feat: add custom headers and data unflattening to webhook actions

[jignaciopm]

This PR introduces several improvements to the post_to_webhook_url action to make it more flexible when integrating with third-party services (like Accredible, Make, or custom APIs) that require specific headers or nested JSON structures.

Key Changes

1. Custom HTTP Headers

Users can now define a headers object in their trigger settings. This is crucial for services requiring API Keys or Bearer tokens.

• Example Config: "headers": {"Authorization": "Token secret_abc"}

2. Data Unflattening (unflatten_data)

Many 3rd party services expect nested JSON rather than flat "dot-notated" strings. We've added a utility that transforms:
{"user.email": "test@test.com"} {"user": {"email": "test@test.com"}}

3. Course Context Injection

By setting use_course_information: true, the webhook will now resolve and include the full course object in the context, even if the initial trigger only provided certificate data.

Technical Details

• Added unflatten_dict to utils.py with support for custom delimiters.
• Refactored get_certificate to avoid code duplication in actions.py.
• Added defensive checks to ensure backward compatibility for triggers without the new settings.

Testing Executed

• Unit Tests: Added test_post_to_webhook_url_with_custom_headers to verify header injection.
• Utility Tests: Added test_unflatten_dict_default_delimiter and test_unflatten_dict_custom_delimiter to ensure the recursion logic is sound.
• Integration: Verified that unflatten_dict correctly handles leaf-node assignment via setdefault.

Testing instructions

Environment Setup:

• Ensure the eox-hooks plugin is installed.
• Configure a tenant or microsite with the following EOX_HOOKS_DEFINITIONS:

"post_certificate_creation": {
        "action": "post_to_webhook_url",
        "config": {
            "fields": {
                "credential.recipient.id": "certificate.user.id",
                "credential.recipient.name": "certificate.user.pii.name",
                "credential.recipient.email": "certificate.user.pii.email",
                "credential.group_id": "course.number",
                "credential.issued_on": "metadata.time",
                "credential.custom_attributes.course_id": "course.id",
                "credential.custom_attributes.course_name": "course.name",
                "credential.custom_attributes.course_key": "certificate.course.course_key",
                "credential.custom_attributes.certificate_name": "certificate.name",
            },
            "send_certificate_data": false,
            "url": "https://api.accredible.com/v1/credentials",
            "use_course_information": true,
            "unflatten_data": true,
            "headers": {
                "Authorization": "Token ..."
            }
        },
        "fail_silently": false,
        "module": "eox_hooks.actions"
    }

Manual Test:

• Trigger the configured event (e.g., generate a certificate for a learner).

• Check the receiving end (e.g., Webhook.site) to verify that the incoming request contains both the Authorization and X-Custom-Header headers.

Automated Tests:

Run the updated unit tests:

make test-python

Confirm that test_post_to_webhook_url_with_custom_headers and test_post_to_webhook_url_without_headers_in_config pass successfully.

Additional information

• Dependencies: This change does not depend on other repositories.
• Security: Headers are managed via tenant configuration, allowing for secure API Key management outside of the source code.
• Limitations: The payload format remains application/x-www-form-urlencoded by default to avoid breaking existing integrations.

Checklist for Merge

• Tested in a remote environment
• Updated documentation
• Rebased master/main
• Squashed commits

[magajh]

LGTM! If we’ve tested this on a remote instance and are confident it works as expected, then we can close this PR.

@jignaciopm we need to update the changelog entry and bump the plugin version. I'll leave my approval once those changes are pushed