description': 'Webhook subscriptions'},
{'name': 'Tokens', 'description': 'API token management'},
],
}
), name='schema'),
path('docs/', PublicSwaggerView.as_view(url_name='public_api:schema'), name='swagger-ui'),
path('redoc/', PublicRedocView.as_view(url_name='public_api:schema'), name='redoc'),
# API Endpoints
path('business/', PublicBusinessView.as_view(), name='business'),
path('availability/', AvailabilityView.as_view(), name='availability'),
# ViewSet routes
path('', include(router.urls)),
]

1283
smoothschedule/smoothschedule/public_api/views.py Normal file
View File

File diff suppressed because it is too large Load Diff

307
smoothschedule/smoothschedule/public_api/webhooks.py Normal file
View File

@@ -0,0 +1,307 @@
"""
Webhook Delivery System
This module handles the delivery of webhooks to external URLs.
Webhooks are signed with HMAC-SHA256 and include retry logic.
"""
import hashlib
import hmac
import json
import time
import uuid
import requests
from django.utils import timezone
def generate_signature(payload: str, secret: str, timestamp: int) -> str:
"""
Generate HMAC-SHA256 signature for webhook payload.
The signature is computed as: HMAC-SHA256(timestamp.payload, secret)
Args:
payload: JSON string of the webhook payload
secret: The webhook subscription's secret key
timestamp: Unix timestamp when the webhook was sent
Returns:
Hexadecimal signature string
"""
message = f"{timestamp}.{payload}"
signature = hmac.new(
secret.encode('utf-8'),
message.encode('utf-8'),
hashlib.sha256
).hexdigest()
return signature
def verify_signature(payload: str, secret: str, timestamp: int, signature: str) -> bool:
"""
Verify a webhook signature.
Args:
payload: JSON string of the webhook payload
secret: The webhook subscription's secret key
timestamp: Unix timestamp from the X-Webhook-Timestamp header
signature: Signature from the X-Webhook-Signature header
Returns:
True if signature is valid, False otherwise
"""
expected = generate_signature(payload, secret, timestamp)
return hmac.compare_digest(expected, signature)
def create_webhook_payload(event_type: str, data: dict) -> dict:
"""
Create a standardized webhook payload.
Args:
event_type: The event type (e.g., 'appointment.created')
data: The event data to include
Returns:
Complete webhook payload dict
"""
return {
'id': f"evt_{uuid.uuid4().hex[:24]}",
'type': event_type,
'created_at': timezone.now().isoformat(),
'data': data,
}
def deliver_webhook(subscription, event_type: str, data: dict) -> bool:
"""
Synchronously deliver a webhook to the subscription URL.
This function creates a WebhookDelivery record, sends the webhook,
and updates the delivery status based on the response.
Args:
subscription: WebhookSubscription instance
event_type: The event type being delivered
data: The event data
Returns:
True if delivery succeeded, False otherwise
"""
from .models import WebhookDelivery
# Create the payload
payload = create_webhook_payload(event_type, data)
payload_json = json.dumps(payload, separators=(',', ':'))
# Generate timestamp and signature
timestamp = int(time.time())
signature = generate_signature(payload_json, subscription.secret, timestamp)
# Create delivery record
delivery = WebhookDelivery.objects.create(
subscription=subscription,
event_type=event_type,
event_id=payload['id'],
payload=payload,
)
# Prepare headers
headers = {
'Content-Type': 'application/json',
'User-Agent': 'SmoothSchedule-Webhook/1.0',
'X-Webhook-ID': payload['id'],
'X-Webhook-Timestamp': str(timestamp),
'X-Webhook-Signature': signature,
}
# Send the webhook
try:
response = requests.post(
subscription.url,
data=payload_json,
headers=headers,
timeout=30, # 30 second timeout
)
if 200 <= response.status_code < 300:
delivery.mark_success(response.status_code, response.text[:10240])
return True
else:
delivery.mark_failure(
f"HTTP {response.status_code}",
status_code=response.status_code,
response_body=response.text[:10240]
)
return False
except requests.exceptions.Timeout:
delivery.mark_failure("Request timed out after 30 seconds")
return False
except requests.exceptions.ConnectionError as e:
delivery.mark_failure(f"Connection error: {str(e)[:200]}")
return False
except requests.exceptions.RequestException as e:
delivery.mark_failure(f"Request failed: {str(e)[:200]}")
return False
except Exception as e:
delivery.mark_failure(f"Unexpected error: {str(e)[:200]}")
return False
def queue_webhook_delivery(subscription, event_type: str, data: dict):
"""
Queue a webhook for delivery.
In production, this should use Celery or another task queue.
For now, we deliver synchronously but catch all errors to not
block the main request.
Args:
subscription: WebhookSubscription instance
event_type: The event type being delivered
data: The event data
"""
try:
# TODO: In production, use Celery:
# deliver_webhook_task.delay(subscription.id, event_type, data)
# For now, deliver synchronously
deliver_webhook(subscription, event_type, data)
except Exception:
# Never let webhook delivery failures affect the main flow
pass
def retry_failed_webhooks():
"""
Retry failed webhook deliveries that are due for retry.
This function should be called periodically (e.g., every minute)
by a scheduled task to retry failed deliveries.
"""
from .models import WebhookDelivery
now = timezone.now()
# Find deliveries due for retry
deliveries = WebhookDelivery.objects.filter(
success=False,
next_retry_at__lte=now,
subscription__is_active=True,
).select_related('subscription')[:100] # Process in batches
for delivery in deliveries:
try:
# Re-deliver the webhook
subscription = delivery.subscription
payload_json = json.dumps(delivery.payload, separators=(',', ':'))
timestamp = int(time.time())
signature = generate_signature(payload_json, subscription.secret, timestamp)
headers = {
'Content-Type': 'application/json',
'User-Agent': 'SmoothSchedule-Webhook/1.0',
'X-Webhook-ID': delivery.event_id,
'X-Webhook-Timestamp': str(timestamp),
'X-Webhook-Signature': signature,
'X-Webhook-Retry': str(delivery.retry_count),
}
response = requests.post(
subscription.url,
data=payload_json,
headers=headers,
timeout=30,
)
if 200 <= response.status_code < 300:
delivery.mark_success(response.status_code, response.text[:10240])
else:
delivery.mark_failure(
f"HTTP {response.status_code}",
status_code=response.status_code,
response_body=response.text[:10240]
)
except requests.exceptions.Timeout:
delivery.mark_failure("Request timed out after 30 seconds")
except requests.exceptions.ConnectionError as e:
delivery.mark_failure(f"Connection error: {str(e)[:200]}")
except requests.exceptions.RequestException as e:
delivery.mark_failure(f"Request failed: {str(e)[:200]}")
except Exception as e:
delivery.mark_failure(f"Unexpected error: {str(e)[:200]}")
def send_test_webhook(subscription) -> dict:
"""
Send a test webhook to verify the subscription endpoint.
Args:
subscription: WebhookSubscription instance
Returns:
Dict with 'success', 'status_code', and 'message' keys
"""
test_data = {
'message': 'This is a test webhook from SmoothSchedule',
'subscription_id': str(subscription.id),
'timestamp': timezone.now().isoformat(),
}
payload = create_webhook_payload('test', test_data)
payload_json = json.dumps(payload, separators=(',', ':'))
timestamp = int(time.time())
signature = generate_signature(payload_json, subscription.secret, timestamp)
headers = {
'Content-Type': 'application/json',
'User-Agent': 'SmoothSchedule-Webhook/1.0',
'X-Webhook-ID': payload['id'],
'X-Webhook-Timestamp': str(timestamp),
'X-Webhook-Signature': signature,
'X-Webhook-Test': 'true',
}
try:
response = requests.post(
subscription.url,
data=payload_json,
headers=headers,
timeout=30,
)
if 200 <= response.status_code < 300:
return {
'success': True,
'status_code': response.status_code,
'message': 'Test webhook delivered successfully',
}
else:
return {
'success': False,
'status_code': response.status_code,
'message': f'Endpoint returned HTTP {response.status_code}',
}
except requests.exceptions.Timeout:
return {
'success': False,
'status_code': None,
'message': 'Request timed out after 30 seconds',
}
except requests.exceptions.ConnectionError:
return {
'success': False,
'status_code': None,
'message': 'Could not connect to the webhook URL',
}
except Exception as e:
return {
'success': False,
'status_code': None,
'message': f'Error: {str(e)[:200]}',
}

48
smoothschedule/smoothschedule/users/api_views.py
View File

@@ -224,11 +224,12 @@ def hijack_acquire_view(request):
Masquerade as another user (hijack).
POST /api/auth/hijack/acquire/
Body: { "user_pk": <user_id> }
Body: { "user_pk": <user_id>, "hijack_history": [...] }
Returns new auth token for the hijacked user along with the hijack history.
Supports multi-level masquerading - permissions are checked against the
ORIGINAL user (first in the stack), not the currently masquerading user.
"""
# Debug logging
import logging
logger = logging.getLogger(__name__)
logger.warning(f"Hijack API called. User authenticated: {request.user.is_authenticated}, User: {request.user}")
@@ -240,27 +241,39 @@ def hijack_acquire_view(request):
hijacker = request.user
hijacked = get_object_or_404(User, pk=user_pk)
logger.warning(f"Hijack attempt: hijacker={hijacker.email} (role={hijacker.role}), hijacked={hijacked.email} (role={hijacked.role})")
# Get the hijack history from the request
hijack_history = request.data.get('hijack_history', [])
logger.warning(f"hijack_history length: {len(hijack_history)}")
# Check permission
can_hijack_result = can_hijack(hijacker, hijacked)
# For multi-level masquerading, check permissions against the ORIGINAL user
# (the first user in the masquerade chain, or the current user if no chain)
if hijack_history:
original_user_id = hijack_history[0].get('user_id')
original_user = get_object_or_404(User, pk=original_user_id)
permission_checker = original_user
logger.warning(f"Multi-level masquerade: checking permissions for original user {original_user.email}")
else:
permission_checker = hijacker
logger.warning(f"First-level masquerade: checking permissions for {hijacker.email}")
logger.warning(f"Hijack attempt: permission_checker={permission_checker.email} (role={permission_checker.role}), hijacked={hijacked.email} (role={hijacked.role})")
# Check permission against the original user in the chain
can_hijack_result = can_hijack(permission_checker, hijacked)
logger.warning(f"can_hijack result: {can_hijack_result}")
if not can_hijack_result:
logger.warning(f"Hijack DENIED: {hijacker.email} -> {hijacked.email}")
logger.warning(f"Hijack DENIED: {permission_checker.email} -> {hijacked.email}")
return Response(
{"error": f"You do not have permission to masquerade as this user."},
status=status.HTTP_403_FORBIDDEN
)
# Get or build hijack history from request
hijack_history = request.data.get('hijack_history', [])
logger.warning(f"hijack_history length: {len(hijack_history)}")
# Don't allow hijacking while already hijacked (max depth 1)
if len(hijack_history) > 0:
logger.warning("Hijack denied - already masquerading")
# Enforce maximum masquerade depth (prevent infinite chains)
MAX_MASQUERADE_DEPTH = 5
if len(hijack_history) >= MAX_MASQUERADE_DEPTH:
logger.warning(f"Hijack denied - max depth ({MAX_MASQUERADE_DEPTH}) reached")
return Response(
{"error": "Cannot start a new masquerade session while already masquerading. Please exit your current session first."},
{"error": f"Maximum masquerade depth ({MAX_MASQUERADE_DEPTH}) reached."},
status=status.HTTP_403_FORBIDDEN
)
@@ -286,7 +299,8 @@ def hijack_acquire_view(request):
'customer': 'customer',
}
new_history = [{
# Append current user to the history (don't overwrite existing history)
new_history = hijack_history + [{
'user_id': hijacker.id,
'username': hijacker.username,
'role': role_mapping.get(hijacker.role.lower(), hijacker.role.lower()),
@@ -624,6 +638,9 @@ def accept_invitation_view(request, token):
username = f"{base_username}{counter}"
counter += 1
# Determine sandbox mode from request (set by middleware)
is_sandbox = getattr(request, 'sandbox_mode', False)
user = User.objects.create_user(
username=username,
email=invitation.email,
@@ -634,6 +651,7 @@ def accept_invitation_view(request, token):
tenant=invitation.tenant,
email_verified=True, # Email is verified since they received the invitation
permissions=invitation.permissions, # Copy permissions from invitation
is_sandbox=is_sandbox, # Isolate staff in sandbox mode
)
# Mark invitation as accepted

18
smoothschedule/smoothschedule/users/migrations/0007_add_is_sandbox_to_user.py Normal file
View File

@@ -0,0 +1,18 @@
# Generated by Django 5.2.8 on 2025-11-28 20:24
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
('users', '0006_add_permissions_to_user'),
]
operations = [
migrations.AddField(
model_name='user',
name='is_sandbox',
field=models.BooleanField(default=False, help_text='True for sandbox/test mode users - isolated from live data'),
),
]

6
smoothschedule/smoothschedule/users/models.py
View File

@@ -61,6 +61,12 @@ class User(AbstractUser):
help_text="Whether user has verified their email address"
)
# Sandbox/Test mode flag
is_sandbox = models.BooleanField(
default=False,
help_text="True for sandbox/test mode users - isolated from live data"
)
# Additional profile fields
phone = models.CharField(max_length=20, blank=True)
job_title = models.CharField(max_length=100, blank=True)

18
smoothschedule/tickets/migrations/0003_ticket_is_sandbox.py Normal file
View File

@@ -0,0 +1,18 @@
# Generated by Django 5.2.8 on 2025-11-28 20:47
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
('tickets', '0002_cannedresponse_tickettemplate_ticket_due_at_and_more'),
]
operations = [
migrations.AddField(
model_name='ticket',
name='is_sandbox',
field=models.BooleanField(default=False, help_text='True for sandbox/test mode tickets - isolated from live data'),
),
]

4
smoothschedule/tickets/models.py
View File

@@ -61,6 +61,10 @@ class Ticket(models.Model):
blank=True, # For platform-level tickets created by platform admins, tenant might be null
help_text="The tenant (business) this ticket belongs to. Null for platform-level tickets."
)
is_sandbox = models.BooleanField(
default=False,
help_text="True for sandbox/test mode tickets - isolated from live data"
)
creator = models.ForeignKey(
User,
on_delete=models.SET_NULL,

2
smoothschedule/tickets/serializers.py
View File

@@ -71,7 +71,7 @@ class TicketListSerializer(serializers.ModelSerializer):
fields = [
'id', 'tenant', 'creator', 'creator_email', 'creator_full_name',
'assignee', 'assignee_email', 'assignee_full_name',
'ticket_type', 'status', 'priority', 'subject', 'category',
'ticket_type', 'status', 'priority', 'subject', 'description', 'category',
'related_appointment_id', 'due_at', 'first_response_at', 'is_overdue',
'created_at', 'updated_at', 'resolved_at'
]

28
smoothschedule/tickets/views.py
View File

@@ -83,15 +83,24 @@ class TicketViewSet(viewsets.ModelViewSet):
def get_queryset(self):
"""
Filter tickets based on user role and ticket type.
Filter tickets based on user role, ticket type, and sandbox mode.
- Platform Admins see ONLY PLATFORM tickets (support requests from business users)
- Tenant Owners/Managers/Staff see CUSTOMER, STAFF_REQUEST, INTERNAL tickets for their tenant
plus PLATFORM tickets they created (to track their own support requests)
- Customers see only CUSTOMER tickets they created
- All users see only tickets matching their sandbox mode (live vs test)
"""
user = self.request.user
queryset = super().get_queryset()
# Filter by sandbox mode - check request.sandbox_mode set by middleware
# Platform tickets are NOT filtered by sandbox mode (they're always live)
is_sandbox = getattr(self.request, 'sandbox_mode', False)
queryset = queryset.filter(
Q(ticket_type=Ticket.TicketType.PLATFORM) | # Platform tickets always visible
Q(is_sandbox=is_sandbox) # Other tickets filtered by mode
)
if is_platform_admin(user):
# Platform admins ONLY see PLATFORM tickets (requests from business users)
# These are tickets where business users are asking the platform for help
@@ -99,8 +108,11 @@ class TicketViewSet(viewsets.ModelViewSet):
ticket_type=Ticket.TicketType.PLATFORM,
tenant__isnull=False # Must have a tenant (from a business user)
)
elif is_customer(user):
# Customers can only see tickets they personally created
queryset = queryset.filter(creator=user)
elif hasattr(user, 'tenant') and user.tenant:
# Tenant-level users see:
# Tenant-level users (owners, managers, staff) see:
# 1. CUSTOMER, STAFF_REQUEST, INTERNAL tickets for their tenant
# 2. PLATFORM tickets they personally created (to track their support requests)
tenant_tickets = Q(
@@ -117,7 +129,7 @@ class TicketViewSet(viewsets.ModelViewSet):
)
queryset = queryset.filter(tenant_tickets | own_platform_tickets).distinct()
else:
# Regular users (e.g., customers without an associated tenant)
# Regular users without an associated tenant
# They should only see tickets they created
queryset = queryset.filter(creator=user)
@@ -144,7 +156,15 @@ class TicketViewSet(viewsets.ModelViewSet):
def perform_create(self, serializer):
# Creator is automatically set by the serializer
# Tenant is automatically set by the serializer for non-platform tickets
serializer.save()
# Set sandbox mode based on current request context
is_sandbox = getattr(self.request, 'sandbox_mode', False)
# Platform tickets are always created in live mode (not sandbox)
ticket_type = serializer.validated_data.get('ticket_type', Ticket.TicketType.CUSTOMER)
if ticket_type == Ticket.TicketType.PLATFORM:
is_sandbox = False
serializer.save(is_sandbox=is_sandbox)
def perform_update(self, serializer):
# Prevent changing creator or tenant through update