fix(webhooks): tighten remaining provider hardening

Close the remaining pre-merge caveats by tightening Salesforce, Zoom, and Linear behavior, and follow through on the deferred provider and tooling cleanup for Vercel, Greenhouse, Gong, and Notion.

Made-with: Cursor

Author: waleedlatif1

.agents/skills/add-trigger/SKILL.md

@@ -691,13 +691,13 @@ export const {service}WebhookTrigger: TriggerConfig = {
 ### Automatic Webhook Registration (if supported)
 - [ ] Added API key field to `build{Service}ExtraFields` with `password: true`
 - [ ] Updated setup instructions for automatic webhook creation
-- [ ] Added provider-specific logic to `apps/sim/app/api/webhooks/route.ts`
-- [ ] Added `create{Service}WebhookSubscription` helper function
-- [ ] Added `delete{Service}Webhook` function to `provider-subscriptions.ts`
-- [ ] Added provider to `cleanupExternalWebhook` function
+- [ ] Added `createSubscription` to `apps/sim/lib/webhooks/providers/{service}.ts`
+- [ ] Added `deleteSubscription` to `apps/sim/lib/webhooks/providers/{service}.ts`
+- [ ] Did not add provider-specific orchestration logic to shared route / deploy / provider-subscriptions files unless absolutely required
 
 ### Webhook Input Formatting
-- [ ] Added handler in `apps/sim/lib/webhooks/utils.server.ts` (if custom formatting needed)
+- [ ] Added provider-owned `formatInput` in `apps/sim/lib/webhooks/providers/{service}.ts` when custom formatting is needed
+- [ ] Used `createHmacVerifier` for standard HMAC providers, or a custom `verifyAuth()` when the provider requires non-standard signature semantics / stricter secret handling
 - [ ] Handler returns fields matching trigger `outputs` exactly
 - [ ] Run `bun run apps/sim/scripts/check-trigger-alignment.ts {service}` to verify alignment
 

.claude/commands/add-trigger.md

@@ -806,7 +806,7 @@ export const {service}WebhookTrigger: TriggerConfig = {
 - [ ] Created handler file in `apps/sim/lib/webhooks/providers/{service}.ts`
 - [ ] Registered handler in `apps/sim/lib/webhooks/providers/registry.ts` (alphabetical)
 - [ ] Signature validator defined as private function inside handler file (not in a shared file)
-- [ ] Used `createHmacVerifier` from `providers/utils` for HMAC-based auth
+- [ ] Used `createHmacVerifier` from `providers/utils` for standard HMAC auth, or a provider-specific `verifyAuth()` when the provider requires custom signature semantics / stricter secret handling
 - [ ] Used `verifyTokenAuth` from `providers/utils` for token-based auth
 - [ ] Event matching uses dynamic `await import()` for trigger utils
 - [ ] Added `formatInput` if webhook payload needs transformation (returns `{ input: ... }`)

apps/sim/lib/webhooks/providers/gong.test.ts

@@ -28,6 +28,20 @@ describe('normalizeGongPublicKeyPem', () => {
   })
 })
 
+describe('gongHandler formatInput', () => {
+  it('always returns callId as a string', async () => {
+    const { input } = await gongHandler.formatInput!({
+      webhook: {},
+      workflow: { id: 'wf', userId: 'u' },
+      body: { callData: { metaData: {} } },
+      headers: {},
+      requestId: 'gong-format',
+    })
+
+    expect((input as Record<string, unknown>).callId).toBe('')
+  })
+})
+
 describe('gongHandler verifyAuth (JWT)', () => {
   it('returns null when JWT public key is not configured', async () => {
     const request = new NextRequest('https://app.example.com/api/webhooks/trigger/abc', {

apps/sim/lib/webhooks/providers/gong.ts

@@ -129,9 +129,7 @@ export const gongHandler: WebhookProviderHandler = {
     const metaData = (callData?.metaData as Record<string, unknown>) || {}
     const content = callData?.content as Record<string, unknown> | undefined
     const callId =
-      typeof metaData.id === 'string' || typeof metaData.id === 'number'
-        ? String(metaData.id)
-        : null
+      typeof metaData.id === 'string' || typeof metaData.id === 'number' ? String(metaData.id) : ''
 
     return {
       input: {
@@ -142,7 +140,7 @@ export const gongHandler: WebhookProviderHandler = {
         context: (callData?.context as unknown[]) || [],
         trackers: (content?.trackers as unknown[]) || [],
         eventType: 'gong.automation_rule',
-        callId: callId ?? null,
+        callId,
       },
     }
   },

apps/sim/lib/webhooks/providers/greenhouse.ts

@@ -98,6 +98,14 @@ export const greenhouseHandler: WebhookProviderHandler = {
       return `greenhouse:${action}:offer:${String(offerId)}:${v}`
     }
 
+    const offer = (payload.offer || {}) as Record<string, unknown>
+    const nestedOfferId = offer.id
+    if (nestedOfferId !== undefined && nestedOfferId !== null && nestedOfferId !== '') {
+      const nestedVersion =
+        offer.version !== undefined && offer.version !== null ? String(offer.version) : '0'
+      return `greenhouse:${action}:offer:${String(nestedOfferId)}:${nestedVersion}`
+    }
+
     const job = (payload.job || {}) as Record<string, unknown>
     const jobId = job.id
     if (jobId !== undefined && jobId !== null && jobId !== '') {

apps/sim/lib/webhooks/providers/linear.test.ts

@@ -0,0 +1,78 @@
+import crypto from 'node:crypto'
+import { NextRequest } from 'next/server'
+import { describe, expect, it } from 'vitest'
+import { linearHandler } from '@/lib/webhooks/providers/linear'
+
+function signLinearBody(secret: string, rawBody: string): string {
+  return crypto.createHmac('sha256', secret).update(rawBody, 'utf8').digest('hex')
+}
+
+function requestWithLinearSignature(secret: string, rawBody: string): NextRequest {
+  const signature = signLinearBody(secret, rawBody)
+  return new NextRequest('http://localhost/test', {
+    headers: {
+      'Linear-Signature': signature,
+    },
+  })
+}
+
+describe('Linear webhook provider', () => {
+  it('rejects signed requests when webhookTimestamp is missing', async () => {
+    const secret = 'linear-secret'
+    const rawBody = JSON.stringify({
+      action: 'create',
+      type: 'Issue',
+    })
+
+    const res = await linearHandler.verifyAuth!({
+      request: requestWithLinearSignature(secret, rawBody),
+      rawBody,
+      requestId: 'linear-t1',
+      providerConfig: { webhookSecret: secret },
+      webhook: {},
+      workflow: {},
+    })
+
+    expect(res?.status).toBe(401)
+  })
+
+  it('rejects signed requests when webhookTimestamp skew is too large', async () => {
+    const secret = 'linear-secret'
+    const rawBody = JSON.stringify({
+      action: 'update',
+      type: 'Issue',
+      webhookTimestamp: Date.now() - 120_000,
+    })
+
+    const res = await linearHandler.verifyAuth!({
+      request: requestWithLinearSignature(secret, rawBody),
+      rawBody,
+      requestId: 'linear-t2',
+      providerConfig: { webhookSecret: secret },
+      webhook: {},
+      workflow: {},
+    })
+
+    expect(res?.status).toBe(401)
+  })
+
+  it('accepts signed requests within the allowed timestamp window', async () => {
+    const secret = 'linear-secret'
+    const rawBody = JSON.stringify({
+      action: 'update',
+      type: 'Issue',
+      webhookTimestamp: Date.now(),
+    })
+
+    const res = await linearHandler.verifyAuth!({
+      request: requestWithLinearSignature(secret, rawBody),
+      rawBody,
+      requestId: 'linear-t3',
+      providerConfig: { webhookSecret: secret },
+      webhook: {},
+      workflow: {},
+    })
+
+    expect(res).toBeNull()
+  })
+})

apps/sim/lib/webhooks/providers/linear.ts

@@ -42,7 +42,7 @@ function validateLinearSignature(secret: string, signature: string, body: string
   }
 }
 
-const LINEAR_WEBHOOK_TIMESTAMP_SKEW_MS = 5 * 60 * 1000
+const LINEAR_WEBHOOK_TIMESTAMP_SKEW_MS = 60 * 1000
 
 export const linearHandler: WebhookProviderHandler = {
   async verifyAuth({
@@ -70,15 +70,20 @@ export const linearHandler: WebhookProviderHandler = {
     try {
       const parsed = JSON.parse(rawBody) as Record<string, unknown>
       const ts = parsed.webhookTimestamp
-      if (typeof ts === 'number' && Number.isFinite(ts)) {
-        if (Math.abs(Date.now() - ts) > LINEAR_WEBHOOK_TIMESTAMP_SKEW_MS) {
-          logger.warn(
-            `[${requestId}] Linear webhookTimestamp outside allowed skew (${LINEAR_WEBHOOK_TIMESTAMP_SKEW_MS}ms)`
-          )
-          return new NextResponse('Unauthorized - Webhook timestamp skew too large', {
-            status: 401,
-          })
-        }
+      if (typeof ts !== 'number' || !Number.isFinite(ts)) {
+        logger.warn(`[${requestId}] Linear webhookTimestamp missing or invalid`)
+        return new NextResponse('Unauthorized - Invalid webhook timestamp', {
+          status: 401,
+        })
+      }
+
+      if (Math.abs(Date.now() - ts) > LINEAR_WEBHOOK_TIMESTAMP_SKEW_MS) {
+        logger.warn(
+          `[${requestId}] Linear webhookTimestamp outside allowed skew (${LINEAR_WEBHOOK_TIMESTAMP_SKEW_MS}ms)`
+        )
+        return new NextResponse('Unauthorized - Webhook timestamp skew too large', {
+          status: 401,
+        })
       }
     } catch (error) {
       logger.warn(

apps/sim/lib/webhooks/providers/notion.test.ts

@@ -0,0 +1,28 @@
+import { describe, expect, it } from 'vitest'
+import { notionHandler } from '@/lib/webhooks/providers/notion'
+import { isNotionPayloadMatch } from '@/triggers/notion/utils'
+
+describe('Notion webhook provider', () => {
+  it('matches both legacy and newer schema updated event names', () => {
+    expect(
+      isNotionPayloadMatch('notion_database_schema_updated', {
+        type: 'database.schema_updated',
+      })
+    ).toBe(true)
+
+    expect(
+      isNotionPayloadMatch('notion_database_schema_updated', {
+        type: 'data_source.schema_updated',
+      })
+    ).toBe(true)
+  })
+
+  it('builds a stable idempotency key from event type and id', () => {
+    const key = notionHandler.extractIdempotencyId!({
+      id: 'evt_123',
+      type: 'page.created',
+    })
+
+    expect(key).toBe('notion:page.created:evt_123')
+  })
+})

apps/sim/lib/webhooks/providers/notion.ts

@@ -135,4 +135,17 @@ export const notionHandler: WebhookProviderHandler = {
 
     return true
   },
+
+  extractIdempotencyId(body: unknown) {
+    const obj = body as Record<string, unknown>
+    const id = obj.id
+    const type = obj.type
+    if (
+      (typeof id === 'string' || typeof id === 'number') &&
+      (typeof type === 'string' || typeof type === 'number')
+    ) {
+      return `notion:${String(type)}:${String(id)}`
+    }
+    return null
+  },
 }

…roviders/salesforce-zoom-webhook.test.ts …ib/webhooks/providers/salesforce.test.tsapps/sim/lib/webhooks/providers/salesforce-zoom-webhook.test.ts renamed to apps/sim/lib/webhooks/providers/salesforce.test.ts apps/sim/lib/webhooks/providers/salesforce-zoom-webhook.test.ts renamed to apps/sim/lib/webhooks/providers/salesforce.test.ts

@@ -64,6 +64,17 @@ describe('Salesforce webhook provider', () => {
     expect(
       isSalesforceEventMatch('salesforce_webhook', { objectType: 'Contact', Id: 'x' }, 'Account')
     ).toBe(false)
+    expect(isSalesforceEventMatch('salesforce_webhook', { Id: 'x' }, 'Account')).toBe(false)
+  })
+
+  it('isSalesforceEventMatch fails closed for record triggers when configured objectType is missing', () => {
+    expect(
+      isSalesforceEventMatch(
+        'salesforce_record_created',
+        { eventType: 'created', Id: '001' },
+        'Account'
+      )
+    ).toBe(false)
   })
 
   it('formatInput maps record trigger fields', async () => {
@@ -92,6 +103,23 @@ describe('Salesforce webhook provider', () => {
     })
     expect(id).toContain('001')
   })
+
+  it('extractIdempotencyId is stable without timestamps for identical payloads', () => {
+    const body = {
+      eventType: 'updated',
+      objectType: 'Account',
+      Id: '001',
+      Name: 'Acme',
+      changedFields: ['Name'],
+    }
+
+    const first = salesforceHandler.extractIdempotencyId!(body)
+    const second = salesforceHandler.extractIdempotencyId!({ ...body })
+
+    expect(first).toBe(second)
+    expect(first).toContain('001')
+    expect(first).toContain('updated')
+  })
 })
 
 describe('Zoom webhook provider', () => {
@@ -121,4 +149,32 @@ describe('Zoom webhook provider', () => {
     })
     expect(zid).toBe('zoom:meeting.started:123:u1')
   })
+
+  it('extractIdempotencyId uses participant identity when available', () => {
+    const zid = zoomHandler.extractIdempotencyId!({
+      event: 'meeting.participant_joined',
+      event_ts: 123,
+      payload: {
+        object: {
+          uuid: 'meeting-uuid',
+          participant: {
+            user_id: 'participant-1',
+          },
+        },
+      },
+    })
+    expect(zid).toBe('zoom:meeting.participant_joined:123:participant-1')
+  })
+
+  it('matchEvent never executes endpoint validation payloads', async () => {
+    const result = await zoomHandler.matchEvent!({
+      webhook: { id: 'w' },
+      workflow: { id: 'wf' },
+      body: { event: 'endpoint.url_validation' },
+      request: reqWithHeaders({}),
+      requestId: 't5',
+      providerConfig: { triggerId: 'zoom_webhook' },
+    })
+    expect(result).toBe(false)
+  })
 })