fix(triggers): address PR review feedback for Zoom webhooks

waleedlatif1 · waleedlatif1 · commit db37b6ebf3fa · 2026-04-06T11:51:37.000-07:00
- Add 30s timestamp freshness check to prevent replay attacks
- Return null from handleChallenge when no secret token found instead of responding with empty-key HMAC
- Remove all `as any` casts from output builder functions
diff --git a/apps/sim/lib/webhooks/providers/zoom.ts b/apps/sim/lib/webhooks/providers/zoom.ts
@@ -29,6 +29,12 @@ function validateZoomSignature(
       return false
     }
 
+    const nowSeconds = Math.floor(Date.now() / 1000)
+    const requestSeconds = parseInt(timestamp, 10)
+    if (isNaN(requestSeconds) || Math.abs(nowSeconds - requestSeconds) > 30) {
+      return false
+    }
+
     const message = `v0:${timestamp}:${body}`
     const computedHash = crypto.createHmac('sha256', secretToken).update(message).digest('hex')
     const expectedSignature = `v0=${computedHash}`
@@ -119,6 +125,12 @@ export const zoomHandler: WebhookProviderHandler = {
       }
     } catch (err) {
       logger.warn(`[${requestId}] Failed to look up webhook secret for Zoom validation`, err)
+      return null
+    }
+
+    if (!secretToken) {
+      logger.warn(`[${requestId}] No secret token configured for Zoom URL validation on path: ${path}`)
+      return null
     }
 
     const hashForValidate = crypto
diff --git a/apps/sim/triggers/zoom/utils.ts b/apps/sim/triggers/zoom/utils.ts
@@ -140,7 +140,7 @@ export function buildMeetingOutputs(): Record<string, TriggerOutput> {
         },
       },
     },
-  } as any
+  }
 }
 
 /**
@@ -187,7 +187,7 @@ export function buildParticipantOutputs(): Record<string, TriggerOutput> {
         },
       },
     },
-  } as any
+  }
 }
 
 /**
@@ -229,7 +229,7 @@ export function buildRecordingOutputs(): Record<string, TriggerOutput> {
         },
       },
     },
-  } as any
+  }
 }
 
 /**
