chore: setup resend webhooks to get deliveredAt, linkClickedAt

Author: gregberge

.env.example

@@ -22,6 +22,7 @@ GITLAB_APP_SECRET=
 GITLAB_ARGOS_AUTH_SECRET=
 # Resend
 RESEND_API_KEY=
+RESEND_WEBHOOK_SECRET=
 # Discord
 DISCORD_WEBHOOK_URL=
 # GitHub SSO Stripe product id

apps/backend/db/migrations/20250111204217_user-notifications.js

@@ -31,8 +31,10 @@ export const up = async (knex) => {
     table.bigInteger("workflowId").index().notNullable();
     table.foreign("workflowId").references("notification_workflows.id");
     table.string("channel").notNullable();
+    table.dateTime("sentAt");
     table.dateTime("deliveredAt");
-    table.dateTime("seenAt");
+    table.dateTime("linkClickedAt");
+    table.string("externalId").index();
   });
 };
 

apps/backend/db/structure.sql

@@ -822,8 +822,10 @@ CREATE TABLE public.notification_messages (
     "userId" bigint NOT NULL,
     "workflowId" bigint NOT NULL,
     channel character varying(255) NOT NULL,
+    "sentAt" timestamp with time zone,
     "deliveredAt" timestamp with time zone,
-    "seenAt" timestamp with time zone
+    "linkClickedAt" timestamp with time zone,
+    "externalId" character varying(255)
 );
 
 
@@ -2233,6 +2235,13 @@ CREATE INDEX github_synchronizations_githubinstallationid_index ON public.github
 CREATE INDEX github_synchronizations_jobstatus_index ON public.github_synchronizations USING btree ("jobStatus");
 
 
+--
+-- Name: notification_messages_externalid_index; Type: INDEX; Schema: public; Owner: postgres
+--
+
+CREATE INDEX notification_messages_externalid_index ON public.notification_messages USING btree ("externalId");
+
+
 --
 -- Name: notification_messages_userid_index; Type: INDEX; Schema: public; Owner: postgres
 --

apps/backend/src/config/index.ts

@@ -92,6 +92,12 @@ const config = convict({
       default: "",
       env: "RESEND_API_KEY",
     },
+    webhookSecret: {
+      doc: "Resend webhook secret",
+      format: String,
+      default: "development",
+      env: "RESEND_WEBHOOK_SECRET",
+    },
   },
   s3: {
     screenshotsBucket: {

apps/backend/src/database/models/NotificationMessage.ts

@@ -23,17 +23,33 @@ export class NotificationMessage extends Model {
       userId: { type: "string" },
       workflowId: { type: "string" },
       channel: { type: "string", enum: channels as unknown as string[] },
+      sentAt: { type: ["string", "null"] },
       deliveredAt: { type: ["string", "null"] },
-      seenAt: { type: ["string", "null"] },
+      linkClickedAt: { type: ["string", "null"] },
+      externalId: { type: ["string", "null"] },
     },
   });
 
   jobStatus!: JobStatus;
   userId!: string;
   workflowId!: string;
   channel!: NotificationChannel;
+  /**
+   * Message has been processed and sent.
+   */
+  sentAt!: string | null;
+  /**
+   * Message has been delivered, example email delivered by our email provider.
+   */
   deliveredAt!: string | null;
-  seenAt!: string | null;
+  /**
+   * User clicked on a link in the message.
+   */
+  linkClickedAt!: string | null;
+  /**
+   * External ID from the provider, example Resend ID.
+   */
+  externalId!: string | null;
 
   static override get relationMappings(): RelationMappings {
     return {

apps/backend/src/email/send.ts

@@ -1,3 +1,4 @@
+import { render } from "@react-email/render";
 import { Resend } from "resend";
 
 import config from "@/config/index.js";
@@ -33,10 +34,11 @@ export async function sendEmail(options: {
   if (production) {
     if (!resend) {
       logger.error("Resend API key is missing");
-      return;
+      return null;
     }
   } else if (!resend) {
-    return;
+    return null;
   }
-  await resend.emails.send({ ...options, from: defaultFrom });
+  const text = await render(options.react, { plainText: true });
+  return resend.emails.send({ ...options, text, from: defaultFrom });
 }

apps/backend/src/notification/message-job.ts

@@ -37,11 +37,19 @@ async function processMessage(message: NotificationMessage) {
     },
   };
   const email = handler.email({ ...(data as any), ctx });
-  await sendEmail({
+
+  const result = await sendEmail({
     to,
     subject: email.subject,
     react: email.body,
   });
+
+  const externalId = (await result?.data?.id) ?? null;
+
+  // Mark the message as sent and store the external ID.
+  await message
+    .$query()
+    .patch({ sentAt: new Date().toISOString(), externalId });
 }
 
 /**

apps/backend/src/web/api/index.ts

@@ -1,6 +1,7 @@
 import { Application, Router } from "express";
 
 import { apiMiddleware as githubApiMiddleware } from "../middlewares/github.js";
+import { apiMiddleware as resendApiMiddleware } from "../middlewares/resend.js";
 import { subdomain } from "../util.js";
 import auth from "./auth.js";
 import builds from "./builds.js";
@@ -13,6 +14,7 @@ export const installApiRouter = (app: Application) => {
 
   router.use(status);
   router.use(githubApiMiddleware);
+  router.use(resendApiMiddleware);
   router.use("/v2", v2);
   router.use(builds);
   router.use(auth);

apps/backend/src/web/middlewares/resend.ts

@@ -0,0 +1,121 @@
+import crypto from "node:crypto";
+import { assertNever } from "@argos/util/assertNever";
+import { invariant } from "@argos/util/invariant";
+import express, { RequestHandler, Router } from "express";
+import { z } from "zod";
+
+import config from "@/config/index.js";
+import { NotificationMessage } from "@/database/models";
+
+import { asyncHandler } from "../util";
+
+const router = Router();
+
+const verifyWebhookSignature: RequestHandler = (req, res, next) => {
+  const secret = config.get("resend.webhookSecret");
+
+  if (!secret) {
+    res.status(400).send('Missing "resend.webhookSecret"');
+    return;
+  }
+
+  const svixId = req.headers["svix-id"];
+  const svixTimestamp = req.headers["svix-timestamp"];
+  const svixSignatureHeader = req.headers["svix-signature"];
+
+  if (
+    typeof svixId !== "string" ||
+    typeof svixTimestamp !== "string" ||
+    typeof svixSignatureHeader !== "string"
+  ) {
+    res.status(400).send("Missing headers");
+    return;
+  }
+
+  const svixSignatures = svixSignatureHeader.split(" ").map((s) => {
+    const [, value] = s.split(",");
+    if (!value) {
+      return null;
+    }
+    return value;
+  });
+
+  if (svixSignatures.some((s) => s === null)) {
+    res.status(400).send("Invalid signature header");
+    return;
+  }
+
+  const secretParts = secret.split("_");
+  invariant(secretParts[1], 'Secret must be in the format "whsec_<base64>"');
+  const secretBytes = Buffer.from(secretParts[1], "base64");
+  const message = `${svixId}.${svixTimestamp}.${req.body}`;
+
+  const expectedSignature = crypto
+    .createHmac("sha256", secretBytes)
+    .update(message)
+    .digest("base64");
+
+  if (!svixSignatures.includes(expectedSignature)) {
+    res.status(401).send("Invalid signature");
+    return;
+  }
+
+  next();
+};
+
+const EventSchema = z.object({
+  type: z.enum(["email.delivered", "email.clicked"]),
+  data: z.object({
+    email_id: z.string(),
+  }),
+});
+
+router.post(
+  "/resend/event-handler",
+  express.text({ type: "*/*" }),
+  verifyWebhookSignature,
+  asyncHandler(async (req, res) => {
+    const body = JSON.parse(req.body);
+    const parsed = EventSchema.safeParse(body);
+    if (!parsed.success) {
+      res.status(400).send("Invalid payload");
+      return;
+    }
+    const event = parsed.data;
+
+    const message = await NotificationMessage.query()
+      .where("channel", "email")
+      .where("externalId", event.data.email_id)
+      .first();
+
+    if (!message) {
+      res.status(200).send("Message not found");
+      return;
+    }
+
+    switch (event.type) {
+      case "email.delivered": {
+        if (!message.deliveredAt) {
+          await message
+            .$query()
+            .patch({ deliveredAt: new Date().toISOString() });
+        }
+        break;
+      }
+      case "email.clicked": {
+        if (!message.linkClickedAt) {
+          await message
+            .$query()
+            .patch({ linkClickedAt: new Date().toISOString() });
+        }
+        break;
+      }
+      default:
+        assertNever(event.type);
+    }
+
+    res.status(200).send("Message updated");
+  }),
+);
+
+export const apiMiddleware: Router = router;

package.json

@@ -8,6 +8,7 @@
     "e2e:setup": "NODE_ENV=test pnpm run --filter @argos/backend db:truncate && NODE_ENV=test pnpm run --filter @argos/backend db:seed",
     "e2e:start": "NODE_ENV=test playwright test",
     "setup": "turbo run setup",
+    "resend-webhook-proxy": "NODE_TLS_REJECT_UNAUTHORIZED=0 smee --url https://smee.io/H7XOiU60kSYJJTZs --target https://api.argos-ci.dev:4001/resend/event-handler",
     "github-webhook-proxy": "NODE_TLS_REJECT_UNAUTHORIZED=0 smee --url https://smee.io/SmH89Dx2HZ89wK7T --target https://api.argos-ci.dev:4001/github/event-handler",
     "github-light-webhook-proxy": "NODE_TLS_REJECT_UNAUTHORIZED=0 smee --url https://smee.io/T3JFnf2lr3Zq6 --target https://api.argos-ci.dev:4001/github-light/event-handler",
     "slack-webhook-proxy": "ngrok http --host-header=rewrite --domain=foal-great-publicly.ngrok-free.app https://app.argos-ci.dev:4001",