Skip to content

fix(webhooks): harden audited provider triggers #3997

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
waleedlatif1 merged 23 commits into from
Apr 7, 2026
Merged

fix(webhooks): harden audited provider triggers #3997

Changes from 1 commit
Commits
Show all changes
23 commits
Select commit Hold shift + click to select a range
2e89fe5
fix(triggers): apply webhook audit follow-ups
waleedlatif1 Apr 6, 2026
bb716bb
fix(webhooks): Salesforce provider handler, Zoom CRC and block wiring
waleedlatif1 Apr 6, 2026
0ddc769
fix(webhooks): harden Resend and Linear triggers (idempotency, auth, …
waleedlatif1 Apr 6, 2026
e9618d9
fix(webhooks): harden Vercel and Greenhouse trigger handlers
waleedlatif1 Apr 6, 2026
317d4ab
fix(gong): JWT verification, trigger UX, alignment script
waleedlatif1 Apr 6, 2026
729667a
fix(notion): align webhook lifecycle and outputs
waleedlatif1 Apr 6, 2026
e79c556
fix(webhooks): tighten remaining provider hardening
waleedlatif1 Apr 7, 2026
23ccc9b
refactor(webhooks): move subscription helpers out of providers
waleedlatif1 Apr 7, 2026
e000c5b
fix(zoom): resolve env-backed secrets during validation
waleedlatif1 Apr 7, 2026
b50a902
fix build
waleedlatif1 Apr 7, 2026
732755a
consolidate tests
waleedlatif1 Apr 7, 2026
7c31044
refactor(salesforce): share payload object type parsing
waleedlatif1 Apr 7, 2026
41b0348
fix(webhooks): address remaining review follow-ups
waleedlatif1 Apr 7, 2026
cae9c8b
test(webhooks): separate Zoom coverage and clean Notion output shape
waleedlatif1 Apr 7, 2026
a305fc2
feat(triggers): enrich Vercel and Greenhouse webhook output shapes
waleedlatif1 Apr 7, 2026
3e29341
feat(webhooks): enrich Resend trigger outputs; clarify Notion output …
waleedlatif1 Apr 7, 2026
5148936
feat(webhooks): enrich Zoom and Gong trigger output schemas
waleedlatif1 Apr 7, 2026
0600c90
feat(triggers): enrich Salesforce and Linear webhook output schemas
waleedlatif1 Apr 7, 2026
1cd27d8
remove from mdx
waleedlatif1 Apr 7, 2026
e0580f7
chore(webhooks): expand trigger alignment coverage
waleedlatif1 Apr 7, 2026
3e7a046
updated skills
waleedlatif1 Apr 7, 2026
d3fcf04
updated file naming semantics
waleedlatif1 Apr 7, 2026
2897ce1
rename file
waleedlatif1 Apr 7, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
fix(zoom): resolve env-backed secrets during validation 
Use the same env-aware secret resolution path for Zoom endpoint validation as regular delivery verification so URL validation works correctly when the secret token is stored via env references.

Made-with: Cursor
  • Loading branch information
@waleedlatif1
waleedlatif1 committed Apr 7, 2026
commit e000c5bd60cf8ed3f11f2d2bd1183d73fa1d77e4
55 changes: 45 additions & 10 deletions apps/sim/lib/webhooks/providers/zoom.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,11 @@
import crypto from 'crypto'
import { db, webhook } from '@sim/db'
import { db, webhook, workflow } from '@sim/db'
import { createLogger } from '@sim/logger'
import { and, eq } from 'drizzle-orm'
import type { NextRequest } from 'next/server'
import { NextResponse } from 'next/server'
import { safeCompare } from '@/lib/core/security/encryption'
import { resolveEnvVarsInObject } from '@/lib/webhooks/env-resolver'
import type {
AuthContext,
EventMatchContext,
Expand Down Expand Up @@ -47,6 +48,46 @@ export function validateZoomSignature(
}
}

async function resolveZoomChallengeSecrets(
path: string,
requestId: string
): Promise<Array<{ secretToken: string }>> {
const rows = await db
.select({
providerConfig: webhook.providerConfig,
userId: workflow.userId,
workspaceId: workflow.workspaceId,
})
.from(webhook)
.innerJoin(workflow, eq(webhook.workflowId, workflow.id))
.where(and(eq(webhook.path, path), eq(webhook.provider, 'zoom'), eq(webhook.isActive, true)))

const resolvedRows = await Promise.all(
rows.map(async (row) => {
const rawConfig =
row.providerConfig &&
typeof row.providerConfig === 'object' &&
!Array.isArray(row.providerConfig)
? (row.providerConfig as Record<string, unknown>)
: {}

try {
const config = await resolveEnvVarsInObject(rawConfig, row.userId, row.workspaceId)
const secretToken = typeof config.secretToken === 'string' ? config.secretToken : ''
return { secretToken }
} catch (error) {
logger.warn(`[${requestId}] Failed to resolve Zoom webhook secret for challenge`, {
error: error instanceof Error ? error.message : String(error),
path,
})
return { secretToken: '' }
}
})
)

return resolvedRows.filter((row) => row.secretToken)
}

export const zoomHandler: WebhookProviderHandler = {
verifyAuth({ request, rawBody, requestId, providerConfig }: AuthContext) {
const secretToken = providerConfig.secretToken as string | undefined
Expand Down Expand Up @@ -166,22 +207,16 @@ export const zoomHandler: WebhookProviderHandler = {
const bodyForSignature =
rawBody !== undefined && rawBody !== null ? rawBody : JSON.stringify(body)

let rows: { providerConfig: unknown }[] = []
let rows: Array<{ secretToken: string }> = []
try {
rows = await db
.select({ providerConfig: webhook.providerConfig })
.from(webhook)
.where(
and(eq(webhook.path, path), eq(webhook.provider, 'zoom'), eq(webhook.isActive, true))
)
rows = await resolveZoomChallengeSecrets(path, requestId)
} catch (err) {
logger.warn(`[${requestId}] Failed to look up webhook secret for Zoom validation`, err)
return null
}

for (const row of rows) {
const config = row.providerConfig as Record<string, unknown> | null
const secretToken = (config?.secretToken as string) || ''
const secretToken = row.secretToken
if (
secretToken &&
validateZoomSignature(secretToken, signature, timestamp, bodyForSignature)
Expand Down
Loading