Fix PandaDoc webhook: fetch fields via API and create applications#248
Open
rayyanmridha wants to merge 21 commits into
Open
Fix PandaDoc webhook: fetch fields via API and create applications#248rayyanmridha wants to merge 21 commits into
rayyanmridha wants to merge 21 commits into
Conversation
…sions Adds a public POST /api/pandadoc-webhook endpoint that receives PandaDoc webhook payloads when a recipient completes the application form. The endpoint runs the payload through the existing pandadocMapper, sets defaults (appStatus=APP_SUBMITTED, derives applicantType from schoolDepartment), then creates Application, CandidateInfo, and LearnerInfo records in sequence with logging at each step. - New PandadocWebhookModule with controller, service, and tests - Export ApplicationsService and LearnerInfoService from their modules - Register PandadocWebhookModule and CandidateInfoModule in AppModule - Optional webhook signature verification via PANDADOC_WEBHOOK_KEY env var - Reuses existing error email filters for applicant notifications Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ilters The controller previously did the x-pandadoc-signature check inline and applied ApplicationCreationErrorFilter + ApplicationValidationEmailFilter intended for the human application-form route. Those filters use @catch(Error), which swallowed UnauthorizedException and rewrote it as 500, and also emailed the applicant on every failure — wrong actor on a webhook where PandaDoc, not the applicant, is the caller. Move the signature check into PandadocSignatureGuard so 401s flow through Nest's default handler, and remove @UseFilters from the webhook controller. The filters remain on POST /applications where they belong.
Previously the service called ApplicationsService.create, CandidateInfoService.create, and LearnerInfoService.create sequentially. Any failure mid-sequence — including the success-confirmation email inside ApplicationsService.create — left an Application row without its CandidateInfo / LearnerInfo siblings. Inject DataSource and run all three em.save calls inside dataSource.transaction so a failure rolls everything back. Drop the inter-service dependency from the module (now only ConfigModule is needed; entities are resolved via the global DataSource). Also harden formatDate to convert ISO-8601 strings to YYYY-MM-DD instead of returning them as-is.
Previously the webhook handler tried to read form field values directly
from the webhook payload, but PandaDoc only sends event metadata (doc ID,
event type) — not field values. This commit wires up the full flow:
- Receive webhook → extract document ID from array payload format
- Call PandaDoc fields API (GET /documents/{id}/fields) with PANDADOC_API_KEY
- Map fields by field_id (not name — name is a generic type like "Text")
- Inject email and phone from assigned_to recipient metadata since they
are not form fields
- Coalesce upload slots: *1 = supervisor flow, *2 = applicant flow;
fall back to *1 when *2 is empty so both submission paths work
- Normalize Volunteer_Discipline label to kebab-case key to satisfy
the discipline catalog FK constraint
- Make Volunteer_Phone optional (form label exists but no input field
in the current PandaDoc template)
- Convert missing-required-fields mapper errors to 400 Bad Request
instead of 500
Tested against all 8 completed PandaDoc documents: 6 real submissions
create applications successfully, 2 blank/junk test forms return 400.
ostepan8
changed the title
Extract first_name/last_name from PandaDoc recipient assigned_to metadata (same source as email/phone) and upsert a User row inside the transaction. Without this the frontend fell back to displaying raw email addresses because useApplications.ts resolves display names via the users table. Tested end-to-end: fired a signed webhook for a real completed doc, confirmed Application + CandidateInfo + LearnerInfo + User (Sam Nie) all created atomically.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Test plan
juCyjmgFCMLTNrfBbxfate). Confirmed all four records created atomically: Application (appId=46), CandidateInfo, LearnerInfo, and User (firstName=Sam, lastName=Nie)PANDADOC_API_KEYmust be set in ECS environment (confirm with Sam — believed already present)