update pending webhook verification infra

Author: icecrasher321

apps/sim/app/api/webhooks/trigger/[path]/route.test.ts

@@ -268,6 +268,32 @@ vi.mock('@/lib/webhooks/processor', () => ({
     }
   }),
   handleProviderChallenges: vi.fn().mockResolvedValue(null),
+  handlePreLookupWebhookVerification: vi
+    .fn()
+    .mockImplementation(
+      async (
+        method: string,
+        body: Record<string, unknown> | undefined,
+        _requestId: string,
+        path: string
+      ) => {
+        if (path !== 'pending-verification-path') {
+          return null
+        }
+
+        const isVerificationProbe =
+          method === 'GET' ||
+          method === 'HEAD' ||
+          (method === 'POST' && (!body || Object.keys(body).length === 0 || !body.type))
+
+        if (!isVerificationProbe) {
+          return null
+        }
+
+        const { NextResponse } = require('next/server')
+        return NextResponse.json({ status: 'ok', message: 'Webhook endpoint verified' })
+      }
+    ),
   handleProviderReachabilityTest: vi.fn().mockReturnValue(null),
   verifyProviderAuth: vi
     .fn()
@@ -389,7 +415,7 @@ describe('Webhook Trigger API Route', () => {
   })
 
   it('should handle 404 for non-existent webhooks', async () => {
-    const req = createMockRequest('POST', { event: 'test' })
+    const req = createMockRequest('POST', { type: 'event.test' })
 
     const params = Promise.resolve({ path: 'non-existent-path' })
 
@@ -401,7 +427,7 @@ describe('Webhook Trigger API Route', () => {
     expect(text).toMatch(/not found/i)
   })
 
-  it('should return 200 for GET verification probes before webhook persistence', async () => {
+  it('should return 405 for GET requests on unknown webhook paths', async () => {
     const req = createMockRequest(
       'GET',
       undefined,
@@ -413,22 +439,37 @@ describe('Webhook Trigger API Route', () => {
 
     const response = await GET(req as any, { params })
 
+    expect(response.status).toBe(405)
+  })
+
+  it('should return 200 for GET verification probes on registered pending paths', async () => {
+    const req = createMockRequest(
+      'GET',
+      undefined,
+      {},
+      'http://localhost:3000/api/webhooks/trigger/pending-verification-path'
+    )
+
+    const params = Promise.resolve({ path: 'pending-verification-path' })
+
+    const response = await GET(req as any, { params })
+
     expect(response.status).toBe(200)
     await expect(response.json()).resolves.toMatchObject({
       status: 'ok',
       message: 'Webhook endpoint verified',
     })
   })
 
-  it('should return 200 for empty POST verification probes before webhook persistence', async () => {
+  it('should return 200 for empty POST verification probes on registered pending paths', async () => {
     const req = createMockRequest(
       'POST',
       undefined,
       {},
-      'http://localhost:3000/api/webhooks/trigger/non-existent-path'
+      'http://localhost:3000/api/webhooks/trigger/pending-verification-path'
     )
 
-    const params = Promise.resolve({ path: 'non-existent-path' })
+    const params = Promise.resolve({ path: 'pending-verification-path' })
 
     const response = await POST(req as any, { params })
 
@@ -439,6 +480,19 @@ describe('Webhook Trigger API Route', () => {
     })
   })
 
+  it('should return 404 for POST requests without type on unknown webhook paths', async () => {
+    const req = createMockRequest('POST', { event: 'test' })
+
+    const params = Promise.resolve({ path: 'non-existent-path' })
+
+    const response = await POST(req as any, { params })
+
+    expect(response.status).toBe(404)
+
+    const text = await response.text()
+    expect(text).toMatch(/not found/i)
+  })
+
   describe('Generic Webhook Authentication', () => {
     it('should process generic webhook without authentication', async () => {
       testData.webhooks.push({

apps/sim/app/api/webhooks/trigger/[path]/route.ts

@@ -31,12 +31,10 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
     return challengeResponse
   }
 
-  return handlePreLookupWebhookVerification(
-    request.method,
-    undefined,
-    requestId,
-    path
-  ) as NextResponse
+  return (
+    (await handlePreLookupWebhookVerification(request.method, undefined, requestId, path)) ||
+    new NextResponse('Method not allowed', { status: 405 })
+  )
 }
 
 export async function POST(
@@ -70,7 +68,7 @@ export async function POST(
   const webhooksForPath = await findAllWebhooksForPath({ requestId, path })
 
   if (webhooksForPath.length === 0) {
-    const verificationResponse = handlePreLookupWebhookVerification(
+    const verificationResponse = await handlePreLookupWebhookVerification(
       request.method,
       body,
       requestId,

apps/sim/lib/webhooks/deploy.ts

@@ -5,6 +5,7 @@ import { and, eq, inArray } from 'drizzle-orm'
 import { nanoid } from 'nanoid'
 import type { NextRequest } from 'next/server'
 import { getProviderIdFromServiceId } from '@/lib/oauth'
+import { PendingWebhookVerificationTracker } from '@/lib/webhooks/pending-verification'
 import {
   cleanupExternalWebhook,
   createExternalWebhookSubscription,
@@ -580,6 +581,7 @@ export async function saveTriggerWebhooksForDeploy({
     updatedProviderConfig: Record<string, unknown>
     externalSubscriptionCreated: boolean
   }> = []
+  const pendingVerificationTracker = new PendingWebhookVerificationTracker()
 
   for (const block of blocksNeedingWebhook) {
     const config = webhookConfigs.get(block.id)
@@ -595,6 +597,13 @@ export async function saveTriggerWebhooksForDeploy({
     }
 
     try {
+      await pendingVerificationTracker.register({
+        path: triggerPath,
+        provider,
+        workflowId,
+        blockId: block.id,
+      })
+
       const result = await createExternalWebhookSubscription(
         request,
         createPayload,
@@ -613,6 +622,7 @@ export async function saveTriggerWebhooksForDeploy({
       })
     } catch (error: any) {
       logger.error(`[${requestId}] Failed to create external subscription for ${block.id}`, error)
+      await pendingVerificationTracker.clearAll()
       for (const sub of createdSubscriptions) {
         if (sub.externalSubscriptionCreated) {
           try {
@@ -666,6 +676,8 @@ export async function saveTriggerWebhooksForDeploy({
       }
     })
 
+    await pendingVerificationTracker.clearAll()
+
     for (const sub of createdSubscriptions) {
       const pollingError = await configurePollingIfNeeded(
         sub.provider,
@@ -710,6 +722,7 @@ export async function saveTriggerWebhooksForDeploy({
       }
     }
   } catch (error: any) {
+    await pendingVerificationTracker.clearAll()
     logger.error(`[${requestId}] Failed to insert webhook records`, error)
     for (const sub of createdSubscriptions) {
       if (sub.externalSubscriptionCreated) {

apps/sim/lib/webhooks/pending-verification.test.ts

@@ -0,0 +1,104 @@
+/**
+ * @vitest-environment node
+ */
+import { afterEach, describe, expect, it, vi } from 'vitest'
+
+vi.mock('@/lib/core/config/redis', () => ({
+  getRedisClient: vi.fn().mockReturnValue(null),
+}))
+
+vi.mock('@sim/logger', () => ({
+  createLogger: vi.fn().mockReturnValue({
+    info: vi.fn(),
+    warn: vi.fn(),
+    error: vi.fn(),
+  }),
+}))
+
+import {
+  clearPendingWebhookVerification,
+  getPendingWebhookVerification,
+  matchesPendingWebhookVerificationProbe,
+  PendingWebhookVerificationTracker,
+  registerPendingWebhookVerification,
+} from '@/lib/webhooks/pending-verification'
+
+describe('pending webhook verification', () => {
+  afterEach(async () => {
+    await clearPendingWebhookVerification('grain-path-1')
+    await clearPendingWebhookVerification('grain-path-2')
+    await clearPendingWebhookVerification('grain-path-3')
+    await clearPendingWebhookVerification('grain-path-4')
+  })
+
+  it('stores and retrieves pending Grain verification entries', async () => {
+    await registerPendingWebhookVerification({
+      path: 'grain-path-1',
+      provider: 'grain',
+      workflowId: 'workflow-1',
+      blockId: 'block-1',
+    })
+
+    const entry = await getPendingWebhookVerification('grain-path-1')
+
+    expect(entry).toMatchObject({
+      path: 'grain-path-1',
+      provider: 'grain',
+      workflowId: 'workflow-1',
+      blockId: 'block-1',
+    })
+  })
+
+  it('matches Grain verification probe shapes only for registered paths', async () => {
+    await registerPendingWebhookVerification({
+      path: 'grain-path-2',
+      provider: 'grain',
+    })
+
+    const entry = await getPendingWebhookVerification('grain-path-2')
+
+    expect(entry).not.toBeNull()
+    expect(
+      matchesPendingWebhookVerificationProbe(entry!, {
+        method: 'POST',
+        body: {},
+      })
+    ).toBe(true)
+    expect(
+      matchesPendingWebhookVerificationProbe(entry!, {
+        method: 'POST',
+        body: { type: 'recording_added' },
+      })
+    ).toBe(false)
+  })
+
+  it('clears tracked pending verifications after a successful lifecycle', async () => {
+    const tracker = new PendingWebhookVerificationTracker()
+
+    await tracker.register({
+      path: 'grain-path-3',
+      provider: 'grain',
+    })
+
+    expect(await getPendingWebhookVerification('grain-path-3')).not.toBeNull()
+
+    await tracker.clearAll()
+
+    expect(await getPendingWebhookVerification('grain-path-3')).toBeNull()
+  })
+
+  it('clears tracked pending verifications after a failed lifecycle', async () => {
+    const tracker = new PendingWebhookVerificationTracker()
+
+    await tracker.register({
+      path: 'grain-path-4',
+      provider: 'grain',
+    })
+
+    expect(await getPendingWebhookVerification('grain-path-4')).not.toBeNull()
+
+    await tracker.clear('grain-path-4')
+
+    expect(await getPendingWebhookVerification('grain-path-4')).toBeNull()
+  })
+})