Retry webhook on DB errors

[elias-ba]

Description

Adds resilient webhook processing: WebhooksController#create now retries transient database connection errors using a new Lightning.Retry helper with exponential backoff and optional jitter. Retry behavior is configurable via Lightning.Config.webhook_retry (optionally set by WEBHOOK_RETRY_* env vars). If retries are exhausted, the endpoint returns 503 Service Unavailable with a Retry-After header based on the configured timeout_ms.

Closes #3097

Validation steps

Postgres controls I used (macOS packaged Postgres 17):

# start
sudo -u postgres /Library/PostgreSQL/17/bin/pg_ctl \
  -D /Library/PostgreSQL/17/data start -m fast

# stop
sudo -u postgres /Library/PostgreSQL/17/bin/pg_ctl \
  -D /Library/PostgreSQL/17/data stop -m fast

1. Start app and DB

• Start Postgres (cmd above)
• Start the Phoenix app

2. Create a workflow and copy its webhook URL
   (Any workflow with a webhook trigger is fine.)

3. Happy path still works

curl -i -X POST <webhook_url> \
  -H 'content-type: application/json' \
  -d '{}'

Expected: 200 OK with body like:

{"work_order_id":"<uuid>"}

4. Configure retry via .env and restart the app

Create or edit .env in the project root:

WEBHOOK_RETRY_MAX_ATTEMPTS=3
WEBHOOK_RETRY_INITIAL_DELAY_MS=100
WEBHOOK_RETRY_TIMEOUT_MS=5000   # 5s total retry budget → Retry-After=5
WEBHOOK_RETRY_JITTER=false      # optional; keeps timings deterministic

Reload env and start the server (bash/zsh):

env $(cat .env | grep -v "#" | xargs) iex -S mix phx.server

5. Simulate DB outage

Stop Postgres (cmd above).

6. POST while DB is down → controller returns 503 + Retry-After

curl -i -X POST <webhook_url> \
  -H 'content-type: application/json' \
  -d '{}'

Expected:

• Status: 503 Service Unavailable
• Header: Retry-After: 5
• Body:

{
  "error": "service_unavailable",
  "message": "Unable to process request due to temporary database issues. Please try again in 5s.",
  "retry_after": 5
}

7. Plug path also returns 503 when lookup fails (DB still down)

Hit the same endpoint again (or any valid /i/:id):

curl -i -X POST <webhook_url> -H 'content-type: application/json' -d '{}'

Expected (from WebhookAuth plug):

• Status: 503 Service Unavailable
• Header: Retry-After: 5
• Body:

{
  "error": "service_unavailable",
  "message": "Temporary database issue during webhook lookup. Please retry in 5s.",
  "retry_after": 5
}

8. Recovery: request eventually succeeds if DB comes back before timeout

• With DB still stopped, run the POST from step 3 in one terminal.
• Quickly start Postgres in another terminal within 5s (the configured timeout_ms).
• The in-flight request should complete with 200 and a work_order_id (no 503).

9. Regression checks (unchanged behavior)

• GET <webhook_url> → 200 with “Make a POST request…” message.
• Send unsupported media type:

curl -i -X POST <webhook_url> \
  -H 'content-type: text/xml' -d '{}'

Expected: 415 Unsupported Media Type with {"error":"Unsupported Media Type"}.

10. (Optional) Observe logs

Run the POST from step 6 with the DB down and check the app logs. You should see lines like:

• retry sleeping attempt=... delay_ms=...
• retry exhausted attempts=...
• or, on success after a retry: retry succeeded after ... attempts

Additional notes for the reviewer

• Idle timeout: Default is now max(60_000, retry_timeout_ms + 15_000) to avoid the HTTP connection closing while webhook DB retries are in progress.

• Error shape (limits): Rate/usage limit responses now include an error code and message.

  • 402 → {"error":"runs_hard_limit","message":"Runs limit exceeded"}
  • 429 → {"error":"too_many_requests","message":"Too many runs in the last minute"}

• Telemetry: Lightning.Retry emits :start, :attempt, :stop, :exhausted, :timeout under [:lightning, :retry, ...].

• Docs & envs: DEPLOYMENT.md and .env.example document WEBHOOK_RETRY_*.

• Backwards compatibility: If no WEBHOOK_RETRY_* envs are set, sensible defaults apply; existing behavior remains unchanged.

AI Usage

Please tick what applies for this PR:

• Code generation (copilot but not intellisense)
• Learning or fact checking
• Strategy / design
• Optimisation / refactoring
• Translation / spellchecking / doc gen
• Other
• I have not used AI

You can read more details in our Responsible AI Policy

Pre-submission checklist

• I have performed a self-review of my code.
• I have implemented and tested all related authorization policies (N/A for this change; controller path already guarded).
• I have updated the changelog.
• I have ticked a box in "AI usage" in this PR.

[codecov]

Codecov Report

❌ Patch coverage is 94.83871% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.89%. Comparing base (ecbe7d0) to head (dd9687f).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
lib/lightning/retry.ex	92.04%	7 Missing ⚠️
lib/lightning_web/utils.ex	93.33%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3528      +/-   ##
==========================================
+ Coverage   89.86%   89.89%   +0.03%     
==========================================
  Files         380      381       +1     
  Lines       15469    15609     +140     
==========================================
+ Hits        13901    14032     +131     
- Misses       1568     1577       +9     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[midigofrank]

Hey @elias-ba , great job, I mostly have questions here.

1. Did you consider that if max_retries=5 then we could potentially retry 10 times since we're retrying twice?
2. Now that we're capturing the DBConnection exception, will our monitoring services ever pick it up? (sentry, prometheus ..)
3. I'm surprised that the WebhookAuth plug was placed after Plug.Parsers all along. Great catch, I wonder if there was a reason it was moved later. Here is the original commit that you did which placed it before Plug.Parsers. Could you please double check as to why this was changed?
4. I see you've updated the error response payload, I have a feeling this might break workflows else where. I'm okay with it but could you just check with the implementation team to see if they ever match on the error response?
5. Did you verify that these changes work okay on the billing app?

[rorymckinley]

I still need to do the manual tests (and look at some of the tests around bootstrap and config) but I am afraid I have run out of brain today and I don't want to take the chance that GH eats today's work overnight.

I flagged some cases in Lightning.Retry where some transformations of configuration values do not have test coverage (e.g. in next_base_delay). That stuff is tricky to test so you need to decide if it is worth the effort. If you do think so, I would suggest putting all of that sort of stuff into a module of its own - that way you can measure the changes made to config settings by looking directly at the output of the transformation rather than having to try and figure it out from retry behaviour.

[rorymckinley]

Some of these transformations do not appear to have test coverage, e.g.

[rorymckinley]

The "normalisation" of the jitter does not appear to have test coverage:

[rorymckinley]

The min and application of config.backoff_factor do not appear to have test coverage.

[rorymckinley]

For the first implementation of this, it feels like we have a lot of knobs that we can fiddle with - my bias is towards wondering if there is space for a simpler implementation that allows us to iterate towards the additional complexity as we see what is required?

[rorymckinley]

I am trying to decide why this feels weird. I am not sure if you are familiar with the concept of "layering" as suggested by Eric Evans but this feels like it might reversing a pattern, here.

I.e. in my head, I think of the "layers" within how config gets accessed as follows:

Other application code
|_ Lightning.Config
|_ stuff in bootstrap

And by referring to Lightning.Config inside it bootstrap, it feels like we are reversing that 'layering' (quotes because it has been a long time since I read the DDD book so I may be mangling it :). Especially as Lightning.Config overrides the 'default_webhook_retry` values unconditionally?

As a rule of thumb I try to avoid this kind of stuff as it can get me into trouble, but it is subjective.

[rorymckinley]

Given that this happens unconditionally, could we not just set defaults in bootstrap and do away with default_webhook_retry ? That seems to be a pattern that is quite common?

[rorymckinley]

Does Mimic allow matching of arguments passed to the method being mocked? If not, I imagine you could perhaps do pattern matching in the function that handles the response?

For me, when I am writing a test where the code is calling another function, the two questions I want answered are:

• Does the code I am testing call the method correctly?
• Does the code I am testing do the right thing with the method response?

I think we may be missing coverage of the former, so it would be great if we could use Mimic for that.

[rorymckinley]

In cases where I am testing code that is performing a lookup, I like to have "negative" examples if it is cheap to do so - e.g. at least one other instance of trigger (in this case) that I am not interested to try and offer some reassurance that my code will still work when there is more than one instance of the thing that I am looking for (i.e. the way things would be in a non-test env).

[rorymckinley]

Hey Jambaar! Round 2 done - more silly questions. I just need to run the manual tests and then I am done :).

[rorymckinley]

Is there an advantage to using {Config, opts} instead of @opts_key? Or @config_key, @import_key?

[rorymckinley]

Nice! Given that it these helpers re only used in a single block of tests, how would you feel about moving the method definitions to be closer to the tests that use them?

[rorymckinley]

Also, is it worth extending this method a little bit so that we can also use it in the setup block?

[rorymckinley]

Nice - although someone should add a compact method for Elixir! :P

Is there any readability value to code-golfing this to extend the pipeline into a cond to replace the if?

[rorymckinley]

There seems to be a lot of overlap between this and Retry.build_config? Is there a case to be made for deferring the normalisation to build_config?

[rorymckinley]

TIL - thanks, very cool!

[rorymckinley]

This appears to be a duplicate of default_retry_check - what if we made retriable_error? the default for retriable_on, then you would need one less argument in the two current calls?

[rorymckinley]

Jerejef @elias-ba - manual tests done - all looks good. Great job - none of my comments are showstoppers, so feel free to implement any/none of the suggestions :) - I am going to approve in the meantime so that I do not block you, but happy to do follow-ups if you require!

[rorymckinley]

@elias-ba Almost, forgot! This: Telemetry: Lightning.Retry emits :start, :attempt, :stop, :exhausted, :timeout under [:lightning, :retry, ...]. is awesome! Could you point me to the code where there is happening, I would love to surface this in Grafana :)

[elias-ba]

Hey @midigofrank I handled most of your change requests / questions. Thanks a lot for your eagle eyes on this. This is really great. Here are few responses to your general questions

1. Each call to Retry.with_webhook_retry/2 has its own cap. We run two separate retry loops in a request: one for auth lookup in the plug, one for create_workorder in the controller. So the same DB operation is never retried twice; we just have two different operations that can each retry up to max_attempts (default 5). Worst case per request you’ll see up to 5 failed auth lookups and up to 5 failed work-order creations, not 10 for the same step. The DB driver’s own reconnects don’t change that cap; they just influence how a single attempt behaves internally.

2. Thanks for the catch, you’re right, we weren’t surfacing those because Retry rescues DBConnection.ConnectionError, so PlugCapture never saw them. I’ve pushed a change: we now explicitly capture exhausted retries to Sentry in the 503 path, and emit telemetry for the retry lifecycle plus a webhook.db_unavailable event for PromEx. This restores monitoring without spamming (only on exhaustion) and keeps payloads minimal. cc @rorymckinley

3. Did a quick check, and this has no implication. We can safely place WebhookAuth before Replug. The switch noted in Replace use of Application.get_env in Endpoint module #1541 was probably accidental.

4. Nice catch, I restored the "Webhook not found" error

5. Verified and all good on the billing app, as it should be. This has no implication in anything that would break the billing app

[elias-ba]

@elias-ba Almost, forgot! This: Telemetry: Lightning.Retry emits :start, :attempt, :stop, :exhausted, :timeout under [:lightning, :retry, ...]. is awesome! Could you point me to the code where there is happening, I would love to surface this in Grafana :)

Hey @rorymckinley sorry that commit about telemetry never got into this PR, I am happy you asked. You can find all the telemetry events now in this commit