Xendit webhook: metadata.app routing + survival audit log + rolling fallback file

Every Xendit invoice now carries metadata: { app: 'halobestie_v2' } so an
external webhook router (no DB access) can fan out v1/v2 traffic purely off
the echoed payload.

Every inbound webhook lands in a new webhook_logs table BEFORE auth or
business logic, so a forensic row survives 401/409/unknown/exception paths.
Primary fields are parsed as columns; raw_body keeps the full payload
verbatim. The handler captures outcome in closure-scoped vars and stamps
http_status/processing_result/processing_error in a single update before
the lone reply.send() — Fastify flushes reply.send() immediately, which
defeated the original finally-block stamp.

A non-UUID external_id no longer crashes the Postgres cast; it ACKs with
ignored_non_uuid_external_id so Xendit stops retrying legacy old-app IDs.

When the DB log itself fails, an optional rolling JSONL file sink absorbs
the event. Disabled by default — opt in via XENDIT_WEBHOOK_FALLBACK_ENABLED.
Naming: <NAME>-YYYY-MM-DD.jsonl in XENDIT_WEBHOOK_FALLBACK_DIR (default
./logs), basename XENDIT_WEBHOOK_FALLBACK_NAME (default
xendit-webhook-fallback). No stdout fallback by design.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/test/helpers/db.js

@@ -19,6 +19,7 @@ export const db = () => getDb()
  * force every test to re-create users (slow + noisy).
  */
 const TRUNCATE_TABLES = [
+  'webhook_logs',
   'pairing_failures',
   'payment_requests',
   'chat_request_notifications',

backend/test/routes/shared.payment-webhooks.routes.test.js

@@ -187,4 +187,179 @@ describe('POST /api/shared/payment/webhooks/xendit', () => {
     const [row] = await db()`SELECT status FROM payment_requests WHERE id = ${session.id}`
     expect(row.status).toBe(PaymentRequestStatus.PENDING)
   })
+
+  // --- Survival logging --------------------------------------------------
+  // Every inbound webhook lands in `webhook_logs` BEFORE auth/validation, so
+  // we keep a forensic record on rejects, unknown payments, and exceptions.
+  describe('webhook_logs survival audit', () => {
+    const latestLog = async () => {
+      const rows = await db()`SELECT * FROM webhook_logs ORDER BY received_at DESC LIMIT 1`
+      return rows[0]
+    }
+
+    it('PAID: logs row with parsed primary fields + outcome stamped', async () => {
+      const session = await requestPayment({
+        productType: 'chat_session',
+        customerId: customer.id, durationMinutes: 12, amount: 50_000,
+      })
+
+      await fireWebhook(app, {
+        id: 'inv_log_paid',
+        external_id: session.id,
+        status: 'PAID',
+        amount: 50_000,
+        currency: 'IDR',
+        payment_method: 'BCA',
+        paid_at: '2026-05-25T10:00:00.000Z',
+        metadata: { app: 'halobestie_v2' },
+      })
+
+      const log = await latestLog()
+      expect(log.provider).toBe('xendit')
+      expect(log.callback_token_valid).toBe(true)
+      expect(log.xendit_event_id).toBe('inv_log_paid')
+      expect(log.external_id).toBe(session.id)
+      expect(log.payment_request_id).toBe(session.id)
+      expect(log.status).toBe('PAID')
+      expect(Number(log.amount)).toBe(50_000)
+      expect(log.currency).toBe('IDR')
+      expect(log.payment_method).toBe('BCA')
+      expect(log.paid_at).not.toBeNull()
+      expect(log.metadata_app).toBe('halobestie_v2')
+      expect(log.http_status).toBe(200)
+      expect(log.processing_result).toBe('confirmed')
+      expect(log.processing_error).toBeNull()
+      expect(log.processed_at).not.toBeNull()
+      // raw_body is verbatim — unknown future fields would land here
+      expect(log.raw_body.metadata.app).toBe('halobestie_v2')
+    })
+
+    it('401 invalid token still logs a row with callback_token_valid=false', async () => {
+      const res = await fireWebhook(
+        app,
+        { id: 'inv_log_401', external_id: 'whatever', status: 'PAID', amount: 1 },
+        'wrong-token-but-same-length-padding',
+      )
+      expect(res.statusCode).toBe(401)
+
+      const log = await latestLog()
+      expect(log.callback_token_valid).toBe(false)
+      expect(log.http_status).toBe(401)
+      expect(log.processing_result).toBe('rejected_invalid_token')
+      // Raw body still captured even though the request was rejected
+      expect(log.raw_body.id).toBe('inv_log_401')
+    })
+
+    it('redacts x-callback-token in stored headers', async () => {
+      await fireWebhook(app, { id: 'inv_redact', external_id: 'x', status: 'PAID', amount: 1 })
+      const log = await latestLog()
+      expect(log.headers['x-callback-token']).toBe('[REDACTED]')
+      // Non-secret headers are kept (e.g. content-type)
+      expect(log.headers['content-type']).toMatch(/application\/json/)
+    })
+
+    it('amount mismatch (409) logs rejected_amount_mismatch', async () => {
+      const session = await requestPayment({
+        productType: 'chat_session',
+        customerId: customer.id, durationMinutes: 12, amount: 50_000,
+      })
+      const res = await fireWebhook(app, {
+        id: 'inv_log_mismatch', external_id: session.id, status: 'PAID', amount: 999,
+      })
+      expect(res.statusCode).toBe(409)
+
+      const log = await latestLog()
+      expect(log.http_status).toBe(409)
+      expect(log.processing_result).toBe('rejected_amount_mismatch')
+      expect(Number(log.amount)).toBe(999)
+    })
+
+    it('unknown payment_request still logs ignored_unknown_payment_request', async () => {
+      await fireWebhook(app, {
+        id: 'inv_log_orphan',
+        external_id: '00000000-0000-0000-0000-000000000000',
+        status: 'PAID',
+        amount: 50_000,
+      })
+      const log = await latestLog()
+      expect(log.processing_result).toBe('ignored_unknown_payment_request')
+      expect(log.payment_request_id).toBe('00000000-0000-0000-0000-000000000000')
+    })
+
+    it('missing external_id logs ignored_no_external_id with payment_request_id NULL', async () => {
+      await fireWebhook(app, { id: 'evt_nox', status: 'SOMETHING' })
+      const log = await latestLog()
+      expect(log.processing_result).toBe('ignored_no_external_id')
+      expect(log.external_id).toBeNull()
+      expect(log.payment_request_id).toBeNull()
+    })
+
+    it('non-UUID external_id ACKs 200 and logs ignored_non_uuid_external_id', async () => {
+      const res = await fireWebhook(app, {
+        id: 'inv_log_legacy',
+        external_id: 'legacy-old-app-id-42',
+        status: 'PAID',
+        amount: 1,
+      })
+      expect(res.statusCode).toBe(200)
+      expect(res.json().ignored).toBe('non_uuid_external_id')
+
+      const log = await latestLog()
+      expect(log.external_id).toBe('legacy-old-app-id-42')
+      expect(log.payment_request_id).toBeNull()
+      expect(log.processing_result).toBe('ignored_non_uuid_external_id')
+      expect(log.http_status).toBe(200)
+    })
+
+    it('logs raw_body verbatim including unknown fields', async () => {
+      const session = await requestPayment({
+        productType: 'chat_session',
+        customerId: customer.id, durationMinutes: 12, amount: 50_000,
+      })
+      await fireWebhook(app, {
+        id: 'inv_log_extra',
+        external_id: session.id,
+        status: 'PAID',
+        amount: 50_000,
+        future_field_we_dont_know_yet: { nested: ['anything', 42] },
+        metadata: { app: 'halobestie_v2', extra: 'preserved' },
+      })
+      const log = await latestLog()
+      expect(log.raw_body.future_field_we_dont_know_yet.nested).toEqual(['anything', 42])
+      expect(log.raw_body.metadata.extra).toBe('preserved')
+      expect(log.metadata_app).toBe('halobestie_v2')
+    })
+
+    it('survives processing exceptions: logs processing_error + http_status=500', async () => {
+      // Force an exception by stubbing getPayment to throw. The survival
+      // contract is that even when the handler errors, the forensic row is
+      // intact and stamped — Xendit will retry on its own, but we have the
+      // record either way.
+      const paymentSvc = await import('../../src/services/payment.service.js')
+      const orig = paymentSvc.getPayment
+      const stub = vi.spyOn(paymentSvc, 'getPayment').mockImplementation(async () => {
+        throw new Error('synthetic_db_outage')
+      })
+      try {
+        const res = await fireWebhook(app, {
+          id: 'inv_boom',
+          external_id: '11111111-1111-1111-1111-111111111111',
+          status: 'PAID',
+          amount: 50_000,
+        })
+        expect(res.statusCode).toBe(500)
+
+        const log = await latestLog()
+        expect(log.http_status).toBe(500)
+        expect(log.processing_result).toBe('error')
+        expect(log.processing_error).toBe('synthetic_db_outage')
+        expect(log.xendit_event_id).toBe('inv_boom')
+        // Raw body is still there even though processing blew up
+        expect(log.raw_body.id).toBe('inv_boom')
+      } finally {
+        stub.mockRestore()
+        void orig
+      }
+    })
+  })
 })

backend/test/services/webhook-log.service.test.js

@@ -0,0 +1,184 @@
+import { describe, it, expect, afterEach, beforeEach } from 'vitest'
+import { mkdtemp, readFile, rm, readdir } from 'node:fs/promises'
+import { tmpdir } from 'node:os'
+import path from 'node:path'
+
+const {
+  rollingFallbackFilename,
+  getWebhookFallbackConfig,
+  writeWebhookFallback,
+  sanitizeHeaders,
+} = await import('../../src/services/webhook-log.service.js')
+
+describe('webhook-log.service helpers', () => {
+  describe('sanitizeHeaders', () => {
+    it('redacts secret-bearing headers but keeps their names', () => {
+      const out = sanitizeHeaders({
+        'x-callback-token': 'shhhh',
+        'Authorization': 'Bearer abc',
+        'cookie': 'sid=xyz',
+        'content-type': 'application/json',
+        'x-request-id': 'req-1',
+      })
+      expect(out['x-callback-token']).toBe('[REDACTED]')
+      expect(out['authorization']).toBe('[REDACTED]')
+      expect(out['cookie']).toBe('[REDACTED]')
+      expect(out['content-type']).toBe('application/json')
+      expect(out['x-request-id']).toBe('req-1')
+    })
+
+    it('lowercases keys so lookups are consistent', () => {
+      const out = sanitizeHeaders({ 'X-Callback-Token': 't', 'Content-Type': 'app/json' })
+      expect(out['x-callback-token']).toBe('[REDACTED]')
+      expect(out['content-type']).toBe('app/json')
+      expect(out['X-Callback-Token']).toBeUndefined()
+    })
+  })
+
+  describe('rollingFallbackFilename', () => {
+    it('produces "<name>-YYYY-MM-DD.jsonl" using UTC day boundary', () => {
+      const d = new Date(Date.UTC(2026, 4, 25, 10, 30))
+      expect(rollingFallbackFilename('xendit', d)).toBe('xendit-2026-05-25.jsonl')
+    })
+
+    it('zero-pads single-digit months and days', () => {
+      const d = new Date(Date.UTC(2026, 0, 3, 0, 0))
+      expect(rollingFallbackFilename('wh', d)).toBe('wh-2026-01-03.jsonl')
+    })
+
+    it('a date right before UTC midnight stays on the current day', () => {
+      const d = new Date(Date.UTC(2026, 4, 25, 23, 59, 59))
+      expect(rollingFallbackFilename('x', d)).toBe('x-2026-05-25.jsonl')
+    })
+  })
+
+  describe('getWebhookFallbackConfig', () => {
+    const originalEnv = { ...process.env }
+    afterEach(() => {
+      // Restore only the vars this suite touches — leaving the rest alone.
+      for (const k of ['XENDIT_WEBHOOK_FALLBACK_ENABLED', 'XENDIT_WEBHOOK_FALLBACK_DIR', 'XENDIT_WEBHOOK_FALLBACK_NAME']) {
+        if (originalEnv[k] === undefined) delete process.env[k]
+        else process.env[k] = originalEnv[k]
+      }
+    })
+
+    it('defaults to disabled with sensible dir/name', () => {
+      delete process.env.XENDIT_WEBHOOK_FALLBACK_ENABLED
+      delete process.env.XENDIT_WEBHOOK_FALLBACK_DIR
+      delete process.env.XENDIT_WEBHOOK_FALLBACK_NAME
+      expect(getWebhookFallbackConfig()).toEqual({
+        enabled: false,
+        dir: './logs',
+        name: 'xendit-webhook-fallback',
+      })
+    })
+
+    it('only the literal string "true" enables the sink', () => {
+      process.env.XENDIT_WEBHOOK_FALLBACK_ENABLED = '1'
+      expect(getWebhookFallbackConfig().enabled).toBe(false)
+      process.env.XENDIT_WEBHOOK_FALLBACK_ENABLED = 'yes'
+      expect(getWebhookFallbackConfig().enabled).toBe(false)
+      process.env.XENDIT_WEBHOOK_FALLBACK_ENABLED = 'true'
+      expect(getWebhookFallbackConfig().enabled).toBe(true)
+    })
+
+    it('honors custom dir/name', () => {
+      process.env.XENDIT_WEBHOOK_FALLBACK_ENABLED = 'true'
+      process.env.XENDIT_WEBHOOK_FALLBACK_DIR = '/var/log/webhooks'
+      process.env.XENDIT_WEBHOOK_FALLBACK_NAME = 'xendit-prod'
+      expect(getWebhookFallbackConfig()).toEqual({
+        enabled: true,
+        dir: '/var/log/webhooks',
+        name: 'xendit-prod',
+      })
+    })
+  })
+
+  describe('writeWebhookFallback', () => {
+    let workDir
+    const originalEnv = { ...process.env }
+
+    beforeEach(async () => {
+      workDir = await mkdtemp(path.join(tmpdir(), 'webhook-fallback-'))
+    })
+
+    afterEach(async () => {
+      for (const k of ['XENDIT_WEBHOOK_FALLBACK_ENABLED', 'XENDIT_WEBHOOK_FALLBACK_DIR', 'XENDIT_WEBHOOK_FALLBACK_NAME']) {
+        if (originalEnv[k] === undefined) delete process.env[k]
+        else process.env[k] = originalEnv[k]
+      }
+      await rm(workDir, { recursive: true, force: true })
+    })
+
+    it('returns false and writes nothing when disabled', async () => {
+      delete process.env.XENDIT_WEBHOOK_FALLBACK_ENABLED
+      const ok = await writeWebhookFallback({
+        provider: 'xendit',
+        headers: { 'content-type': 'application/json' },
+        rawBody: { id: 'inv_x' },
+        callbackTokenValid: true,
+      })
+      expect(ok).toBe(false)
+      expect(await readdir(workDir)).toEqual([])
+    })
+
+    it('appends one JSONL line per call to the rolling daily file', async () => {
+      process.env.XENDIT_WEBHOOK_FALLBACK_ENABLED = 'true'
+      process.env.XENDIT_WEBHOOK_FALLBACK_DIR = workDir
+      process.env.XENDIT_WEBHOOK_FALLBACK_NAME = 'test-fallback'
+
+      await writeWebhookFallback({
+        provider: 'xendit',
+        headers: { 'content-type': 'application/json', 'x-callback-token': '[REDACTED]' },
+        rawBody: { id: 'inv_a', external_id: 'pr-1', status: 'PAID' },
+        callbackTokenValid: true,
+        dbErrorMessage: 'connection refused',
+      })
+      await writeWebhookFallback({
+        provider: 'xendit',
+        headers: {},
+        rawBody: { id: 'inv_b', status: 'EXPIRED' },
+        callbackTokenValid: false,
+      })
+
+      const files = await readdir(workDir)
+      expect(files).toHaveLength(1)
+      expect(files[0]).toMatch(/^test-fallback-\d{4}-\d{2}-\d{2}\.jsonl$/)
+
+      const contents = await readFile(path.join(workDir, files[0]), 'utf8')
+      const lines = contents.trim().split('\n')
+      expect(lines).toHaveLength(2)
+
+      const first = JSON.parse(lines[0])
+      expect(first.provider).toBe('xendit')
+      expect(first.callback_token_valid).toBe(true)
+      expect(first.raw_body.id).toBe('inv_a')
+      expect(first.raw_body.external_id).toBe('pr-1')
+      expect(first.db_error).toBe('connection refused')
+      expect(first.headers['x-callback-token']).toBe('[REDACTED]')
+      expect(first.received_at).toMatch(/^\d{4}-\d{2}-\d{2}T/)
+
+      const second = JSON.parse(lines[1])
+      expect(second.raw_body.id).toBe('inv_b')
+      expect(second.callback_token_valid).toBe(false)
+      expect(second.db_error).toBeNull()
+    })
+
+    it('creates the destination directory if it does not exist', async () => {
+      process.env.XENDIT_WEBHOOK_FALLBACK_ENABLED = 'true'
+      const nested = path.join(workDir, 'does', 'not', 'exist', 'yet')
+      process.env.XENDIT_WEBHOOK_FALLBACK_DIR = nested
+      process.env.XENDIT_WEBHOOK_FALLBACK_NAME = 'nested'
+
+      const ok = await writeWebhookFallback({
+        provider: 'xendit',
+        headers: {},
+        rawBody: { id: 'inv_n' },
+        callbackTokenValid: true,
+      })
+      expect(ok).toBe(true)
+      const files = await readdir(nested)
+      expect(files).toHaveLength(1)
+    })
+  })
+})