Fundraising tech/Message queues

Jump to navigation Jump to search

This page gives an overview of the message queues used to decouple fundraising subsystems. For a description of the message formats, see "Normalized donation messages". See also the Wikitech article on WMF-specific configuration.

Message Queue[edit]

Queues are used to decouple the payments frontend from the CiviCRM server. This is important for several reasonsː it allows us to continue accepting donations even if the backend servers are down, it keeps our private database more secure, and it enforces write-only communication from the payments cluster.

The main data flow is over the donations queue. Completed payment transactions are encoded as JSON and sent over the wire, to be consumed by the queue2civicrm Drupal module and recorded in the CiviCRM database.

Another important queue is the pending queue, which is used both as a key-value store and as a FIFO queue. Before we redirect the donor to a payment processor hosted page or iframe, we record the donor's personal information and push it to the pending queue, where it's consumed to a table indexed by gateway name and transaction ID. We store this information in a temporary fashion rather out of concern for storing data about people who aren't donors. When the donation is entered into the civi database, we search for a corresponding pending message. We delete the message, and merge this information into the completed donation message sent to the regular queue.

However, if control is never returned, then pending db messages will sit around for some time in case the data will become useful again. After about 20 minutes, they become eligible for orphan rectification, currently only applied to Ingenico credit card transactions and PayPal Express Checkout Payments. We attempt to complete settlement on these orders, and if successful, the completed message including pending-provided details is sent to the donations queue. If unsuccessful, the personal information should be purged. All pending information is purged after at most 30 days.

At Wikimedia, we are currently using lists in Redis ( as the queue backend.


Queue Producers Consumers Description
donations payments, py-audit-(paypal,worldpay), listeners crm-queue2civi Primary queue for incoming donations, written to whenever we learn about a successful payment.
donations_recurring crm-audit, py-audit crm-recurring Information about changes in donor monthly subscriptions.
refund-notifications py-audit-(paypal,worldpay) crm-refund incoming IPN notifications that the processor has completed a refund
pending payments SmashPig-job-runner (Adyen), crm-queue2civi (Amazon) Donation methods which use an iframe (GC, Adyen) will leave a message on the pending queue before transferring UI flow to the processor. SmashPig pending queue consumer dumps this to temporary storage used by some IPN listeners and frontends. Messages will either be read from the db table after a fixed time, to complete settlement steps; or upon incoming notification of a status change; or will expire in a short amount of time.
payments-init payments crm-fredge One entry for each transaction that leaves our flow control.
payments-antifraud payments crm-fredge Data on transaction fraud scores
unsubscribe unsubscribe page crm-unsubscribe The FundraisingEmailUnsubscribe module allows donors to opt out of bulk mailings and sends these requests over a queue, to be consumed by the CRM.
banner-history payments crm-banner_history Used to capture correlations between contribution tracking ID and banner history logging ID.
contribution_tracking payments, crm-queue2civi crm-queue2civi, analytics Hybrid write-only log and analytic store.
error logging (completion data) payments crm-audit Syslog, but also mined to reconstruct missing transaction data. TODO: standardize line format, use normalized data and not gateway XML.
banner-impressions wmf-varnish legacy-bannerimpressions-job TODO: Use Kafka client without filesystem layer


Component Operation Queue Description
donatewiki get sequence contribution_tracking Donatewiki is the first stop where we record contribution tracking data. The donor is given a contribution_tracking ID to associate with their cookies.
push contribution_tracking
DI-gateway-generic push payments-init Donation collection frontend, which can create successful donation messages.
push complete
push pending When processing becomes asynchronous or risky, a copy of the transaction is pushed to one of the temporary "pending" queues, usually waiting to integrate some response from a payment provider.
get sequence contribution_tracking
push contribution_tracking
DI-adyen, amazon, astropay set by id pending TODO: Review whether we can just send these messages, with a short expiry or antimessages...
delete by id pending
DI-ingenico set by id globalcollect-cc-limbo, limbo
delete by id globalcollect-cc-limbo, limbo
Ingenico orphan rectifier peek globalcollect-cc-limbo A script that attempts to "rectify" the orphaned message by settling at the gateway, for messages older than 5 minutes.
delete by id globalcollect-cc-limbo
crm-audit, py-audit push donations, donations_recurring, refund Historical sources of payment events.
crm-audit search by id error_logs This funky feature is to pull otherwise unconsumed information about failed transactions back into memory, to gather context for incoming notifications.
SP-listener-generic push inflight A mini-pending arrangement for transactional processing.
delete by id inflight
push donations, refund Source of payment events.
SP-job-runner-generic pop job-requests Run from the job queue.
SP-listener-adyen push job-requests
delete by id pending
SP-adyen-process capture job get by id pending
push payments-antifraud
SP-adyen-record capture job get by id pending
push donations
SP-expiration-job archive by age pending - 20 days

limbospecial - 9

verified_damaged - 14

recurring_damaged - 14

refund_damaged - 14

donations_gc_garbage - 1

AMQ Old Message Consume. TODO: make intrisic to the messages.
legacy-listener-paypal push pending_paypal_recurring Old dirty bare PHP, still in service. Deprecate!
q2c-banner history pop banner-history Import banner history log-donation id correlations.
q2c-donations pop donations The main consumer is the queue2civi job, which reads from the donations queue and stores in our CRM database.
get by id pending Pull in completion message data and merge.
delete by id pending Drop completion message once consumed.
q2c-fredge pop payments-antifraud, payments-init Import statistics
q2c-generic reject move * to *-damaged Certain types of error cause a message to be shunted to a damaged stream, to be analyzed and possibly corrected.
q2c-recurring pop donations_recurring Q2C module
q2c-refund pop refund-notifications Q2C module to record refund notifications, marking the affected contribution
q2c-unsubscribe pop unsubscribe (mostly unused) Decouples the mailing list unsubscribe UI from the
DI-recurring-ingenico push payments-init Make monthly charges. TODO: Should we push to the donations queue as well, and even the recurring events stream if we failban?
crm-damaged-browser peek multiple *-damaged TODO: write human review policies.
push * (not damaged)
delete by id *-damaged
analytics query by all indexes contribution_tracking TODO: should be decoupled from frontend event log

Overhaul 2016[edit]

See the main article: Fundraising Queue Overhaul.