fix(webhooks): harden audited provider triggers

[waleedlatif1]

Summary

• harden audited webhook providers across Salesforce, Zoom, Resend, Linear, Vercel, Greenhouse, Gong, and Notion
• add missing provider lifecycle behavior such as server-side event matching, secure verification, retry/idempotency handling, trigger wiring, and runtime/output alignment
• improve provider setup guidance and add targeted tests plus a reusable trigger-alignment script for ongoing audits

Test plan

• Ran targeted webhook/provider tests
• Verified integrated suite passes: 56 tests across provider, processor, route, and idempotency coverage
• Checked lints for touched provider and trigger files
• Reviewed implementation against provider docs during the audit/fix pass
• Full repository test suite not run
• Full repository type-check still has unrelated pre-existing failures outside this scope

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Apr 7, 2026 3:30am

[cursor]

PR Summary

Medium Risk
Touches webhook authentication/challenge handling and provider-specific event matching across multiple integrations, so mistakes could drop or incorrectly accept deliveries. Changes are contained to webhook ingestion/providers with added tests to reduce regression risk.

Overview
Hardens webhook ingestion and provider handlers by passing rawBody into provider challenge handlers (notably Zoom) and tightening provider-level verifyAuth logic (e.g., JWT auth for Gong, timestamp-bound signature checks for Linear, explicit secrets for Resend/Vercel/Salesforce).

Improves correctness and deduplication by adding/standardizing matchEvent behavior (fail-closed on unknown trigger IDs for Linear/Greenhouse, new matchers for Vercel/Notion/Salesforce, Zoom rejects validation payload execution) and expanding idempotency key sources (Svix/Resend, Linear, Greenhouse, plus new per-provider extractIdempotencyId implementations).

Adds Salesforce webhook support and trigger wiring via a new salesforce provider handler, pending-verification support, and trigger config updates (required secrets + optional object filtering). Zoom block is wired to expose available triggers.

Developer tooling/docs: introduces apps/sim/scripts/check-trigger-alignment.ts for provider-specific output vs formatInput alignment checks, updates trigger authoring docs accordingly, and adds targeted provider/unit tests (Gong/Linear/Notion/Vercel/Salesforce/Zoom/Greenhouse/idempotency).

^{Reviewed by Cursor Bugbot for commit 41b0348. Configure here.}

[greptile-apps]

Greptile Summary

This PR hardens webhook provider integrations for Salesforce, Zoom, Resend, Linear, Vercel, Greenhouse, Gong, and Notion. It adds missing lifecycle behaviour — server-side event matching, HMAC/JWT signature verification, retry-safe idempotency, subscription create/delete flows, and standardised output schemas — along with targeted tests and a trigger-alignment audit script.

Key improvements:

• Linear: replay window raised to 5 min (prior review finding resolved), HMAC secret generated on subscription creation, matchEvent filters by resource type/action for v1 triggers
• Vercel: full subscription lifecycle (create + delete), SHA-1 HMAC verification, per-trigger event filtering
• Zoom: CRC challenge handler DB-resolves env-backed secrets; block trigger wiring corrected
• Resend: Svix signing scheme correctly implemented (5-min replay window, base64 secret decode, multi-signature loop)
• Gong: optional RS256 JWT verification with body_sha256 body-integrity and webhook_url URL-binding claims
• Salesforce: shared-secret auth (Bearer + custom header), broad eventType normalisation, stable SHA-256 fallback idempotency fingerprint
• Greenhouse / Notion: HMAC verifiers via createHmacVerifier, event matching, idempotency extraction
• Idempotency service: atomic Redis SET NX and PostgreSQL ON CONFLICT DO NOTHING claims; in-progress polling; 7-day TTL

Findings:

• P1 (utils.ts): createHmacVerifier returns null (grants access) when no secret is configured, causing Greenhouse and Notion webhooks to silently accept any request. Salesforce and Vercel fail closed with 401 — the factory should be consistent.
• P2 (service.ts): IdempotencyResult.previousResult, ProcessingResult.result, and all additionalContext parameters use any instead of unknown, violating the project's TypeScript rules.
• P2 (vercel.test.ts): Re-mocks @sim/logger which is globally provided by vitest.setup.ts and must not be re-mocked per testing guidelines.
• P2 (salesforce.test.ts): Missing @vitest-environment node annotation that vercel.test.ts (same PR) correctly includes.

Confidence Score: 4/5

PR is safe to merge after addressing the fail-open security inconsistency in createHmacVerifier for Greenhouse and Notion webhooks.

Score is 4 because the P1 finding (createHmacVerifier silently allowing all requests when no secret is configured) is a real security inconsistency that should be resolved before merging. The existing URL unguessability provides some defence-in-depth, but it is not a substitute for authentication. All other findings are non-blocking P2 style issues. The core webhook hardening logic is well-implemented: timing-safe HMAC comparisons, atomic idempotency claims, correct event filtering, and full subscription lifecycles.

apps/sim/lib/webhooks/providers/utils.ts (createHmacVerifier fail-open for Greenhouse and Notion), apps/sim/lib/core/idempotency/service.ts (any types), apps/sim/lib/webhooks/providers/vercel.test.ts (re-mocks global logger), apps/sim/lib/webhooks/providers/salesforce.test.ts (missing @vitest-environment node)

Important Files Changed

Filename	Overview
apps/sim/lib/webhooks/providers/utils.ts	createHmacVerifier factory passes (returns null) when secret is unconfigured — inconsistent with salesforce/vercel handlers that fail closed with 401.
apps/sim/lib/core/idempotency/service.ts	Atomic Redis SET NX and PG ON CONFLICT claims; 7-day TTL; in-progress polling. Uses any on previousResult, result, and additionalContext parameters.
apps/sim/lib/webhooks/providers/linear.ts	Replay window raised to 5 min; HMAC secret generated on subscription create; matchEvent filters resource type and action for v1 triggers.
apps/sim/lib/webhooks/providers/vercel.ts	Full subscription lifecycle (create/delete); SHA-1 HMAC verification; per-trigger event filtering; idempotency via top-level delivery id.
apps/sim/lib/webhooks/providers/gong.ts	Optional RS256 JWT verification with body_sha256 body-integrity and webhook_url URL-binding claim validation.
apps/sim/lib/webhooks/providers/zoom.ts	CRC challenge DB-resolves env-backed secrets; HMAC-SHA256 with 5-min timestamp window; matchEvent blocks url_validation delivery events.
apps/sim/lib/webhooks/providers/salesforce.ts	Shared-secret auth (Bearer + X-Sim-Webhook-Secret); broad eventType normalisation; stable SHA-256 fallback idempotency fingerprint.
apps/sim/lib/webhooks/providers/greenhouse.ts	HMAC-SHA256 via createHmacVerifier (fails open when unconfigured); event matching via trigger util; idempotency via application/offer/job ID.
apps/sim/lib/webhooks/providers/notion.ts	HMAC-SHA256 via createHmacVerifier (fails open when unconfigured); reachability test via verification_token; matchEvent delegates to trigger util.
apps/sim/lib/webhooks/providers/vercel.test.ts	Good verifyAuth and idempotency coverage; re-mocks @sim/logger which is globally provided by vitest.setup.ts.
apps/sim/lib/webhooks/providers/salesforce.test.ts	Good auth, event-matching, formatInput, and idempotency coverage; missing @vitest-environment node annotation.
apps/sim/app/api/webhooks/trigger/[path]/route.ts	Fan-out processing for credential sets; auth verified per webhook before reachability test; challenge handling runs both before and after body parsing.
apps/sim/lib/webhooks/providers/resend.ts	Svix signing scheme correctly implemented; full subscription lifecycle; per-trigger event filtering via RESEND_TRIGGER_TO_EVENT_TYPE.
apps/sim/triggers/salesforce/utils.ts	Broad event type normalisation via normalised-token Sets; objectType enforcement; output builders for all five trigger variants.
apps/sim/triggers/zoom/utils.ts	ZOOM_TRIGGER_EVENT_MAP maps trigger IDs to Zoom event names; isZoomEventMatch correctly passes zoom_webhook; complete output builders.

Sequence Diagram

sequenceDiagram
    participant Client
    participant Route as /api/webhooks/trigger/[path]
    participant Processor
    participant Provider as Provider Handler
    participant Idempotency
    participant Queue

    Client->>Route: POST body
    Route->>Processor: handleProviderChallenges({})
    Note over Processor: Early CRC/challenge (Zoom etc.)
    Route->>Processor: parseWebhookBody()
    Route->>Processor: handleProviderChallenges(body)
    Note over Processor: Challenge with parsed body
    Route->>Processor: findAllWebhooksForPath()
    loop each webhook (credential fan-out)
        Route->>Provider: verifyAuth()
        Note over Provider: HMAC / RS256 JWT / Bearer check
        Provider-->>Route: null (pass) or 401
        Route->>Provider: handleReachabilityTest()
        Note over Provider: Notion verification_token etc.
        Route->>Processor: checkWebhookPreprocessing()
        Route->>Provider: matchEvent()
        Note over Provider: Event type / resource filter
        Route->>Idempotency: extractIdempotencyId(body)
        Idempotency->>Idempotency: atomicallyClaim(Redis NX / PG conflict)
        Idempotency-->>Route: claimed or duplicate
        Route->>Queue: queueWebhookExecution()
    end
    Route-->>Client: 200 Webhook processed

Loading

Comments Outside Diff (1)

1. apps/sim/lib/webhooks/providers/utils.ts, line 32-36 (link)

   createHmacVerifier fails open when secret is unconfigured

   createHmacVerifier returns null (grants access) when providerConfig[configKey] is absent. Both greenhouseHandler and notionHandler use this factory, meaning a webhook deployed without a configured secret accepts all inbound requests with no authentication.

   This is inconsistent with salesforceHandler.verifyAuth and vercelHandler.verifyAuth, which both reject with HTTP 401 when their secrets are missing. If Greenhouse and Notion signatures should be required, change the factory to fail closed:

   const secret = providerConfig[configKey] as string | undefined
   if (!secret) {
     logger.warn(`[${requestId}] ${providerLabel} webhook missing ${configKey} — rejecting`)
     return new NextResponse(`Unauthorized - ${providerLabel} secret not configured`, { status: 401 })
   }

   If signature verification is intentionally opt-in for these providers (e.g. because the URL itself is unguessable), a TSDoc comment explaining this design decision would prevent future confusion and drift.

_{Reviews (4): Last reviewed commit: "fix(webhooks): address remaining review ..." | Re-trigger Greptile}

[waleedlatif1]

Follow-up Hardening Checklist

This PR looks reasonable to merge. The items below are follow-up hardening/cleanup work, not current blockers.

• Salesforce: consolidate duplicated object-type parsing and improve fallback dedupe behavior when Flow payloads omit stable record identity.
• Zoom: fail closed when triggerId is missing and consider rejecting malformed generic payloads with empty event.
• Resend: revisit failed-idempotency behavior for repeated svix-id deliveries and add dedicated provider tests.
• Linear: decide whether unsigned v1 mode should remain allowed and whether missing action should fail closed.
• Vercel: tighten per-trigger outputs so they align more strictly with the shared formatInput contract.
• Greenhouse: improve body-fallback idempotency for rare no-header scenarios and keep schema docs aligned with less common payload variants.
• Gong: decide whether JWT misconfiguration should fail harder instead of silently falling back to URL secrecy.
• Notion: revisit auth-before-reachability ordering during verification and decide whether more data_source.* events should get dedicated named triggers.
• Shared lifecycle: consider making challenge handling less hardcoded than CHALLENGE_PROVIDERS, revisit failed-idempotency caching semantics, and continue expanding alignment checks.

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 41b0348. Configure here.}