forem · maestromac · Feb 11, 2020 · Jan 29, 2020 · Jan 30, 2020 · Feb 6, 2020
diff --git a/app/controllers/webhooks/mailchimp_unsubscribes_controller.rb b/app/controllers/webhooks/mailchimp_unsubscribes_controller.rb
@@ -0,0 +1,30 @@
+class Webhooks::MailchimpUnsubscribesController < ApplicationController
+  class InvalidListID < StandardError; end
+
+  LIST_MAPPINGS = {
+    mailchimp_newsletter_id: :email_newsletter,
+    mailchimp_sustaining_members_id: :email_membership_newsletter,
+    mailchimp_tag_moderators_id: :email_tag_mod_newsletter,
+    mailchimp_community_moderators_id: :email_community_mod_newsletter
+  }.freeze
+
+  def create
+    not_authorized unless valid_secret?
+    user = User.find_by!(email: params.dig(:data, :email))
+    user.update(email_type => false)
+  end
+
+  private
+
+  def valid_secret?
+    params[:secret] == SiteConfig.mailchimp_webhook_secret
+  end
+
+  def email_type
+    list_id = params.dig(:data, :list_id)
+    key = LIST_MAPPINGS.keys.detect { |k| SiteConfig.public_send(k) == list_id }
+    raise InvalidListID unless key
+
+    LIST_MAPPINGS[key]
+  end
+end
diff --git a/app/models/site_config.rb b/app/models/site_config.rb
@@ -37,6 +37,10 @@ class SiteConfig < RailsSettings::Base
   field :mailchimp_tag_moderators_id, type: :string, default: ""
   field :mailchimp_community_moderators_id, type: :string, default: ""
 
+  # Mailchimp webhook secret. Part of the callback URL in the Mailchimp settings.
+  # <https://mailchimp.com/developer/guides/about-webhooks/#Webhooks_security>
+  field :mailchimp_webhook_secret, type: :string, default: ""
+
   # Email digest frequency
   field :periodic_email_digest_max, type: :integer, default: 0
   field :periodic_email_digest_min, type: :integer, default: 2

diff --git a/config/routes.rb b/config/routes.rb
@@ -154,11 +154,15 @@
     resources :reads, only: [:create]
   end
 
+  namespace :webhooks do
+    post "/mailchimp/:secret/unsubscribe", to: "mailchimp_unsubscribes#create", as: :mailchimp_unsubscribe
+  end
+
   resources :messages, only: [:create]
   resources :chat_channels, only: %i[index show create update]
   resources :chat_channel_memberships, only: %i[create update destroy]
   resources :articles, only: %i[update create destroy]
-  resources :article_mutes, only: %i[update]
+  resources :article_mutes,  only: %i[update]
   resources :comments, only: %i[create update destroy] do
     patch "/hide", to: "comments#hide"
     patch "/unhide", to: "comments#unhide"

diff --git a/spec/requests/webhooks/mailchimp/unsubscribe_spec.rb b/spec/requests/webhooks/mailchimp/unsubscribe_spec.rb
@@ -0,0 +1,29 @@
+require "rails_helper"
+
+RSpec.describe "Webhooks::MailchimpUnsubscribesController", type: :request do
+  let(:user) { create(:user, email_digest_periodic: true) }
+
+  describe "POST /webhooks/mailchimp/:secret/unsubscribe" do
+    let(:secret) { "secret" }
+    let(:list_id) { "1234" }
+    let(:params) { { data: { email: user.email, list_id: list_id } } }
+
+    before do
+      allow(SiteConfig).to receive(:mailchimp_webhook_secret).and_return(secret)
+    end
+
+    it "return not authorized if the secret is incorrect" do
+      expect do
+        post "/webhooks/mailchimp/wrong_secret/unsubscribe", params: params
+      end.to raise_error(Pundit::NotAuthorizedError)
+    end
+
+    it "unsubscribes the user if the secret is correct" do
+      SiteConfig.mailchimp_newsletter_id = list_id
+
+      expect do
+        post "/webhooks/mailchimp/#{secret}/unsubscribe", params: params
+      end.to change { user.reload.email_newsletter }.from(true).to(false)
+    end
+  end
+end