Fixes
https://linear.app/chatwoot/issue/CW-6494/add-shopify-mandatory-compliance-webhooks-for-app-store-listing
Shopify requires all public apps to handle three GDPR compliance
webhooks before they can be listed on the App Store. Their automated
review checks for these endpoints and verifies that apps validate HMAC
signatures on incoming requests. We were failing both checks.
This PR adds a single webhook endpoint at `POST /webhooks/shopify` that
receives all three compliance events. When Shopify sends a webhook, it
signs the payload with our app's client secret and includes the
signature in the `X-Shopify-Hmac-SHA256` header. Our controller reads
the raw body, computes the expected HMAC-SHA256 digest, and rejects
mismatched requests with a 401.
Shopify identifies the event type through the `X-Shopify-Topic` header.
For `customers/data_request` and `customers/redact`, we simply
acknowledge with a 200—Chatwoot doesn't persist any Shopify customer
data. All order lookups happen as live API calls at query time. For
`shop/redact`, which Shopify sends after a merchant uninstalls the app,
we delete the integration hook for that shop domain and remove the
stored access token and configuration.
### How to test via Rails console
```
secret = GlobalConfigService.load('SHOPIFY_CLIENT_SECRET', nil)
body = '{"shop_domain":"test.myshopify.com"}'
valid_hmac = Base64.strict_encode64(OpenSSL::HMAC.digest('SHA256', secret, body))
```
#### Test 1: No HMAC → 401
```
app.post '/webhooks/shopify', params: body, headers: { 'Content-Type' => 'application/json', 'X-Shopify-Topic' => 'customers/data_request' }
app.response.code # => "401"
```
#### Test 2: Invalid HMAC → 401
```
app.post '/webhooks/shopify', params: body, headers: { 'Content-Type' => 'application/json', 'X-Shopify-Hmac-SHA256' => 'invalid', 'X-Shopify-Topic' => 'customers/data_request' }
app.response.code # => "401"
```
#### Test 3: Valid HMAC, customers/data_request → 200
```
app.post '/webhooks/shopify', params: body, headers: { 'Content-Type' => 'application/json', 'X-Shopify-Hmac-SHA256' => valid_hmac, 'X-Shopify-Topic' => 'customers/data_request' }
app.response.code # => "200"
```
#### Test 4: Valid HMAC, customers/redact → 200
```
app.post '/webhooks/shopify', params: body, headers: { 'Content-Type' => 'application/json', 'X-Shopify-Hmac-SHA256' => valid_hmac, 'X-Shopify-Topic' => 'customers/redact' }
app.response.code # => "200"
```
#### Test 5: Valid HMAC, shop/redact → 200 (deletes hook)
```
# First check if a hook exists for this domain:
Integrations::Hook.where(app_id: 'shopify', reference_id: 'test.myshopify.com').count
app.post '/webhooks/shopify', params: body, headers: { 'Content-Type' => 'application/json', 'X-Shopify-Hmac-SHA256' => valid_hmac, 'X-Shopify-Topic' => 'shop/redact' }
app.response.code # => "200"
```
---------
Co-authored-by: Shivam Mishra <scm.mymail@gmail.com>
fixes: #11834
This pull request introduces TikTok channel integration, enabling users
to connect and manage TikTok business accounts similarly to other
supported social channels. The changes span backend API endpoints,
authentication helpers, webhook handling, configuration, and frontend
components to support TikTok as a first-class channel.
**Key Notes**
* This integration is only compatible with TikTok Business Accounts
* Special permissions are required to access the TikTok [Business
Messaging
API](https://business-api.tiktok.com/portal/docs?id=1832183871604753).
* The Business Messaging API is region-restricted and is currently
unavailable to users in the EU.
* Only TEXT, IMAGE, and POST_SHARE messages are currently supported due
to limitations in the TikTok Business Messaging API
* A message will be successfully sent only if it contains text alone or
one image attachment. Messages with multiple attachments or those
combining text and attachments will fail and receive a descriptive error
status.
* Messages sent directly from the TikTok App will be synced into the
system
* Initiating a new conversation from the system is not permitted due to
limitations from the TikTok Business Messaging API.
**Backend: TikTok Channel Integration**
* Added `Api::V1::Accounts::Tiktok::AuthorizationsController` to handle
TikTok OAuth authorization initiation, returning the TikTok
authorization URL.
* Implemented `Tiktok::CallbacksController` to handle TikTok OAuth
callback, process authorization results, create or update channel/inbox,
and handle errors or denied scopes.
* Added `Webhooks::TiktokController` to receive and verify TikTok
webhook events, including signature verification and event dispatching.
* Created `Tiktok::IntegrationHelper` module for JWT-based token
generation and verification for secure TikTok OAuth state management.
**Configuration and Feature Flags**
* Added TikTok app credentials (`TIKTOK_APP_ID`, `TIKTOK_APP_SECRET`) to
allowed configs and app config, and registered TikTok as a feature in
the super admin features YAML.
[[1]](diffhunk://#diff-5e46e1d248631a1147521477d84a54f8ba6846ea21c61eca5f70042d960467f4R43)
[[2]](diffhunk://#diff-8bf37a019cab1dedea458c437bd93e34af1d6e22b1672b1d43ef6eaa4dcb7732R69)
[[3]](diffhunk://#diff-123164bea29f3c096b0d018702b090d5ae670760c729141bd4169a36f5f5c1caR74-R79)
**Frontend: TikTok Channel UI and Messaging Support**
* Added `TiktokChannel` API client for frontend TikTok authorization
requests.
* Updated channel icon mappings and tests to include TikTok
(`Channel::Tiktok`).
[[1]](diffhunk://#diff-b852739ed45def61218d581d0de1ba73f213f55570aa5eec52aaa08f380d0e16R16)
[[2]](diffhunk://#diff-3cd3ae32e94ef85f1f2c4435abf0775cc0614fb37ee25d97945cd51573ef199eR64-R69)
* Enabled TikTok as a supported channel in contact forms, channel
widgets, and feature toggles.
[[1]](diffhunk://#diff-ec59c85e1403aaed1a7de35971fe16b7033d5cd763be590903ebf8f1ca25a010R47)
[[2]](diffhunk://#diff-ec59c85e1403aaed1a7de35971fe16b7033d5cd763be590903ebf8f1ca25a010R69)
[[3]](diffhunk://#diff-725b90ca7e3a6837ec8291e9f57094f6a46b3ee00e598d16564f77f32cf354b0R26-R29)
[[4]](diffhunk://#diff-725b90ca7e3a6837ec8291e9f57094f6a46b3ee00e598d16564f77f32cf354b0R51-R54)
[[5]](diffhunk://#diff-725b90ca7e3a6837ec8291e9f57094f6a46b3ee00e598d16564f77f32cf354b0R68)
* Updated message meta logic to support TikTok-specific message statuses
(sent, delivered, read).
[[1]](diffhunk://#diff-e41239cf8dda36c1bd1066dbb17588ae8868e56289072c74b3a6d7ef5abdd696R23)
[[2]](diffhunk://#diff-e41239cf8dda36c1bd1066dbb17588ae8868e56289072c74b3a6d7ef5abdd696L63-R65)
[[3]](diffhunk://#diff-e41239cf8dda36c1bd1066dbb17588ae8868e56289072c74b3a6d7ef5abdd696L81-R84)
[[4]](diffhunk://#diff-e41239cf8dda36c1bd1066dbb17588ae8868e56289072c74b3a6d7ef5abdd696L103-R107)
* Added support for embedded message attachments (e.g., TikTok embeds)
with a new `EmbedBubble` component and updated message rendering logic.
[[1]](diffhunk://#diff-c3d701caf27d9c31e200c6143c11a11b9d8826f78aa2ce5aa107470e6fdb9d7fR31)
[[2]](diffhunk://#diff-047859f9368a46d6d20177df7d6d623768488ecc38a5b1e284f958fad49add68R1-R19)
[[3]](diffhunk://#diff-c3d701caf27d9c31e200c6143c11a11b9d8826f78aa2ce5aa107470e6fdb9d7fR316)
[[4]](diffhunk://#diff-cbc85e7c4c8d56f2a847d0b01cd48ef36e5f87b43023bff0520fdfc707283085R52)
* Adjusted reply policy and UI messaging for TikTok's 48-hour reply
window.
[[1]](diffhunk://#diff-0d691f6a983bd89502f91253ecf22e871314545d1e3d3b106fbfc76bf6d8e1c7R208-R210)
[[2]](diffhunk://#diff-0d691f6a983bd89502f91253ecf22e871314545d1e3d3b106fbfc76bf6d8e1c7R224-R226)
These changes collectively enable end-to-end TikTok channel support,
from configuration and OAuth flow to webhook processing and frontend
message handling.
------------
# TikTok App Setup & Configuration
1. Grant access to the Business Messaging API
([Documentation](https://business-api.tiktok.com/portal/docs?id=1832184145137922))
2. Set the app authorization redirect URL to
`https://FRONTEND_URL/tiktok/callback`
3. Update the installation config with TikTok App ID and Secret
4. Create a Business Messaging Webhook configuration and set the
callback url to `https://FRONTEND_URL/webhooks/tiktok`
([Documentation](https://business-api.tiktok.com/portal/docs?id=1832190670631937))
. You can do this by calling
`Tiktok::AuthClient.update_webhook_callback` from rails console once you
finish Tiktok channel configuration in super admin ( will be automated
in future )
5. Enable TikTok channel feature in an account
---------
Co-authored-by: Sojan Jose <sojan@pepalo.com>
Co-authored-by: iamsivin <iamsivin@gmail.com>
* feat: implement connection update handling for Baileys
* feat: add message update handling for Baileys integration
* feat: implement message processing and handling for Baileys integration
* fix: clear message source ID from Redis when contact is not found
* fix: raise error when attachment file is not found during media handling
* refactor: reorganize includes in incoming_message_baileys_service
* feat: add helper methods for message handling in Baileys integration
* feat: include IncomingMessageServiceHelpers in MessagesUpdate module
* refactor: replace IncomingMessageServiceHelpers with BaileysHandlers::Helpers in connection_update, messages_update, and messages_upsert modules
* fix: mark message as unsupported when attachment file is not found
* refactor: remove unnecessary namespace for includes in IncomingMessageBaileysService
* refactor: add private visibility to methods in connection_update, helpers, messages_update, and messages_upsert modules
* refactor: preserve original message in handle_edited_content method
* fix: attachment error handling
* feat: implement conversation creation logic in set_conversation method
* refactor: remove unused error handling for attachment not found in messages update and upsert
* feat: update last seen timestamps in conversation on message status update
* feat: log warning for unsupported message update status in Baileys service
* chore: merge
---------
Co-authored-by: gabrieljablonski <contact@gabrieljablonski.com>
* fix: return not_found status for missing messages in WhatsApp webhook
* feat: enhance message handling to support image attachments
* chore: Handle incoming whatsapp baileys service attachments and implement specs for images and videos
* fix: add file_content_type method to incoming baileys messages
* chore: specs for stickers, audio and files
* fix: handle media attachment errors
* chore: convert file_content_type to string when attaching media
* fix: add handling for attachment not found error in incoming message service
* chore: refactor file_content_type method and simplify filename method
* chore: update media attachment tests
* feat: baileys unsupported message alert (#27)
* feat: create alert message for unsupported message types
* chore: fail message when try send not supported type in baileys
* chore: add tests for unsupported message handling in Baileys service
* chore: correct spelling
* chore: NIT in spec name
* chore: remove unnecessary message reload in unsupported message type test
* feat: baileys support to send attachments (#28)
* feat: enhance message sending logic with support for attachments and interactive messages
* fix: update message format to use messageContent for text messages
* feat: attachment message sending
* fix: use strict encoding for attachment file download
* chore: streamline message sending logic and remove unused error classes
* chore: remove type from message sending logic
* chore: update message sending specs
* chore: raise MessageNotSentError instead of updating message status to failed
* chore: change baileys contact name preferences (#30)
* refactor: improve contact name handling and extraction from JID
* test: enhance message handling to update contact names based on pushName and verifiedBizName
* chore: update contact name condition to match phone number from JID
* chore: correct method name typo
* chore: correct variable names for phone number consistency in tests
* chore: update message payload structure and improve error handling in send_message
* test: re-add testing for error handling
* feat: enhance contact name handling and add self-message detection
* fix: ensure presence check for verified business name in contact name retrieval
* test: improve specs
---------
Co-authored-by: gabrieljablonski <contact@gabrieljablonski.com>
---------
Co-authored-by: gabrieljablonski <contact@gabrieljablonski.com>
Co-authored-by: Gabriel Jablonski <gabriel@fazer.ai>
---------
Co-authored-by: gabrieljablonski <contact@gabrieljablonski.com>
Co-authored-by: Gabriel Jablonski <gabriel@fazer.ai>
* fix: try to disconnect baileys before destroy inbox (#29)
* fix: ensure proper disconnection of Baileys provider on channel destruction
* test: add callback tests for disconnecting channel provider in Whatsapp spec
* refactor: simplify condition for disconnecting Baileys provider on channel destruction
* refactor: enhance disconnect_channel_provider specs for Baileys provider
* test: verify channel destruction does not call disconnect_channel_provider
---------
Co-authored-by: gabrieljablonski <contact@gabrieljablonski.com>
---------
Co-authored-by: gabrieljablonski <contact@gabrieljablonski.com>
Co-authored-by: Gabriel Jablonski <gabriel@fazer.ai>
* feat: add message update processing in IncomingMessageBaileysService
* feat: implement message update handling in IncomingMessageBaileysService
* feat: add MessageNotFoundError for handling invalid update messages in IncomingMessageBaileysService
* chore: specs for message.update events and bug fixes
* chore: refactor message update handling in IncomingMessageBaileysService
* chore: nit remove redundant comment
* chore: enhance logging for unsupported message update statuses in IncomingMessageBaileysService and disabled metrics
* chore: message status update logic with transition checks
* chore: update status mapping for PENDING to sent in status_mapper
* chore: update status_mapper comments and fix case statement for status codes
* fix: logging for unsupported message updates in update_message_content method
* test: add specs for unsupported status transitions in messages.update event
* refactor: ensure message status is reloaded before assertion in messages.update event spec
* refactor: status variable in status_mapper method
* refactor: rename status_transition_allowed method to status_transition_allowed?
* refactor: streamline message creation in specs by using let! for setup
* feat: process webhook whatsapp await response (#21)
* feat: enhance WhatsApp webhook processing and error responses handling
* chore: correct spelling of 'WhatsApp' in webhook controller specs
* refactor: rename webhook processing method and improve error handling
* chore: update error handling in WhatsApp controller specs for specific exceptions
* refactor: remove handling for StandardError in WhatsApp controller specs
* refactor: simplify perform_whatsapp_events_job method
* chore: update response status from not_found to bad_request for invalid message
* refactor: update expectations for job processing in WhatsApp controller specs
- Add a warning logger for cases where we are getting webhook events for
inactive numbers.
- Add config to discard events for inactive numbers so that the meta
will stop sending events
---------
Co-authored-by: Pranav <pranav@chatwoot.com>
- Ability to configure line bots as a channel in chatwoot
- Receive a message sent to the line bot in chatwoot
- Ability to reply to line users from chatwoot
fixes: #2738
- Ability to configure telegram bots as a channel in chatwoot
- Receive a message sent to the telegram bot in chatwoot
- Ability to reply to telegram users from chatwoot
- Receive attachment messages in chatwoot
fixes: #1843
