Refactor: Update QBO connection handling to use QboConnectionService for consistency across services and controllers

2026-04-02 08:21:57 -04:00 · 2026-03-01 00:27:06 -05:00
parent 5a662f67b8
commit ed111fefe7
22 changed files with 232 additions and 112 deletions
--- a/app/controllers/estimate_controller.rb
+++ b/app/controllers/estimate_controller.rb
@@ -65,7 +65,7 @@ class EstimateController < ApplicationController

  # Renders the estimate PDF or redirects with an error if rendering fails.
  def render_pdf(estimate)
-    pdf, ref = EstimatePdfService.new(qbo: Qbo.first).fetch_pdf(doc_ids: [estimate.id])
+    pdf, ref = EstimatePdfService.new(qbo: QboConnectionService.current!).fetch_pdf(doc_ids: [estimate.id])
    send_data( pdf, filename: "estimate #{ref}.pdf", disposition: :inline, type: "application/pdf" )
  rescue StandardError => e
    log "PDF render failed for Estimate #{estimate&.id}: #{e.message}"
--- a/app/controllers/invoice_controller.rb
+++ b/app/controllers/invoice_controller.rb
@@ -18,7 +18,7 @@ class InvoiceController < ApplicationController
    log "Processing request for #{request.original_url}"

    invoice_ids = Array(params[:invoice_ids] || params[:id])
-    pdf, ref = InvoicePdfService.new(qbo: Qbo.first).fetch_pdf(doc_ids: invoice_ids)
+    pdf, ref = InvoicePdfService.new(qbo: QboConnectionService.current!).fetch_pdf(doc_ids: invoice_ids)

    send_data pdf, filename: "invoice #{ref}.pdf", disposition: :inline, type: "application/pdf"

--- a/app/controllers/qbo_controller.rb
+++ b/app/controllers/qbo_controller.rb
@@ -9,128 +9,66 @@
 #THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

 class QboController < ApplicationController
-  
-  require 'openssl'
-  
  include AuthHelper

  before_action :require_user, except: :webhook
-  skip_before_action :verify_authenticity_token, :check_if_login_required, only: [:webhook]
+  skip_before_action :verify_authenticity_token, :check_if_login_required, only: :webhook

-  def allowed_params
-    params.permit(:code, :state, :realmId, :id)
-  end
-
-  #
-  # Called when the user requests that Redmine to connect to QBO
-  #
+  # Initiates the OAuth authentication process by redirecting the user to the QuickBooks authorization URL. The callback URL is generated based on the application's settings and routes.
  def authenticate
-    redirect_uri = "#{Setting.protocol}://#{Setting.host_name + qbo_oauth_callback_path}"
-    log "redirect_uri: #{redirect_uri}"
-    oauth2_client = Qbo.construct_oauth2_client
-    grant_url = oauth2_client.auth_code.authorize_url(redirect_uri: redirect_uri, response_type: "code", state: SecureRandom.hex(12), scope: "com.intuit.quickbooks.accounting")
-    redirect_to grant_url
+    redirect_to QboOauthService.authorization_url(callback_url: callback_url)
  end

-  #
-  # Called by QBO after authentication has been processed
-  #
+  # Handles the OAuth callback from QuickBooks. Exchanges the authorization code for access and refresh tokens, saves the connection details, and redirects to the sync page with a success notice. If any error occurs during the process, logs the error and redirects back to the plugin settings page with an error message.
  def oauth_callback
-    if params[:state].present?
-      oauth2_client = Qbo.construct_oauth2_client
-      # use the state value to retrieve from your backend any information you need to identify the customer in your system
-      redirect_uri = "#{Setting.protocol}://#{Setting.host_name + qbo_oauth_callback_path}"
-      if resp = oauth2_client.auth_code.get_token(params[:code], redirect_uri: redirect_uri)
+    QboOauthService.exchange!(code: params[:code], callback_url: callback_url, realm_id: params[:realmId])

-        # Remove the last authentication information
-        Qbo.delete_all
-        
-        # Save the authentication information 
-        qbo = Qbo.new
-        qbo.update(oauth2_access_token: resp.token, oauth2_refresh_token: resp.refresh_token, realm_id: params[:realmId])
-        qbo.refresh_token!
-        
-        if qbo.save!
    redirect_to qbo_sync_path, flash: { notice: I18n.t(:label_connected) }
-        else
+
+  rescue StandardError => e
+    log "OAuth failure: #{e.message}"
    redirect_to plugin_settings_path(:redmine_qbo), flash: { error: I18n.t(:label_error) }
  end

-      end
-    end
-  end
-  
-  # Manual Billing
+  # Manual billing endpoint to trigger the billing process for a specific issue. Validates the issue and its associations, enqueues a job to bill the issue's time entries, and redirects back to the issue with a notice. If validation fails, redirects back with an error message.
  def bill
    issue = Issue.find_by(id: params[:id])
-    return render_404 unless issue
-
-    unless issue.customer
-      redirect_to issue, flash: { error: I18n.t(:label_billing_error_no_customer) }
-      return
-    end
-
-    unless issue.assigned_to&.employee_id.present?
-      redirect_to issue, flash: { error: I18n.t(:label_billing_error_no_employee) }
-      return
-    end
-
-    unless Qbo.first
-      redirect_to issue, flash: { error: I18n.t(:label_billing_error_no_qbo) }
-      return
-    end
+    BillingValidator.validate!(issue)

    BillIssueTimeJob.perform_later(issue.id)

    redirect_to issue, flash: {
-      notice: I18n.t(:label_billing_enqueued) + " #{issue.customer.name}"
+      notice: "#{I18n.t(:label_billing_enqueued)} #{issue.customer.name}"
    }
+
+  rescue StandardError => e
+    redirect_to issue || root_path, flash: { error: e.message }
  end

-  #
-  # Synchronizes the QboCustomer table with QBO
-  #
+  # Manual sync endpoint to trigger a full synchronization of QuickBooks entities with the local database. Enqueues all relevant sync jobs and redirects to the home page with a notice that syncing has started.
  def sync
-    log "Syncing EVERYTHING"
-
-    CustomerSyncJob.perform_later(full_sync: true)
-    EstimateSyncJob.perform_later(full_sync: true)
-    InvoiceSyncJob.perform_later(full_sync: true)
-    EmployeeSyncJob.perform_later(full_sync: true)
-
+    QboSyncDispatcher.full_sync!
    redirect_to :home, flash: { notice: I18n.t(:label_syncing) }
  end

-  # QuickBooks Webhook Callback
+  # Endpoint to receive QuickBooks webhook notifications. Validates the request and processes the payload to sync relevant data to Redmine. Responds with appropriate HTTP status codes based on success or failure of processing.
  def webhook
-    log "Webhook received"
-
-    signature = request.headers['intuit-signature']
-    key       = Setting.plugin_redmine_qbo['settingsWebhookToken']
-    body      = request.raw_post
-
-    digest = OpenSSL::Digest.new('sha256')
-    computed = Base64.strict_encode64(OpenSSL::HMAC.digest(digest, key, body))
-
-    unless secure_compare(computed, signature)
-      log "Invalid webhook signature"
-      head :unauthorized
-      return
-    end
-
-    WebhookProcessJob.perform_later(body)
-
+    QboWebhookProcessor.process!(request: request)
    head :ok
+
+  rescue StandardError => e
+    log "Webhook failure: #{e.message}"
+    head :unauthorized
  end

  private

-  # Securely compare two strings to prevent timing attacks. Returns false if either string is blank or if they do not match.
-  def secure_compare(a, b)
-    return false if a.blank? || b.blank?
-    ActiveSupport::SecurityUtils.secure_compare(a, b)
+  # Constructs the OAuth callback URL based on the application's settings and routes. This URL is used during the OAuth flow to redirect users back to the application after authentication with QuickBooks.
+  def callback_url
+    "#{Setting.protocol}://#{Setting.host_name}#{qbo_oauth_callback_path}"
  end

+  # Logs messages with a consistent prefix for easier debugging and monitoring.
  def log(msg)
    Rails.logger.info "[QboController] #{msg}"
  end
--- a/app/jobs/bill_issue_time_job.rb
+++ b/app/jobs/bill_issue_time_job.rb
@@ -27,7 +27,7 @@ class BillIssueTimeJob < ActiveJob::Base
      return if totals.blank?
      log "Aggregated hours for billing: #{totals.inspect}"

-      qbo = Qbo.first
+      qbo = QboConnectionService.current!
      raise "No QBO configuration found" unless qbo

      qbo.perform_authenticated_request do |access_token|
@@ -58,6 +58,7 @@ class BillIssueTimeJob < ActiveJob::Base
  # Create TimeActivity records in QBO for each activity type with the appropriate hours and link them to the issue's assigned employee and customer
  def create_time_activities(issue, totals, access_token, qbo)
    log "Creating TimeActivity records in QBO for issue ##{issue.id}"
+   
    time_service = Quickbooks::Service::TimeActivity.new(
      company_id: qbo.realm_id,
      access_token: access_token
@@ -66,8 +67,8 @@ class BillIssueTimeJob < ActiveJob::Base
    item_service = Quickbooks::Service::Item.new(
      company_id: qbo.realm_id,
      access_token: access_token
-    )

+      )
    totals.each do |activity_name, hours_float|
      next if activity_name.blank?
      next if hours_float.to_f <= 0
--- a/app/jobs/customer_sync_job.rb
+++ b/app/jobs/customer_sync_job.rb
@@ -14,7 +14,7 @@ class CustomerSyncJob < ApplicationJob

  # Perform a full sync of all customers, or an incremental sync of only those updated since the last sync
  def perform(full_sync: false, id: nil)
-    qbo = Qbo.first
+    qbo = QboConnectionService.current!
    raise "No QBO configuration found" unless qbo

    log "Starting #{full_sync ? 'full' : 'incremental'} sync for customer ##{id || 'all'}..."
--- a/app/jobs/employee_sync_job.rb
+++ b/app/jobs/employee_sync_job.rb
@@ -14,7 +14,7 @@ class EmployeeSyncJob < ApplicationJob

  # Performs a sync of employees from QuickBooks Online.
  def perform(full_sync: false, id: nil)
-    qbo = Qbo.first
+    qbo = QboConnectionService.current!
    raise "No QBO configuration found" unless qbo

    log "Starting #{full_sync ? 'full' : 'incremental'} sync for employee ##{id || 'all'}..."
--- a/app/jobs/estimate_sync_job.rb
+++ b/app/jobs/estimate_sync_job.rb
@@ -14,7 +14,7 @@ class EstimateSyncJob < ApplicationJob

  # Performs a sync of estimates from QuickBooks Online.
  def perform(full_sync: false, id: nil, doc_number: nil)
-    qbo = Qbo.first
+    qbo = QboConnectionService.current!
    raise "No QBO configuration found" unless qbo

    log "Starting #{full_sync ? 'full' : 'incremental'} sync for estimate ##{id || doc_number || 'all'}..."
--- a/app/jobs/invoice_sync_job.rb
+++ b/app/jobs/invoice_sync_job.rb
@@ -14,7 +14,7 @@ class InvoiceSyncJob < ApplicationJob

  # Performs a sync of invoices from QuickBooks Online.
  def perform(full_sync: false, id: nil)
-    qbo = Qbo.first
+    qbo = QboConnectionService.current!
    raise "No QBO configuration found" unless qbo

    log "Starting #{full_sync ? 'full' : 'incremental'} sync for invoice ##{id || 'all'}..."
--- a/app/jobs/qbo_sync_dispatcher.rb
+++ b/app/jobs/qbo_sync_dispatcher.rb
@@ -0,0 +1,24 @@
+#The MIT License (MIT)
+#
+#Copyright (c) 2016 - 2026 rick barrette
+#
+#Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+#
+#The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+#
+#THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+class QboSyncDispatcher
+
+  SYNC_JOBS = [
+    CustomerSyncJob,
+    EstimateSyncJob,
+    InvoiceSyncJob,
+    EmployeeSyncJob
+  ].freeze
+
+  # Dispatches all synchronization jobs to perform a full sync of QuickBooks entities with the local database. Each job is enqueued with the `full_sync` flag set to true.
+  def self.full_sync!
+    SYNC_JOBS.each { |job| job.perform_later(full_sync: true) }
+  end
+end
--- a/app/jobs/qbo_webhook_processor.rb
+++ b/app/jobs/qbo_webhook_processor.rb
@@ -0,0 +1,35 @@
+#The MIT License (MIT)
+#
+#Copyright (c) 2016 - 2026 rick barrette
+#
+#Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+#
+#The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+#
+#THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+class QboWebhookProcessor
+
+  # Processes the incoming QuickBooks webhook request by validating the signature and enqueuing a background job to handle the webhook payload. Raises an error if the signature is invalid.
+  def self.process!(request:)
+    body = request.raw_post
+    signature = request.headers['intuit-signature']
+    secret = Setting.plugin_redmine_qbo['settingsWebhookToken']
+
+    raise "Invalid signature" unless valid_signature?(body, signature, secret)
+
+    WebhookProcessJob.perform_later(body)
+  end
+
+  # Validates the QuickBooks webhook request by computing the HMAC signature and comparing it to the provided signature. Returns false if either the signature or secret is blank, or if the computed signature does not match the provided signature.
+  def self.valid_signature?(body, signature, secret)
+    return false if signature.blank? || secret.blank?
+
+    digest = OpenSSL::Digest.new('sha256')
+    computed = Base64.strict_encode64(
+      OpenSSL::HMAC.digest(digest, secret, body)
+    )
+
+    ActiveSupport::SecurityUtils.secure_compare(computed, signature)
+  end
+end
--- a/app/models/customer.rb
+++ b/app/models/customer.rb
@@ -215,7 +215,7 @@ class Customer < ActiveRecord::Base
  def pull
    begin
      raise Exception unless self.id
-      qbo = Qbo.first
+      qbo = QboConnectionService.current!
      @details = qbo.perform_authenticated_request do |access_token|
        service = Quickbooks::Service::Customer.new(company_id: qbo.realm_id, access_token: access_token)
        service.fetch_by_id(self.id)
--- a/app/models/estimate.rb
+++ b/app/models/estimate.rb
@@ -60,7 +60,7 @@ class Estimate < ActiveRecord::Base
    log "Pulling details for estimate ##{self.id}..."
    begin
      raise Exception unless self.id
-      qbo = Qbo.first
+      qbo = QboConnectionService.current!
      @details = qbo.perform_authenticated_request do |access_token|
        service = Quickbooks::Service::Estimate.new(company_id: qbo.realm_id, access_token: access_token)
        service(:estimate).fetch_by_id(self.id)
--- a/app/models/qbo.rb
+++ b/app/models/qbo.rb
@@ -13,23 +13,34 @@ class Qbo < ActiveRecord::Base
  include QuickbooksOauth
  include Redmine::I18n

+  validate :single_record_only, on: :create
+  
  # Updates last sync time stamp
  def self.update_time_stamp
    date = DateTime.now
    log "Updating QBO timestamp to #{date}"
-    qbo = Qbo.first
+    qbo = QboConnectionService.current!
    qbo.last_sync = date
    qbo.save
  end
  
+  # Returns the last sync time formatted for display. If no sync has occurred, returns a default message.
  def self.last_sync
-    format_time(Qbo.first.last_sync)
+    qbo = QboConnectionService.current!
+    return t(:label_qbo_never_synced) unless qbo&.last_sync
+    format_time(qbo.last_sync)
  end

  private

+  # Logs a message with a QBO-specific prefix for easier identification in the logs.
  def self.log(msg)
    logger.info "[QBO] #{msg}"
  end

+  # Validates that only one QBO connection record exists in the database. Adds an error if a record already exists.
+  def single_record_only
+    errors.add(:base, "Only one QBO connection allowed") if Qbo.exists?
+  end
+
 end
--- a/app/services/billing_Validator.rb
+++ b/app/services/billing_Validator.rb
@@ -0,0 +1,21 @@
+#The MIT License (MIT)
+#
+#Copyright (c) 2016 - 2026 rick barrette
+#
+#Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+#
+#The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+#
+#THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+
+class BillingValidator
+
+  # Validates that the given issue is eligible for billing by checking for the presence of the issue, its associated customer, assigned employee, and an active QBO connection. Raises descriptive errors if any of these conditions are not met.
+  def self.validate!(issue)
+    raise "Issue not found" unless issue
+    raise I18n.t(:label_billing_error_no_customer) unless issue.customer
+    raise I18n.t(:label_billing_error_no_employee) unless issue.assigned_to&.employee_id.present?
+    raise I18n.t(:label_billing_error_no_qbo) unless Qbo.exists?
+  end
+end
--- a/app/services/invoice_push_service.rb
+++ b/app/services/invoice_push_service.rb
@@ -22,7 +22,7 @@ class InvoicePushService

    @invoice.update_column(:qbo_sync_locked, true)

-    qbo = Qbo.first
+    qbo = QboConnectionService.current!

    qbo.perform_authenticated_request do |access_token|
      service = Quickbooks::Service::Invoice.new( company_id: qbo.realm_id, access_token: access_token)
--- a/app/services/qbo_connection_service.rb
+++ b/app/services/qbo_connection_service.rb
@@ -0,0 +1,32 @@
+#The MIT License (MIT)
+#
+#Copyright (c) 2016 - 2026 rick barrette
+#
+#Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+#
+#The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+#
+#THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+class QboConnectionService
+
+  # Replaces the existing QBO connection with new credentials. Deletes all existing records and creates a new one with the provided token, refresh token, and realm ID. Refreshes the token immediately after creation.
+  def self.replace!(token:, refresh_token:, realm_id:)
+    Qbo.transaction do
+      Qbo.destroy_all
+      qbo = Qbo.create!(
+        oauth2_access_token: token,
+        oauth2_refresh_token: refresh_token,
+        realm_id: realm_id
+      )
+      qbo.refresh_token!
+      qbo
+    end
+  end
+
+  # Returns the current QBO connection record. Raises an error if no connection exists.
+  def self.current!
+    Qbo.first || raise("QBO not connected")
+  end
+
+end
--- a/app/services/qbo_oauth_service.rb
+++ b/app/services/qbo_oauth_service.rb
@@ -0,0 +1,33 @@
+#The MIT License (MIT)
+#
+#Copyright (c) 2016 - 2026 rick barrette
+#
+#Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+#
+#The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+#
+#THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+class QboOauthService
+
+  # Generates the QuickBooks OAuth authorization URL with the specified callback URL. The URL includes necessary parameters such as response type, state, and scope.
+  def self.authorization_url(callback_url:)
+    client.auth_code.authorize_url(
+      redirect_uri: callback_url,
+      response_type: "code",
+      state: SecureRandom.hex(12),
+      scope: "com.intuit.quickbooks.accounting"
+    )
+  end
+
+  # Exchanges the authorization code for access and refresh tokens. Creates or replaces the QBO connection record with the new credentials and refreshes the token immediately after creation.
+  def self.exchange!(code:, callback_url:, realm_id:)
+    resp = client.auth_code.get_token(code, redirect_uri: callback_url)
+    QboConnectionService.replace!( token: resp.token, refresh_token: resp.refresh_token, realm_id: realm_id )
+  end
+
+  # Constructs and returns an OAuth2 client instance configured with the application's credentials and settings.
+  def self.client
+    Qbo.construct_oauth2_client
+  end
+end
--- a/app/services/qbo_webhook_verifier_service.rb
+++ b/app/services/qbo_webhook_verifier_service.rb
@@ -0,0 +1,24 @@
+#The MIT License (MIT)
+#
+#Copyright (c) 2016 - 2026 rick barrette
+#
+#Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+#
+#The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+#
+#THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+class QboWebhookVerifierService
+
+  # Validates the QuickBooks webhook request by computing the HMAC signature and comparing it to the provided signature.
+  def self.valid?(body:, signature:, secret:)
+    return false if signature.blank? || secret.blank?
+
+    digest = OpenSSL::Digest.new('sha256')
+    computed = Base64.strict_encode64(
+      OpenSSL::HMAC.digest(digest, secret, body)
+    )
+
+    ActiveSupport::SecurityUtils.secure_compare(computed, signature)
+  end
+end
--- a/app/views/qbo/_settings.html.erb
+++ b/app/views/qbo/_settings.html.erb
@@ -66,12 +66,12 @@ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLI

     <tr>
        <th><%=t(:label_oauth_expires)%></th>
-        <td><%= if Qbo.exists? then Qbo.first.oauth2_access_token_expires_at end %>
+        <td><%= if Qbo.exists? then QboConnectionService.current!.oauth2_access_token_expires_at end %>
      </tr>
      
      <tr>
        <th><%=t(:label_oauth2_refresh_token_expires_at)%></th>
-        <td><%= if Qbo.exists? then Qbo.first.oauth2_refresh_token_expires_at end %>
+        <td><%= if Qbo.exists? then QboConnectionService.current!.oauth2_refresh_token_expires_at end %>
     </tr>

  </tbody>
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -66,6 +66,7 @@ en:
  label_model: "Model"
  label_name: "Name"
  label_new_customer: "New Customer"
+  label_qbo_never_synced: "Never Synced"
  label_no_customers: "There are no customers matching the search term(s)."
  label_no_estimates: "No Estimates"
  label_no_invoices: "No Invoices"