feat: add webhook endpoint for Open edX course enrollment

[Anas12091101]

What are the relevant tickets?

https://github.com/mitodl/hq/issues/1209 > https://github.com/mitodl/hq/issues/10518

Description (What does it do?)

This PR adds a webhook endpoint (api/openedx_webhook/enrollment/) that receives enrollment notifications from Open edX. When a user needs to be enrolled in a course (e.g., staff/instructor role added), the Open edX plugin POSTs the event to MITx Online, which then creates a local enrollment record for the user as an auditor in the corresponding course run (without calling back to Open edX, since the enrollment already exists there).

The endpoint authenticates requests using an OAuth2 Bearer access token (Django OAuth Toolkit / OAuth2Authentication), and handles user/course lookup, idempotent behavior (repeated webhook calls), and appropriate error responses. This enables seamless synchronization of course enrollment state from Open edX into MITx Online.

Screenshots (if appropriate):

• Desktop screenshots
• Mobile width screenshots

How can this be tested?

Prerequisites

• MITx Online running locally (docker compose up)
• Open edX instance running locally (only needed for end-to-end testing with the plugin)
• Create an OAuth2 access token in MITx Online to authorize the webhook requests (Django OAuth Toolkit)

Automated Tests

• Run: docker compose run --rm web uv run pytest openedx/views_test.py -v

Manual Testing via cURL

0. Create/Get an OAuth2 token (MITx Online)

   • Create an access token in Django admin (or via shell) using Django OAuth Toolkit.
   • Use the token value as <ACCESS_TOKEN> below.

1. Successful enrollment (happy path)

   • Create a user and a course run in MITx Online (via admin or shell)
   • Run:

     curl -X POST http://mitxonline.odl.local:9080/api/openedx_webhook/enrollment/ \
       -H "Content-Type: application/json" \
       -H "Authorization: Bearer <ACCESS_TOKEN>" \
       -d '{"email": "<user-email>", "course_id": "<courseware_id>", "role": "instructor"}'

   • Expected: 201 Created with {"message": "Enrollment successful", "enrollment_id": ..., "active": true, "edx_enrolled": true}
   • Verify: In Django admin, confirm a CourseRunEnrollment exists for the user with enrollment_mode=audit

2. Idempotency — already enrolled user

   • Run the same cURL command from step 1 again
   • Expected: 200 OK (should not error; enrollment remains present/active)

3. Missing Authorization header

   • Run:

     curl -X POST http://mitxonline.odl.local:9080/api/openedx_webhook/enrollment/ \
       -H "Content-Type: application/json" \
       -d '{"email": "test@example.com", "course_id": "course-v1:MITx+1.001x+2025_T1", "role": "staff"}'

   • Expected: 401 Unauthorized

4. Invalid/expired token

   • Run:

     curl -X POST http://mitxonline.odl.local:9080/api/openedx_webhook/enrollment/ \
       -H "Content-Type: application/json" \
       -H "Authorization: Bearer invalid-token" \
       -d '{"email": "test@example.com", "course_id": "course-v1:MITx+1.001x+2025_T1", "role": "staff"}'

   • Expected: 401 Unauthorized

5. User not found

   • Run with a non-existent email:

     curl -X POST http://mitxonline.odl.local:9080/api/openedx_webhook/enrollment/ \
       -H "Content-Type: application/json" \
       -H "Authorization: Bearer <ACCESS_TOKEN>" \
       -d '{"email": "nonexistent@example.com", "course_id": "<valid-courseware_id>", "role": "instructor"}'

   • Expected: 404 Not Found

6. Course run not found

   • Run with a non-existent course ID:

     curl -X POST http://mitxonline.odl.local:9080/api/openedx_webhook/enrollment/ \
       -H "Content-Type: application/json" \
       -H "Authorization: Bearer <ACCESS_TOKEN>" \
       -d '{"email": "<valid-email>", "course_id": "course-v1:MITx+FAKE+2025_T1", "role": "instructor"}'

   • Expected: 404 Not Found

7. Missing required fields

   • Run without email:

     curl -X POST http://mitxonline.odl.local:9080/api/openedx_webhook/enrollment/ \
       -H "Content-Type: application/json" \
       -H "Authorization: Bearer <ACCESS_TOKEN>" \
       -d '{"course_id": "course-v1:MITx+1.001x+2025_T1", "role": "staff"}'

   • Expected: 400 Bad Request

8. GET method rejected

   • Run:

     curl http://mitxonline.odl.local:9080/api/openedx_webhook/enrollment/ \
       -H "Authorization: Bearer <ACCESS_TOKEN>"

   • Expected: 405 Method Not Allowed

End-to-End Testing (with Open edX plugin)

• Check the testing instructions here
• Ensure the plugin is configured to send an Authorization: Bearer <ACCESS_TOKEN> header.

Dashboard Fix (null start_date)

• Enroll a user in a course run that has no start date set
• Navigate to the dashboard (/dashboard/)
• Verify: The dashboard loads without errors and the course card shows "Coming Soon" instead of crashing

Additional Context

[github-actions]

OpenAPI Changes

Show/hide ## Changes for v0.yaml:

## Changes for v0.yaml:
No changes detected

## Changes for v1.yaml:
No changes detected

## Changes for v2.yaml:
No changes detected

Unexpected changes? Ensure your branch is up-to-date with main (consider rebasing).

[pdpinch]

How/is this limited to course staff? There are similar use cases for enrolling non-staff as auditors, for example a SPOC or beta-testers

[Anas12091101]

Enrollment in a course run with a null start date was breaking the dashboard page.

[Anas12091101]

How/is this limited to course staff?

Our plugin checks the user’s role first. If it’s admin or staff, it sends the request to the webhook; otherwise, it doesn’t. The logic is implemented here in the plugins PR.

[pdpinch]

Should we make this more generic on the mitxonline side, so it can handle more enrollments and not just staff? Maybe we just need to change the URL of the API.

Also, how does this handle the possibility that a staff is added, but they don't have an account set up in mitxonline for some reason? I think raising an exception would be best.

[Anas12091101]

Should we make this more generic on the mitxonline side, so it can handle more enrollments and not just staff? Maybe we just need to change the URL of the API.

Yes, it's already generic. I'll update the URL in the next commit.

Also, how does this handle the possibility that a staff is added, but they don't have an account set up in mitxonline for some reason? I think raising an exception would be best.

The endpoint returns a 404 response with {"error": "User with email ... not found"} and logs a warning. This behavior is intentional. Returning a 404 (instead of a 500) prevents the Open edX plugin from retrying the request, since it only retries on 5xx responses. In this case, retries would not resolve the issue because the missing account would still not exist.

The 404 is logged on the MITx Online side so we can monitor these cases and investigate further if needed.

[arslanashraf7]

What is this change for? At best, Its is not related to this PR.

[Anas12091101]

Yes, it’s not directly related to this PR. Enrollment in a course run with a null start date was causing the dashboard page to break. As a result, if someone is added as a staff member to a course in MITxOnline without a start date set through the endpoint added in this PR, their dashboard would break without this change.

Would you prefer that I keep this in the current PR, or should I move it to a separate one?

[arslanashraf7]

A separate PR might be better.

[arslanashraf7]

Again, I don't think these changes are related. Could you open a separate PR for these if needed?

[arslanashraf7]

@rhysyngsun what's your opinion on this? Do you think a pre-generated config-based string bearer token is fine here, or should we rather go with a staff OAuth token with expiry, or HMAC maybe (Is it worth it)?

[rhysyngsun]

I would go with a standard OAuth token because there's a few key benefits to that:

• OAuth tokens can quickly be revoked without needing to redeploy
• OAuth tokens can be rotated without downtime

[arslanashraf7]

Sounds good. fyi @Anas12091101

[arslanashraf7]

Maybe not right now, but we may want to move it to ol-django at some point to make it common between other applications that might want to use this API endpoint. I'll re-think more on this.

[arslanashraf7]

Shouldn't be a 500. It should be a 400 instead.

[arslanashraf7]

Is this ever going to happen? Can there be multiple users in the Users table with same email?

[arslanashraf7]

PII caring

Suggested change

	{"error": f"User with email {email} not found"},
	{"error": f"User not found"},

[arslanashraf7]

create_run_enrollments is for creating enrollments for edX as well. In this case, the API request itself is coming from enrollment in edX, so should we call this method? Or create a new one so that we just create a local enrollment upon the Webhook call? Apparently, from the method docstr this is all this method eventually does:

    Creates local records of a user's enrollment in course runs, and attempts to enroll them
    in edX via API.
    Updates the enrollment mode and change_status if the user is already enrolled in the course run
    and now is changing the enrollment mode, (e.g. pays or re-enrolls again or getting deferred)
    Possible cases are:
    1. Downgrade: Verified to Audit via a deferral
    2. Upgrade: Audit to Verified via a payment
    3. Reactivation: Audit to Audit or Verified to Verified via a re-enrollment

So the point is, do we want to go this route? cc: @pdpinch

[arslanashraf7]

Should we do an early return at this point or maybe at the start of the API to make it idempotent? The thing we should ideally do is to check if the enrollment exists in the system, before doing anything else, and if the enrollment does exist already, we may return 409 conflict in that case actually otherwise proceed with whatever needs to happen.

[arslanashraf7]

What will this status be? A false? Because the user would already be enrolled in the course in edX

[Anas12091101]

@arslanashraf7, this is ready for another look. A test is failing but it doesn't seem to be related to the changes in this PR

[arslanashraf7]

The code looks fine, But I'm unable to test it end-to-end with edX. Did you test it end-to-end?

I was able to test using Postman/curl but not when I'm integrated with edX, I get 403 errors while edX tried to enroll the user.

[Anas12091101]

Yes, I tested it end-to-end. It’s most likely a rate-limiting issue, probably caused by the frequent execution of the retry registration task in the MITxOnline Celery workers. The simplest solution would be to temporarily comment out the code here:

https://github.com/openedx/openedx-platform/blob/master/openedx/core/djangoapps/user_authn/views/register.py#L580-L582

[arslanashraf7]

This should only be a staff token-based API call, not just authenticated. The tests should update accordingly.

Suggested change

	@permission_classes([IsAuthenticated])
	@permission_classes([IsAdminUser])

[arslanashraf7]

👍 with a few nits. There is also an openapi check failing.

[arslanashraf7]

nit: Can be a single parametrized test.

[arslanashraf7]

Can be a single parametrized test.

[arslanashraf7]

nit: Can be a single parametrized test.

[arslanashraf7]

nit: Can be a single parametrized test.