From 4fde22c025ad91d7bad4c1455ad19ff82106f17e Mon Sep 17 00:00:00 2001
From: Xavier Fernandez <xavier.fernandez@beta.gouv.fr>
Date: Thu, 12 Dec 2024 11:43:43 +0100
Subject: [PATCH] urls: only include Mailjet tracking webhook in our URL

It is currently the only webhook used
---
 config/urls.py            |  5 +++--
 tests/www/test_anymail.py | 19 +++++++++++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 tests/www/test_anymail.py

diff --git a/config/urls.py b/config/urls.py
index 0ff8378318..8eb4d069a1 100644
--- a/config/urls.py
+++ b/config/urls.py
@@ -1,3 +1,4 @@
+from anymail.webhooks.mailjet import MailjetTrackingWebhookView
 from django.conf import settings
 from django.contrib import admin
 from django.urls import include, path, re_path, register_converter
@@ -86,9 +87,9 @@
     path("users/", include("itou.www.users_views.urls")),
     path("announcements/", include("itou.www.announcements.urls")),
     path("versions/", include("itou.www.releases.urls")),
-    # Enable Anymail’s status tracking
+    # Enable Mailjet status tracking
     # https://anymail.readthedocs.io/en/stable/esps/mailjet/#status-tracking-webhooks
-    re_path(r"^webhooks/anymail/", include("anymail.urls")),
+    path("webhooks/anymail/mailjet/tracking/", MailjetTrackingWebhookView.as_view()),
     path("welcoming_tour/", include("itou.www.welcoming_tour.urls")),
     # Static pages.
     path("accessibility/", TemplateView.as_view(template_name="static/accessibility.html"), name="accessibility"),
diff --git a/tests/www/test_anymail.py b/tests/www/test_anymail.py
new file mode 100644
index 0000000000..048e691b08
--- /dev/null
+++ b/tests/www/test_anymail.py
@@ -0,0 +1,19 @@
+import base64
+
+
+def test_access(client, settings):
+    # Setup access
+    settings.ANYMAIL = dict(settings.ANYMAIL) | {"WEBHOOK_SECRET": "S3cr3t"}
+
+    # Try without credentials
+    response = client.post("/webhooks/anymail/mailjet/tracking/", content_type="application/json", data=[])
+    assert response.status_code == 400
+
+    # and with
+    response = client.post(
+        "/webhooks/anymail/mailjet/tracking/",
+        content_type="application/json",
+        data=[],
+        headers={"Authorization": "Basic " + base64.b64encode(b"S3cr3t").decode()},
+    )
+    assert response.status_code == 200