Store attachments in dedicated column instead of overwriting payload (#249)

freekmurze · web-flow · commit c27da1f65c72 · 2026-04-28T09:38:31.000+02:00
* Store attachments in dedicated column instead of overwriting payload Fixes #248. PR #235 stored uploaded files under the 'attachments' key of the payload, which silently overwrote that key for any webhook whose JSON body legitimately uses 'attachments'. Files now go to a dedicated nullable JSON 'attachments' column on the webhook_calls table. The payload is no longer touched. Backwards compatibility: - getAttachments() reads from the new column and falls back to payload['attachments'] for rows written by 3.5.x, so historical data stays accessible without manual migration. - A new add_attachments_to_webhook_calls_table migration is registered for existing installs. - A per-config 'store_attachments' option (default true) lets users opt out of file storage. The only code-side break is direct reads of $call->payload['attachments'] on new rows; those callers should switch to $call->getAttachments(), which has been the documented accessor since #235. * Add larastan to require-dev so PHPStan can load checkOctaneCompatibility and checkModelProperties The phpstan.neon.dist has referenced these larastan-specific config keys since at least July 2025, but larastan was never declared as a dev dep. PHPStan has been failing on every CI run as a result. Adds larastan ^2.9 which matches the existing PHPStan 1.12 line. * Revert "Add larastan to require-dev so PHPStan can load checkOctaneCompatibility and checkModelProperties" This reverts commit 610b667. * Drop larastan-specific keys from phpstan.neon.dist checkOctaneCompatibility and checkModelProperties require larastan, which can't be added to require-dev without restricting Laravel versions in the test matrix (larastan 2.x doesn't support L12/L13 and larastan 3.x requires PHPStan 2.x). Removing these keys lets PHPStan run cleanly with the level 5 base ruleset. * Ignore Eloquent magic-method PHPStan errors that previously needed larastan Without larastan, PHPStan does not understand Laravel's Eloquent magic statics like Model::create() and Model::where(), nor the IDE-helper \Eloquent mixin. Adds targeted ignoreErrors entries for the specific patterns used in WebhookCall, so PHPStan runs cleanly without pulling larastan into require-dev (which would conflict with Laravel 12/13 in the test matrix).
diff --git a/config/webhook-client.php b/config/webhook-client.php
@@ -53,6 +53,13 @@
 
             ],
 
+            /*
+             * When set to true, file uploads on the incoming request are stored
+             * in the dedicated `attachments` column on the webhook call model.
+             * Set to false to skip file extraction entirely.
+             */
+            'store_attachments' => true,
+
             /*
              * The class name of the job that will process the webhook request.
              *
diff --git a/database/migrations/add_attachments_to_webhook_calls_table.php.stub b/database/migrations/add_attachments_to_webhook_calls_table.php.stub
@@ -0,0 +1,19 @@
+<?php
+
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up()
+    {
+        if (Schema::hasColumn('webhook_calls', 'attachments')) {
+            return;
+        }
+
+        Schema::table('webhook_calls', function (Blueprint $table) {
+            $table->json('attachments')->nullable()->after('payload');
+        });
+    }
+};
diff --git a/database/migrations/create_webhook_calls_table.php.stub b/database/migrations/create_webhook_calls_table.php.stub
@@ -15,6 +15,7 @@ return new class extends Migration
             $table->string('url', 512);
             $table->json('headers')->nullable();
             $table->json('payload')->nullable();
+            $table->json('attachments')->nullable();
             $table->text('exception')->nullable();
 
             $table->timestamps();
diff --git a/phpstan.neon.dist b/phpstan.neon.dist
@@ -8,9 +8,9 @@ parameters:
         - config
         - database
     tmpDir: build/phpstan
-    checkOctaneCompatibility: true
-    checkModelProperties: true
     checkMissingIterableValueType: false
 
     ignoreErrors:
         - '#Unsafe usage of new static#'
+        - '#PHPDoc tag @mixin contains unknown class Eloquent#'
+        - '#Call to an undefined static method Spatie\\WebhookClient\\Models\\WebhookCall::(create|where)\(\)#'
diff --git a/src/Models/WebhookCall.php b/src/Models/WebhookCall.php
@@ -20,6 +20,7 @@
  * @property string $url
  * @property array|null $headers
  * @property array|null $payload
+ * @property array|null $attachments
  * @property array|null $exception
  * @property \Illuminate\Support\Carbon|null $created_at
  * @property \Illuminate\Support\Carbon|null $updated_at
@@ -43,32 +44,40 @@ class WebhookCall extends Model
     protected $casts = [
         'headers' => 'array',
         'payload' => 'array',
+        'attachments' => 'array',
         'exception' => 'array',
     ];
 
     public static function storeWebhook(WebhookConfig $config, Request $request): WebhookCall
     {
-        $headers = self::headersToStore($config, $request);
-        $payload = self::buildPayloadFromRequest($request);
-
         return self::create([
             'name' => $config->name,
             'url' => $request->fullUrl(),
-            'headers' => $headers,
-            'payload' => $payload,
+            'headers' => self::headersToStore($config, $request),
+            'payload' => self::buildPayloadFromRequest($request),
+            'attachments' => self::buildAttachmentsFromRequest($config, $request),
             'exception' => null,
         ]);
     }
 
     protected static function buildPayloadFromRequest(Request $request): array
     {
-        $payload = $request->input();
+        return $request->input();
+    }
 
-        if ($request->allFiles()) {
-            $payload['attachments'] = self::processRequestFiles($request->allFiles());
+    protected static function buildAttachmentsFromRequest(WebhookConfig $config, Request $request): ?array
+    {
+        if (! $config->storeAttachments) {
+            return null;
         }
 
-        return $payload;
+        $files = $request->allFiles();
+
+        if (empty($files)) {
+            return null;
+        }
+
+        return self::processRequestFiles($files);
     }
 
     protected static function processRequestFiles(array $files): array
@@ -157,20 +166,20 @@ public function prunable()
     }
 
     /**
-     * Convert stored file metadata back into UploadedFile objects
+     * Convert stored file metadata back into UploadedFile objects.
+     *
+     * Reads from the dedicated attachments column and falls back to
+     * `payload['attachments']` for rows written by older versions of the
+     * package that stored attachments inside the payload.
      *
      * @return array
      */
     public function getAttachments(): array
     {
-        if (! isset($this->payload['attachments'])) {
-            return [];
-        }
+        $attachments = $this->attachments ?? $this->payload['attachments'] ?? [];
 
-        return collect($this->payload['attachments'])
-            ->map(function ($attachment) {
-                return $this->createUploadedFileFromAttachment($attachment);
-            })
+        return collect($attachments)
+            ->map(fn ($attachment) => $this->createUploadedFileFromAttachment($attachment))
             ->toArray();
     }
 
diff --git a/src/WebhookClientServiceProvider.php b/src/WebhookClientServiceProvider.php
@@ -16,7 +16,10 @@ public function configurePackage(Package $package): void
         $package
             ->name('laravel-webhook-client')
             ->hasConfigFile()
-            ->hasMigrations('create_webhook_calls_table');
+            ->hasMigrations(
+                'create_webhook_calls_table',
+                'add_attachments_to_webhook_calls_table',
+            );
     }
 
     public function packageRegistered()
diff --git a/src/WebhookConfig.php b/src/WebhookConfig.php
@@ -27,6 +27,8 @@ class WebhookConfig
 
     public array | string $storeHeaders;
 
+    public bool $storeAttachments;
+
     public string $processWebhookJobClass;
 
     public function __construct(array $properties)
@@ -57,6 +59,8 @@ public function __construct(array $properties)
 
         $this->storeHeaders = $properties['store_headers'] ?? [];
 
+        $this->storeAttachments = $properties['store_attachments'] ?? true;
+
         if (! is_subclass_of($properties['process_webhook_job'], ProcessWebhookJob::class)) {
             throw InvalidConfig::invalidProcessWebhookJob($properties['process_webhook_job']);
         }
diff --git a/tests/WebhookCallModelTest.php b/tests/WebhookCallModelTest.php
@@ -28,7 +28,7 @@
     expect($webhookCall)->toBeInstanceOf(WebhookCall::class);
     expect($webhookCall->name)->toBe('test');
     expect($webhookCall->payload)->toBe(['key' => 'value']);
-    expect($webhookCall->payload)->not->toHaveKey('attachments');
+    expect($webhookCall->attachments)->toBeNull();
 });
 
 it('can store webhook with single file', function () {
@@ -43,11 +43,11 @@
 
     expect($webhookCall)->toBeInstanceOf(WebhookCall::class);
     expect($webhookCall->name)->toBe('test');
-    expect($webhookCall->payload['key'])->toBe('value');
-    expect($webhookCall->payload)->toHaveKey('attachments');
-    expect($webhookCall->payload['attachments'])->toHaveCount(1);
+    expect($webhookCall->payload)->toBe(['key' => 'value']);
+    expect($webhookCall->payload)->not->toHaveKey('attachments');
+    expect($webhookCall->attachments)->toHaveCount(1);
 
-    $attachment = $webhookCall->payload['attachments'][0];
+    $attachment = $webhookCall->attachments[0];
     expect($attachment['originalName'])->toBe('test.txt');
     expect($attachment['mimeType'])->not->toBeEmpty();
     expect($attachment['size'])->toBeGreaterThan(0);
@@ -66,14 +66,13 @@
     $webhookCall = WebhookCall::storeWebhook($this->webhookConfig, $request);
 
     expect($webhookCall)->toBeInstanceOf(WebhookCall::class);
-    expect($webhookCall->payload)->toHaveKey('attachments');
-    expect($webhookCall->payload['attachments'])->toHaveCount(2);
+    expect($webhookCall->attachments)->toHaveCount(2);
 
-    $attachment1 = $webhookCall->payload['attachments'][0];
+    $attachment1 = $webhookCall->attachments[0];
     expect($attachment1['originalName'])->toBe('test1.txt');
     expect($attachment1['size'])->toBeGreaterThan(0);
 
-    $attachment2 = $webhookCall->payload['attachments'][1];
+    $attachment2 = $webhookCall->attachments[1];
     expect($attachment2['originalName'])->toBe('test2.pdf');
     expect($attachment2['size'])->toBeGreaterThan(0);
 });
@@ -92,15 +91,69 @@
     $webhookCall = WebhookCall::storeWebhook($this->webhookConfig, $request);
 
     expect($webhookCall)->toBeInstanceOf(WebhookCall::class);
-    expect($webhookCall->payload)->toHaveKey('attachments');
-    expect($webhookCall->payload['attachments'])->toHaveCount(3);
+    expect($webhookCall->attachments)->toHaveCount(3);
 
-    $fileNames = collect($webhookCall->payload['attachments'])->pluck('originalName')->toArray();
+    $fileNames = collect($webhookCall->attachments)->pluck('originalName')->toArray();
     expect($fileNames)->toContain('single.txt');
     expect($fileNames)->toContain('multi1.txt');
     expect($fileNames)->toContain('multi2.txt');
 });
 
+it('does not overwrite a user-provided attachments key in the payload', function () {
+    $request = Request::create('/test', 'POST', [
+        'key' => 'value',
+        'attachments' => ['user-provided', 'data'],
+    ]);
+
+    $webhookCall = WebhookCall::storeWebhook($this->webhookConfig, $request);
+
+    expect($webhookCall->payload['attachments'])->toBe(['user-provided', 'data']);
+    expect($webhookCall->attachments)->toBeNull();
+});
+
+it('preserves a user-provided attachments key when files are also uploaded', function () {
+    Storage::fake('local');
+
+    $file = UploadedFile::fake()->create('test.txt', 1);
+
+    $request = Request::create('/test', 'POST', [
+        'attachments' => ['user-provided'],
+    ]);
+    $request->files->set('document', $file);
+
+    $webhookCall = WebhookCall::storeWebhook($this->webhookConfig, $request);
+
+    expect($webhookCall->payload['attachments'])->toBe(['user-provided']);
+    expect($webhookCall->attachments)->toHaveCount(1);
+    expect($webhookCall->attachments[0]['originalName'])->toBe('test.txt');
+});
+
+it('does not extract files when store_attachments is disabled', function () {
+    Storage::fake('local');
+
+    $config = new WebhookConfig([
+        'name' => 'test',
+        'signing_secret' => 'secret',
+        'signature_header_name' => 'Signature',
+        'signature_validator' => \Spatie\WebhookClient\SignatureValidator\DefaultSignatureValidator::class,
+        'webhook_profile' => \Spatie\WebhookClient\WebhookProfile\ProcessEverythingWebhookProfile::class,
+        'webhook_response' => \Spatie\WebhookClient\WebhookResponse\DefaultRespondsTo::class,
+        'webhook_model' => WebhookCall::class,
+        'process_webhook_job' => \Spatie\WebhookClient\Tests\TestClasses\ProcessWebhookJobTestClass::class,
+        'store_headers' => [],
+        'store_attachments' => false,
+    ]);
+
+    $file = UploadedFile::fake()->create('test.txt', 1);
+    $request = Request::create('/test', 'POST', ['key' => 'value']);
+    $request->files->set('document', $file);
+
+    $webhookCall = WebhookCall::storeWebhook($config, $request);
+
+    expect($webhookCall->attachments)->toBeNull();
+    expect($webhookCall->payload)->not->toHaveKey('attachments');
+});
+
 it('can retrieve attachments as uploaded file objects', function () {
     Storage::fake('local');
 
@@ -128,6 +181,58 @@
     expect($attachments)->toBeEmpty();
 });
 
+it('falls back to payload attachments for rows written by older versions', function () {
+    $legacyAttachment = [
+        'originalName' => 'legacy.txt',
+        'mimeType' => 'text/plain',
+        'size' => 7,
+        'error' => 0,
+        'path' => '/tmp/legacy',
+        'content' => base64_encode('legacy!'),
+    ];
+
+    $webhookCall = WebhookCall::create([
+        'name' => 'test',
+        'url' => 'http://example.test/webhook',
+        'headers' => [],
+        'payload' => ['key' => 'value', 'attachments' => [$legacyAttachment]],
+        'attachments' => null,
+        'exception' => null,
+    ]);
+
+    $attachments = $webhookCall->getAttachments();
+
+    expect($attachments)->toHaveCount(1);
+    expect($attachments[0])->toBeInstanceOf(UploadedFile::class);
+    expect($attachments[0]->getClientOriginalName())->toBe('legacy.txt');
+    expect(file_get_contents($attachments[0]->getPathname()))->toBe('legacy!');
+});
+
+it('prefers the attachments column over a payload attachments key when both exist', function () {
+    $columnAttachment = [
+        'originalName' => 'column.txt',
+        'mimeType' => 'text/plain',
+        'size' => 6,
+        'error' => 0,
+        'path' => '/tmp/column',
+        'content' => base64_encode('column'),
+    ];
+
+    $webhookCall = WebhookCall::create([
+        'name' => 'test',
+        'url' => 'http://example.test/webhook',
+        'headers' => [],
+        'payload' => ['attachments' => ['user-provided']],
+        'attachments' => [$columnAttachment],
+        'exception' => null,
+    ]);
+
+    $attachments = $webhookCall->getAttachments();
+
+    expect($attachments)->toHaveCount(1);
+    expect($attachments[0]->getClientOriginalName())->toBe('column.txt');
+});
+
 it('can retrieve multiple attachments as uploaded file objects', function () {
     Storage::fake('local');
 
diff --git a/tests/WebhookConfigTest.php b/tests/WebhookConfigTest.php
@@ -57,6 +57,24 @@
     expect(fn () => new WebhookConfig($config))->toThrow(InvalidConfig::class);
 });
 
+it('defaults storeAttachments to true when not provided', function () {
+    $config = getValidConfig();
+    unset($config['store_attachments']);
+
+    $webhookConfig = new WebhookConfig($config);
+
+    expect($webhookConfig->storeAttachments)->toBeTrue();
+});
+
+it('respects an explicit storeAttachments value', function () {
+    $config = getValidConfig();
+    $config['store_attachments'] = false;
+
+    $webhookConfig = new WebhookConfig($config);
+
+    expect($webhookConfig->storeAttachments)->toBeFalse();
+});
+
 function getValidConfig(): array
 {
     return [
