Switch Evotor integration to webhook-based token delivery flow

Replace OAuth 2.0 authorization code flow with Evotor's proprietary webhook token delivery: POST /evotor/callback receives token server-to-server, GET /evotor/link links it to the logged-in user's account. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-09 17:18:25 +03:00
parent 69e21a18c9
commit e376c86fbe
7 changed files with 208 additions and 85 deletions
--- a/.env.example
+++ b/.env.example
@@ -2,6 +2,9 @@ DATABASE_URL=mysql+pymysql://evosync:evosync@db:3306/evosync
 SECRET_KEY=your-random-secret-key-here
 BASE_URL=http://localhost:8000

+EVOTOR_APP_ID=your-evotor-app-id
+EVOTOR_WEBHOOK_SECRET=your-webhook-secret
+
 DB_ROOT_PASSWORD=rootpass
 DB_NAME=evosync
 DB_USER=evosync
--- a/scripts/evotor-get-token.sh
+++ b/scripts/evotor-get-token.sh
@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+# Obtain an Evotor developer access token via password grant (no browser required).
+# Uses dev.evotor.ru credentials (your Evotor developer account).
+#
+# Usage: ./scripts/evotor-get-token.sh
+
+set -euo pipefail
+
+# Load .env if present
+if [[ -f .env ]]; then
+    set -a; source .env; set +a
+fi
+
+EVOTOR_TOKEN_URL="https://dev.evotor.ru/oauth/token"
+
+# Prompt for credentials
+read -rp "Evotor developer login (email): " EVOTOR_LOGIN
+read -rsp "Evotor developer password: " EVOTOR_PASSWORD
+echo
+
+echo
+echo "A 2FA code will be sent to your email if this IP is not recognized."
+read -rp "2FA code (leave blank if not required): " EVOTOR_2FA
+
+# Build request body
+BODY="type=LOGIN&grant_type=password&client_id=Evo-UI&username=$(python3 -c "import urllib.parse,sys; print(urllib.parse.quote(sys.argv[1]))" "$EVOTOR_LOGIN")&password=$(python3 -c "import urllib.parse,sys; print(urllib.parse.quote(sys.argv[1]))" "$EVOTOR_PASSWORD")"
+
+EXTRA_HEADERS=()
+if [[ -n "$EVOTOR_2FA" ]]; then
+    EXTRA_HEADERS+=(-H "2fa_confirmation: $EVOTOR_2FA")
+fi
+
+echo
+echo "Requesting token..."
+RESPONSE=$(curl -s -X POST "$EVOTOR_TOKEN_URL" \
+    -H "Content-Type: application/x-www-form-urlencoded" \
+    "${EXTRA_HEADERS[@]}" \
+    -d "$BODY")
+
+echo
+echo "Response:"
+echo "$RESPONSE" | python3 -m json.tool 2>/dev/null || echo "$RESPONSE"
+
+ACCESS_TOKEN=$(echo "$RESPONSE" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('access_token',''))" 2>/dev/null || true)
+
+if [[ -z "$ACCESS_TOKEN" ]]; then
+    echo
+    echo "ERROR: No access_token in response." >&2
+    exit 1
+fi
+
+echo
+echo "Access token:"
+echo "$ACCESS_TOKEN"
+echo
+echo "To save this token to .env, add or update:"
+echo "  EVOTOR_ACCESS_TOKEN=$ACCESS_TOKEN"
--- a/web/config.py
+++ b/web/config.py
@@ -7,9 +7,8 @@ class Settings(BaseSettings):
    BASE_URL: str = "http://localhost:8080"
    PASSWORD_RESET_EXPIRE_MINUTES: int = 60

-    EVOTOR_CLIENT_ID: str = ""
-    EVOTOR_CLIENT_SECRET: str = ""
-    EVOTOR_SCOPES: str = "store:read product:read"
+    EVOTOR_APP_ID: str = ""
+    EVOTOR_WEBHOOK_SECRET: str = ""

    HEALTH_CHECK_INTERVAL_SECONDS: int = 600

--- a/web/migrations/versions/f6a7b8c9d0e1_evotor_webhook_token_flow.py
+++ b/web/migrations/versions/f6a7b8c9d0e1_evotor_webhook_token_flow.py
@@ -0,0 +1,32 @@
+"""evotor webhook token flow: add evotor_user_id, make user_id nullable
+
+Revision ID: f6a7b8c9d0e1
+Revises: e5f6a7b8c9d0
+Branch Labels: None
+Depends On: None
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+revision = 'f6a7b8c9d0e1'
+down_revision = 'e5f6a7b8c9d0'
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    op.add_column('evotor_connections',
+        sa.Column('evotor_user_id', sa.String(255), nullable=True))
+    op.create_unique_constraint('uq_evotor_connections_evotor_user_id',
+        'evotor_connections', ['evotor_user_id'])
+    op.create_index('ix_evotor_connections_evotor_user_id',
+        'evotor_connections', ['evotor_user_id'])
+    op.alter_column('evotor_connections', 'user_id', nullable=True)
+
+
+def downgrade() -> None:
+    op.alter_column('evotor_connections', 'user_id', nullable=False)
+    op.drop_index('ix_evotor_connections_evotor_user_id', 'evotor_connections')
+    op.drop_constraint('uq_evotor_connections_evotor_user_id', 'evotor_connections')
+    op.drop_column('evotor_connections', 'evotor_user_id')
--- a/web/models.py
+++ b/web/models.py
@@ -33,7 +33,8 @@ class EvotorConnection(Base):
    __tablename__ = "evotor_connections"

    id = Column(Integer, primary_key=True, autoincrement=True)
-    user_id = Column(Integer, ForeignKey("users.id", ondelete="CASCADE"), unique=True, nullable=False)
+    user_id = Column(Integer, ForeignKey("users.id", ondelete="CASCADE"), unique=True, nullable=True)
+    evotor_user_id = Column(String(255), unique=True, nullable=True, index=True)
    access_token = Column(Text, nullable=False)
    store_id = Column(String(255), nullable=True)
    store_name = Column(String(255), nullable=True)
--- a/web/routes/evotor.py
+++ b/web/routes/evotor.py
@@ -1,12 +1,11 @@
-import secrets
 import logging
 import httpx

-from fastapi import APIRouter, Request, Depends
-
-logger = logging.getLogger(__name__)
-from fastapi.responses import RedirectResponse
+from datetime import datetime, timedelta
+from fastapi import APIRouter, Request, Depends, HTTPException
+from fastapi.responses import RedirectResponse, JSONResponse
 from fastapi.templating import Jinja2Templates
+from pydantic import BaseModel
 from sqlalchemy.orm import Session

 from web.auth import get_current_user
@@ -14,16 +13,16 @@ from web.config import settings
 from web.database import get_db
 from web.models import User, EvotorConnection

+logger = logging.getLogger(__name__)
+
 router = APIRouter(prefix="/evotor")
 templates = Jinja2Templates(directory="web/templates")

-EVOTOR_AUTHORIZE_URL = "https://oauth.evotor.ru/oauth/authorize"
-EVOTOR_TOKEN_URL = "https://oauth.evotor.ru/oauth/token"
+EVOTOR_LOGIN_URL = "https://market.evotor.ru/#/store/auth/login"
 EVOTOR_STORES_URL = "https://api.evotor.ru/stores"

-
-def _redirect_uri() -> str:
-    return f"{settings.BASE_URL}/evotor/callback"
+# Pending connections older than this are ignored during linking
+PENDING_LINK_WINDOW_SECONDS = 300


@router.get("")
@@ -50,72 +49,46 @@ def evotor_connect(request: Request, user: User | None = Depends(get_current_use
    if not user:
        return RedirectResponse("/login", 303)

-    state = secrets.token_urlsafe(32)
-    request.session["evotor_oauth_state"] = state
+    # Record when this user initiated a connect so we can link the incoming webhook
+    request.session["evotor_connect_user_id"] = user.id
+    request.session["evotor_connect_at"] = datetime.utcnow().isoformat()

-    params = (
-        f"?client_id={settings.EVOTOR_CLIENT_ID}"
-        f"&response_type=code"
-        f"&redirect_uri={_redirect_uri()}"
-        f"&scope={settings.EVOTOR_SCOPES.replace(' ', '%20')}"
-        f"&state={state}"
-    )
-    return RedirectResponse(EVOTOR_AUTHORIZE_URL + params, 302)
+    return RedirectResponse(EVOTOR_LOGIN_URL, 302)


-@router.get("/callback")
+class EvotorTokenPayload(BaseModel):
+    userId: str
+    token: str
+
+
+@router.post("/callback")
 async def evotor_callback(
    request: Request,
+    payload: EvotorTokenPayload,
    db: Session = Depends(get_db),
-    user: User | None = Depends(get_current_user),
 ):
-    if not user:
-        return RedirectResponse("/login", 303)
+    """
+    Webhook endpoint: Evotor POSTs {"userId": "...", "token": "..."} here
+    after the user authorizes the app in their Evotor account.
+    """
+    # Verify the Authorization header matches our configured webhook secret
+    if settings.EVOTOR_WEBHOOK_SECRET:
+        auth_header = request.headers.get("Authorization", "")
+        expected = f"Bearer {settings.EVOTOR_WEBHOOK_SECRET}"
+        if auth_header != expected:
+            logger.warning("Evotor webhook: invalid Authorization header")
+            raise HTTPException(status_code=401, detail="Unauthorized")

-    code = request.query_params.get("code")
-    state = request.query_params.get("state")
-    saved_state = request.session.pop("evotor_oauth_state", None)
+    now = datetime.utcnow()

-    if not code or not state or state != saved_state:
-        return RedirectResponse("/evotor?error=invalid_state", 303)
-
-    # Exchange code for access token
-    try:
-        async with httpx.AsyncClient() as client:
-            token_response = await client.post(
-                EVOTOR_TOKEN_URL,
-                data={
-                    "grant_type": "authorization_code",
-                    "code": code,
-                    "redirect_uri": _redirect_uri(),
-                    "client_id": settings.EVOTOR_CLIENT_ID,
-                    "client_secret": settings.EVOTOR_CLIENT_SECRET,
-                },
-                timeout=15,
-            )
-            token_response.raise_for_status()
-            token_data = token_response.json()
-    except httpx.HTTPStatusError as e:
-        logger.error("Evotor token exchange HTTP error %s: %s", e.response.status_code, e.response.text)
-        return RedirectResponse("/evotor?error=token_exchange", 303)
-    except Exception as e:
-        logger.error("Evotor token exchange failed: %s", e, exc_info=True)
-        return RedirectResponse("/evotor?error=token_exchange", 303)
-
-    access_token = token_data.get("access_token")
-    refresh_token = token_data.get("refresh_token")
-    expires_in = token_data.get("expires_in")
-    if not access_token:
-        return RedirectResponse("/evotor?error=no_token", 303)
-
-    # Fetch first store to save store info
+    # Fetch store info using the received token
    store_id = None
    store_name = None
    try:
        async with httpx.AsyncClient() as client:
            stores_response = await client.get(
                EVOTOR_STORES_URL,
-                headers={"Authorization": f"Bearer {access_token}"},
+                headers={"Authorization": f"Bearer {payload.token}"},
                timeout=15,
            )
            if stores_response.status_code == 200:
@@ -125,34 +98,88 @@ async def evotor_callback(
                    store_id = items[0].get("uuid") or items[0].get("id")
                    store_name = items[0].get("name")
    except Exception:
-        pass  # Store info is optional; token is still saved
+        pass  # Store info is optional

-    # Save or update connection
-    from datetime import datetime, timedelta
-    now = datetime.utcnow()
-    token_expires_at = now + timedelta(seconds=expires_in) if expires_in else None
+    # Upsert by evotor_user_id (user_id stays NULL until /evotor/link is called)
+    connection = db.query(EvotorConnection).filter(
+        EvotorConnection.evotor_user_id == payload.userId
+    ).first()

-    connection = db.query(EvotorConnection).filter(EvotorConnection.user_id == user.id).first()
    if connection:
-        connection.access_token = access_token
-        connection.refresh_token = refresh_token
-        connection.token_expires_at = token_expires_at
+        connection.access_token = payload.token
        connection.store_id = store_id
        connection.store_name = store_name
        connection.is_online = True
        connection.last_checked_at = now
+        connection.updated_at = now
    else:
        connection = EvotorConnection(
-            user_id=user.id,
-            access_token=access_token,
-            refresh_token=refresh_token,
-            token_expires_at=token_expires_at,
+            evotor_user_id=payload.userId,
+            access_token=payload.token,
            store_id=store_id,
            store_name=store_name,
            is_online=True,
            last_checked_at=now,
        )
        db.add(connection)
+
+    db.commit()
+    logger.info("Evotor webhook: saved token for evotor_user_id=%s", payload.userId)
+
+    return JSONResponse({"status": "ok"})
+
+
+@router.get("/link")
+def evotor_link(
+    request: Request,
+    db: Session = Depends(get_db),
+    user: User | None = Depends(get_current_user),
+):
+    """
+    Called when the user returns to our app after authorizing on Evotor.
+    Links the most recently received unlinked token to this user.
+    """
+    if not user:
+        return RedirectResponse("/login", 303)
+
+    connect_user_id = request.session.pop("evotor_connect_user_id", None)
+    connect_at_str = request.session.pop("evotor_connect_at", None)
+
+    if not connect_user_id or connect_user_id != user.id or not connect_at_str:
+        return RedirectResponse("/evotor?error=session_expired", 303)
+
+    try:
+        connect_at = datetime.fromisoformat(connect_at_str)
+    except ValueError:
+        return RedirectResponse("/evotor?error=session_expired", 303)
+
+    cutoff = connect_at - timedelta(seconds=10)  # allow slight clock drift
+    now = datetime.utcnow()
+
+    if (now - connect_at).total_seconds() > PENDING_LINK_WINDOW_SECONDS:
+        return RedirectResponse("/evotor?error=link_timeout", 303)
+
+    # Find an unlinked connection received after the user clicked "Connect"
+    pending = (
+        db.query(EvotorConnection)
+        .filter(
+            EvotorConnection.user_id.is_(None),
+            EvotorConnection.connected_at >= cutoff,
+        )
+        .order_by(EvotorConnection.connected_at.desc())
+        .first()
+    )
+
+    if not pending:
+        return RedirectResponse("/evotor?error=token_not_received", 303)
+
+    # Detach any existing connection for this user
+    existing = db.query(EvotorConnection).filter(EvotorConnection.user_id == user.id).first()
+    if existing:
+        db.delete(existing)
+        db.flush()
+
+    pending.user_id = user.id
    db.commit()

    return RedirectResponse("/connections", 303)
--- a/web/templates/evotor.html
+++ b/web/templates/evotor.html
@@ -7,12 +7,12 @@

        {% if error %}
        <div class="alert alert-danger mt-4">
-            {% if error == "invalid_state" %}
-                <i class="bi bi-exclamation-triangle me-2"></i>Ошибка безопасности. Попробуйте подключить аккаунт заново.
-            {% elif error == "token_exchange" %}
-                <i class="bi bi-exclamation-triangle me-2"></i>Не удалось получить токен доступа от Эвотор. Попробуйте позже.
-            {% elif error == "no_token" %}
-                <i class="bi bi-exclamation-triangle me-2"></i>Эвотор не вернул токен доступа. Попробуйте позже.
+            {% if error == "token_not_received" %}
+                <i class="bi bi-exclamation-triangle me-2"></i>Токен от Эвотор ещё не получен. Убедитесь, что авторизация прошла успешно, и попробуйте снова.
+            {% elif error == "link_timeout" %}
+                <i class="bi bi-exclamation-triangle me-2"></i>Время ожидания истекло. Попробуйте подключить аккаунт заново.
+            {% elif error == "session_expired" %}
+                <i class="bi bi-exclamation-triangle me-2"></i>Сессия устарела. Попробуйте подключить аккаунт заново.
            {% else %}
                <i class="bi bi-exclamation-triangle me-2"></i>Произошла ошибка при подключении: {{ error }}
            {% endif %}
@@ -54,6 +54,9 @@
                    <button type="submit" class="btn btn-outline-danger w-100">Отключить аккаунт Эвотор</button>
                </form>
            </div>
+            <div class="card-footer text-muted small">
+                После переподключения нажмите <a href="/evotor/link">Подтвердить подключение</a>.
+            </div>

            {% else %}
            {# ── NOT CONNECTED STATE ── #}
@@ -67,8 +70,9 @@
                    <li>После подтверждения доступа синхронизация будет настроена автоматически</li>
                    <li>Вы можете отключить доступ в любой момент</li>
                </ul>
-                <div class="d-grid">
+                <div class="d-grid gap-2">
                    <a href="/evotor/connect" class="btn btn-primary btn-lg">Подключить Эвотор</a>
+                    <a href="/evotor/link" class="btn btn-outline-secondary">Уже авторизовался — подтвердить подключение</a>
                </div>
            </div>
            {% endif %}