Restructure omni services and add Chatwoot research snapshot

research/chatwoot/app/controllers/concerns/access_token_auth_helper.rb

@@ -0,0 +1,39 @@
+module AccessTokenAuthHelper
+  BOT_ACCESSIBLE_ENDPOINTS = {
+    'api/v1/accounts/conversations' => %w[toggle_status toggle_priority create update custom_attributes],
+    'api/v1/accounts/conversations/messages' => ['create'],
+    'api/v1/accounts/conversations/assignments' => ['create']
+  }.freeze
+
+  def ensure_access_token
+    token = request.headers[:api_access_token] || request.headers[:HTTP_API_ACCESS_TOKEN]
+    @access_token = AccessToken.find_by(token: token) if token.present?
+  end
+
+  def authenticate_access_token!
+    ensure_access_token
+    render_unauthorized('Invalid Access Token') && return if @access_token.blank?
+
+    # NOTE: This ensures that current_user is set and available for the rest of the controller actions
+    @resource = @access_token.owner
+    Current.user = @resource if allowed_current_user_type?(@resource)
+  end
+
+  def allowed_current_user_type?(resource)
+    return true if resource.is_a?(User)
+    return true if resource.is_a?(AgentBot)
+
+    false
+  end
+
+  def validate_bot_access_token!
+    return if Current.user.is_a?(User)
+    return if agent_bot_accessible?
+
+    render_unauthorized('Access to this endpoint is not authorized for bots')
+  end
+
+  def agent_bot_accessible?
+    BOT_ACCESSIBLE_ENDPOINTS.fetch(params[:controller], []).include?(params[:action])
+  end
+end

research/chatwoot/app/controllers/concerns/attachment_concern.rb

@@ -0,0 +1,35 @@
+module AttachmentConcern
+  extend ActiveSupport::Concern
+
+  def validate_and_prepare_attachments(actions, record = nil)
+    blobs = []
+    return [blobs, actions, nil] if actions.blank?
+
+    sanitized = actions.map do |action|
+      next action unless action[:action_name] == 'send_attachment'
+
+      result = process_attachment_action(action, record, blobs)
+      return [nil, nil, I18n.t('errors.attachments.invalid')] unless result
+
+      result
+    end
+
+    [blobs, sanitized, nil]
+  end
+
+  private
+
+  def process_attachment_action(action, record, blobs)
+    blob_id = action[:action_params].first
+    blob = ActiveStorage::Blob.find_signed(blob_id.to_s)
+
+    return action.merge(action_params: [blob.id]).tap { blobs << blob } if blob.present?
+    return action if blob_already_attached?(record, blob_id)
+
+    nil
+  end
+
+  def blob_already_attached?(record, blob_id)
+    record&.files&.any? { |f| f.blob_id == blob_id.to_i }
+  end
+end

research/chatwoot/app/controllers/concerns/auth_helper.rb

@@ -0,0 +1,10 @@
+module AuthHelper
+  def send_auth_headers(user)
+    data = user.create_new_auth_token
+    response.headers[DeviseTokenAuth.headers_names[:'access-token']] = data['access-token']
+    response.headers[DeviseTokenAuth.headers_names[:'token-type']]   = 'Bearer'
+    response.headers[DeviseTokenAuth.headers_names[:client]]       = data['client']
+    response.headers[DeviseTokenAuth.headers_names[:expiry]]       = data['expiry']
+    response.headers[DeviseTokenAuth.headers_names[:uid]]          = data['uid']
+  end
+end

research/chatwoot/app/controllers/concerns/domain_helper.rb

@@ -0,0 +1,5 @@
+module DomainHelper
+  def self.chatwoot_domain?(domain = request.host)
+    [URI.parse(ENV.fetch('FRONTEND_URL', '')).host, URI.parse(ENV.fetch('HELPCENTER_URL', '')).host].include?(domain)
+  end
+end

research/chatwoot/app/controllers/concerns/ensure_current_account_helper.rb

@@ -0,0 +1,33 @@
+module EnsureCurrentAccountHelper
+  private
+
+  def current_account
+    @current_account ||= ensure_current_account
+    Current.account = @current_account
+  end
+
+  def ensure_current_account
+    account = Account.find(params[:account_id])
+    render_unauthorized('Account is suspended') and return unless account.active?
+
+    if current_user
+      account_accessible_for_user?(account)
+    elsif @resource.is_a?(AgentBot)
+      account_accessible_for_bot?(account)
+    end
+    account
+  end
+
+  def account_accessible_for_user?(account)
+    @current_account_user = account.account_users.find_by(user_id: current_user.id)
+    Current.account_user = @current_account_user
+    render_unauthorized('You are not authorized to access this account') unless @current_account_user
+  end
+
+  def account_accessible_for_bot?(account)
+    return if @resource.account_id == account.id
+    return if @resource.agent_bot_inboxes.find_by(account_id: account.id)
+
+    render_unauthorized('Bot is not authorized to access this account')
+  end
+end

research/chatwoot/app/controllers/concerns/google_concern.rb

@@ -0,0 +1,20 @@
+module GoogleConcern
+  extend ActiveSupport::Concern
+
+  def google_client
+    app_id = GlobalConfigService.load('GOOGLE_OAUTH_CLIENT_ID', nil)
+    app_secret = GlobalConfigService.load('GOOGLE_OAUTH_CLIENT_SECRET', nil)
+
+    ::OAuth2::Client.new(app_id, app_secret, {
+                           site: 'https://oauth2.googleapis.com',
+                           authorize_url: 'https://accounts.google.com/o/oauth2/auth',
+                           token_url: 'https://accounts.google.com/o/oauth2/token'
+                         })
+  end
+
+  private
+
+  def scope
+    'email profile https://mail.google.com/'
+  end
+end

research/chatwoot/app/controllers/concerns/hmac_concern.rb

@@ -0,0 +1,5 @@
+module HmacConcern
+  def hmac_verified?
+    ActiveModel::Type::Boolean.new.cast(params[:hmac_verified]).present?
+  end
+end

research/chatwoot/app/controllers/concerns/instagram_concern.rb

@@ -0,0 +1,74 @@
+module InstagramConcern
+  extend ActiveSupport::Concern
+
+  def instagram_client
+    ::OAuth2::Client.new(
+      client_id,
+      client_secret,
+      {
+        site: 'https://api.instagram.com',
+        authorize_url: 'https://api.instagram.com/oauth/authorize',
+        token_url: 'https://api.instagram.com/oauth/access_token',
+        auth_scheme: :request_body,
+        token_method: :post
+      }
+    )
+  end
+
+  private
+
+  def client_id
+    GlobalConfigService.load('INSTAGRAM_APP_ID', nil)
+  end
+
+  def client_secret
+    GlobalConfigService.load('INSTAGRAM_APP_SECRET', nil)
+  end
+
+  def exchange_for_long_lived_token(short_lived_token)
+    endpoint = 'https://graph.instagram.com/access_token'
+    params = {
+      grant_type: 'ig_exchange_token',
+      client_secret: client_secret,
+      access_token: short_lived_token,
+      client_id: client_id
+    }
+
+    make_api_request(endpoint, params, 'Failed to exchange token')
+  end
+
+  def fetch_instagram_user_details(access_token)
+    endpoint = 'https://graph.instagram.com/v22.0/me'
+    params = {
+      fields: 'id,username,user_id,name,profile_picture_url,account_type',
+      access_token: access_token
+    }
+
+    make_api_request(endpoint, params, 'Failed to fetch Instagram user details')
+  end
+
+  def make_api_request(endpoint, params, error_prefix)
+    response = HTTParty.get(
+      endpoint,
+      query: params,
+      headers: { 'Accept' => 'application/json' }
+    )
+
+    unless response.success?
+      Rails.logger.error "#{error_prefix}. Status: #{response.code}, Body: #{response.body}"
+      raise "#{error_prefix}: #{response.body}"
+    end
+
+    begin
+      JSON.parse(response.body)
+    rescue JSON::ParserError => e
+      ChatwootExceptionTracker.new(e).capture_exception
+      Rails.logger.error "Invalid JSON response: #{response.body}"
+      raise e
+    end
+  end
+
+  def base_url
+    ENV.fetch('FRONTEND_URL', 'http://localhost:3000')
+  end
+end

research/chatwoot/app/controllers/concerns/label_concern.rb

@@ -0,0 +1,10 @@
+module LabelConcern
+  def create
+    model.update_labels(permitted_params[:labels])
+    @labels = model.label_list
+  end
+
+  def index
+    @labels = model.label_list
+  end
+end

research/chatwoot/app/controllers/concerns/meta_token_verify_concern.rb

@@ -0,0 +1,20 @@
+# services from Meta (Prev: Facebook) needs a token verification step for webhook subscriptions,
+# This concern handles the token verification step.
+
+module MetaTokenVerifyConcern
+  def verify
+    service = is_a?(Webhooks::WhatsappController) ? 'whatsapp' : 'instagram'
+    if valid_token?(params['hub.verify_token'])
+      Rails.logger.info("#{service.capitalize} webhook verified")
+      render json: params['hub.challenge']
+    else
+      render status: :unauthorized, json: { error: 'Error; wrong verify token' }
+    end
+  end
+
+  private
+
+  def valid_token?(_token)
+    raise 'Overwrite this method your controller'
+  end
+end

research/chatwoot/app/controllers/concerns/microsoft_concern.rb

@@ -0,0 +1,21 @@
+module MicrosoftConcern
+  extend ActiveSupport::Concern
+
+  def microsoft_client
+    app_id = GlobalConfigService.load('AZURE_APP_ID', nil)
+    app_secret = GlobalConfigService.load('AZURE_APP_SECRET', nil)
+
+    ::OAuth2::Client.new(app_id, app_secret,
+                         {
+                           site: 'https://login.microsoftonline.com',
+                           authorize_url: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize',
+                           token_url: 'https://login.microsoftonline.com/common/oauth2/v2.0/token'
+                         })
+  end
+
+  private
+
+  def scope
+    'offline_access https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send openid profile email'
+  end
+end

research/chatwoot/app/controllers/concerns/notion_concern.rb

@@ -0,0 +1,21 @@
+module NotionConcern
+  extend ActiveSupport::Concern
+
+  def notion_client
+    app_id = GlobalConfigService.load('NOTION_CLIENT_ID', nil)
+    app_secret = GlobalConfigService.load('NOTION_CLIENT_SECRET', nil)
+
+    ::OAuth2::Client.new(app_id, app_secret, {
+                           site: 'https://api.notion.com',
+                           authorize_url: 'https://api.notion.com/v1/oauth/authorize',
+                           token_url: 'https://api.notion.com/v1/oauth/token',
+                           auth_scheme: :basic_auth
+                         })
+  end
+
+  private
+
+  def scope
+    ''
+  end
+end

research/chatwoot/app/controllers/concerns/request_exception_handler.rb

@@ -0,0 +1,62 @@
+module RequestExceptionHandler
+  extend ActiveSupport::Concern
+
+  included do
+    rescue_from ActiveRecord::RecordInvalid, with: :render_record_invalid
+  end
+
+  private
+
+  def handle_with_exception
+    yield
+  rescue ActiveRecord::RecordNotFound => e
+    log_handled_error(e)
+    render_not_found_error('Resource could not be found')
+  rescue Pundit::NotAuthorizedError => e
+    log_handled_error(e)
+    render_unauthorized('You are not authorized to do this action')
+  rescue ActionController::ParameterMissing => e
+    log_handled_error(e)
+    render_could_not_create_error(e.message)
+  ensure
+    # to address the thread variable leak issues in Puma/Thin webserver
+    Current.reset
+  end
+
+  def render_unauthorized(message)
+    render json: { error: message }, status: :unauthorized
+  end
+
+  def render_not_found_error(message)
+    render json: { error: message }, status: :not_found
+  end
+
+  def render_could_not_create_error(message)
+    render json: { error: message }, status: :unprocessable_entity
+  end
+
+  def render_payment_required(message)
+    render json: { error: message }, status: :payment_required
+  end
+
+  def render_internal_server_error(message)
+    render json: { error: message }, status: :internal_server_error
+  end
+
+  def render_record_invalid(exception)
+    log_handled_error(exception)
+    render json: {
+      message: exception.record.errors.full_messages.join(', '),
+      attributes: exception.record.errors.attribute_names
+    }, status: :unprocessable_entity
+  end
+
+  def render_error_response(exception)
+    log_handled_error(exception)
+    render json: exception.to_hash, status: exception.http_status
+  end
+
+  def log_handled_error(exception)
+    logger.info("Handled error: #{exception.inspect}")
+  end
+end

research/chatwoot/app/controllers/concerns/switch_locale.rb

@@ -0,0 +1,79 @@
+module SwitchLocale
+  extend ActiveSupport::Concern
+
+  private
+
+  def switch_locale(&)
+    # Priority is for locale set in query string (mostly for widget/from js sdk)
+    locale ||= params[:locale]
+
+    # Use the user's locale if available
+    locale ||= locale_from_user
+
+    # Use the locale from a custom domain if applicable
+    locale ||= locale_from_custom_domain
+
+    # if locale is not set in account, let's use DEFAULT_LOCALE env variable
+    locale ||= ENV.fetch('DEFAULT_LOCALE', nil)
+
+    set_locale(locale, &)
+  end
+
+  def switch_locale_using_account_locale(&)
+    # Get the locale from the user first
+    locale = locale_from_user
+
+    # Fallback to the account's locale if the user's locale is not set
+    locale ||= locale_from_account(@current_account)
+
+    set_locale(locale, &)
+  end
+
+  # If the request is coming from a custom domain, it should be for a helpcenter portal
+  # We will use the portal locale in such cases
+  def locale_from_custom_domain(&)
+    return if params[:locale]
+
+    domain = request.host
+    return if DomainHelper.chatwoot_domain?(domain)
+
+    @portal = Portal.find_by(custom_domain: domain)
+    return unless @portal
+
+    @portal.default_locale
+  end
+
+  def locale_from_user
+    return unless @user
+
+    @user.ui_settings&.dig('locale')
+  end
+
+  def set_locale(locale, &)
+    safe_locale = validate_and_get_locale(locale)
+    # Ensure locale won't bleed into other requests
+    # https://guides.rubyonrails.org/i18n.html#managing-the-locale-across-requests
+    I18n.with_locale(safe_locale, &)
+  end
+
+  def validate_and_get_locale(locale)
+    return I18n.default_locale.to_s if locale.blank?
+
+    available_locales = I18n.available_locales.map(&:to_s)
+    locale_without_variant = locale.split('_')[0]
+
+    if available_locales.include?(locale)
+      locale
+    elsif available_locales.include?(locale_without_variant)
+      locale_without_variant
+    else
+      I18n.default_locale.to_s
+    end
+  end
+
+  def locale_from_account(account)
+    return unless account
+
+    account.locale
+  end
+end

research/chatwoot/app/controllers/concerns/twitter_concern.rb

@@ -0,0 +1,26 @@
+module TwitterConcern
+  extend ActiveSupport::Concern
+
+  private
+
+  def parsed_body
+    @parsed_body ||= Rack::Utils.parse_nested_query(@response.raw_response.body)
+  end
+
+  def host
+    ENV.fetch('FRONTEND_URL', '')
+  end
+
+  def twitter_client
+    Twitty::Facade.new do |config|
+      config.consumer_key = ENV.fetch('TWITTER_CONSUMER_KEY', nil)
+      config.consumer_secret = ENV.fetch('TWITTER_CONSUMER_SECRET', nil)
+      config.base_url = twitter_api_base_url
+      config.environment = ENV.fetch('TWITTER_ENVIRONMENT', '')
+    end
+  end
+
+  def twitter_api_base_url
+    'https://api.twitter.com'
+  end
+end

research/chatwoot/app/controllers/concerns/website_token_helper.rb

@@ -0,0 +1,26 @@
+module WebsiteTokenHelper
+  def auth_token_params
+    @auth_token_params ||= ::Widget::TokenService.new(token: request.headers['X-Auth-Token']).decode_token
+  end
+
+  def set_web_widget
+    @web_widget = ::Channel::WebWidget.find_by!(website_token: permitted_params[:website_token])
+    @current_account = @web_widget.inbox.account
+
+    render json: { error: 'Account is suspended' }, status: :unauthorized unless @current_account.active?
+  end
+
+  def set_contact
+    @contact_inbox = @web_widget.inbox.contact_inboxes.find_by(
+      source_id: auth_token_params[:source_id]
+    )
+    @contact = @contact_inbox&.contact
+    raise ActiveRecord::RecordNotFound unless @contact
+
+    Current.contact = @contact
+  end
+
+  def permitted_params
+    params.permit(:website_token)
+  end
+end