Add eBay Browse API integration with daily call quota

eBay marketplaces are now polled through eBay's official Buy > Browse API (client-credentials OAuth2) instead of an Apify scraper actor; Apify still handles Yahoo JP and Mercari. Browse API calls are tracked per day in a new ebay_api_usage table and capped (default 5000, configurable) on eBay's Pacific-time reset clock, so polling halts before the limit is hit. Credentials live in config.toml [ebay] and are overridable via /settings, which also surfaces the day's running call count. Also carries the server.secure_cookies config plumbing (field, accessor, example) consumed by the following commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 12:10:39 -07:00
parent cfa01bd4ef
commit 1ae2c50b9a
12 changed files with 1092 additions and 262 deletions
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -13,13 +13,43 @@ type Config struct {
 	Server    ServerConfig    `toml:"server"`
 	Security  SecurityConfig  `toml:"security"`
 	Apify     ApifyConfig     `toml:"apify"`
+	Ebay      EbayConfig      `toml:"ebay"`
 	Ntfy      NtfyConfig      `toml:"ntfy"`
 	Scheduler SchedulerConfig `toml:"scheduler"`
 }

+// EbayConfig holds credentials for eBay's official Buy > Browse API. When set,
+// eBay marketplaces are polled through the Browse API instead of an Apify
+// scraper actor. ClientID is the App ID and ClientSecret is the Cert ID from
+// the eBay developer keyset. Environment is "production" (default) or
+// "sandbox". Like the Apify key, both credentials can be overridden at
+// runtime via the Settings page.
+type EbayConfig struct {
+	ClientID     string `toml:"client_id"`
+	ClientSecret string `toml:"client_secret"`
+	Environment  string `toml:"environment"`
+	// DailyCallLimit caps Browse API calls per day, on eBay's own quota
+	// clock (midnight US Pacific). Once reached, eBay polling halts until
+	// the next reset. Defaults to 5000 (the standard Browse API allowance).
+	// Set to a negative value to disable the cap.
+	DailyCallLimit int `toml:"daily_call_limit"`
+}
+
 type ServerConfig struct {
 	Port   int    `toml:"port"`
 	DBPath string `toml:"db_path"`
+	// SecureCookies sets the Secure attribute on the session cookie. It must
+	// be true in any deployment reachable over HTTPS — including behind a
+	// TLS-terminating proxy like Traefik, where the browser-facing leg is
+	// HTTPS even though Veola itself speaks plain HTTP. Defaults to true;
+	// set false only for local non-TLS development.
+	SecureCookies *bool `toml:"secure_cookies"`
+}
+
+// UseSecureCookies resolves the SecureCookies setting, defaulting to true when
+// the key is absent from config.
+func (c ServerConfig) UseSecureCookies() bool {
+	return c.SecureCookies == nil || *c.SecureCookies
 }

 type SecurityConfig struct {
@@ -111,6 +141,9 @@ func (c *Config) validate() error {
 	if c.Ntfy.DefaultTopic == "" {
 		c.Ntfy.DefaultTopic = "veola"
 	}
+	if c.Ebay.DailyCallLimit == 0 {
+		c.Ebay.DailyCallLimit = 5000
+	}
 	return nil
 }