refactor(netlify): switch trigger to manual webhook setup

stylessh · stylessh · commit 36c8db91c028 · 2026-05-08T15:18:52.000-04:00
Removes auto-registration of Netlify outgoing webhooks because the data.signature_secret field doesn't reliably round-trip through the hooks API. The user now configures the webhook in Netlify's dashboard and pastes the JWS secret token into the trigger; Sim only verifies inbound signatures with that secret. Drops apiKey and siteId from the trigger config (still required on the block for tool operations).
diff --git a/apps/sim/lib/webhooks/providers/netlify.ts b/apps/sim/lib/webhooks/providers/netlify.ts
@@ -2,15 +2,11 @@ import crypto from 'crypto'
 import { createLogger } from '@sim/logger'
 import { safeCompare } from '@sim/security/compare'
 import { NextResponse } from 'next/server'
-import { getNotificationUrl, getProviderConfig } from '@/lib/webhooks/provider-subscription-utils'
 import type {
   AuthContext,
-  DeleteSubscriptionContext,
   EventMatchContext,
   FormatInputContext,
   FormatInputResult,
-  SubscriptionContext,
-  SubscriptionResult,
   WebhookProviderHandler,
 } from '@/lib/webhooks/providers/types'
 
@@ -53,11 +49,11 @@ function verifyNetlifyJwt(token: string, secret: string, rawBody: string): boole
 
 export const netlifyHandler: WebhookProviderHandler = {
   verifyAuth({ request, rawBody, requestId, providerConfig }: AuthContext): NextResponse | null {
-    const secret = (providerConfig.webhookSecret as string | undefined)?.trim()
+    const secret = (providerConfig.signatureSecret as string | undefined)?.trim()
     if (!secret) {
-      logger.warn(`[${requestId}] Netlify webhook secret missing; rejecting delivery`)
+      logger.warn(`[${requestId}] Netlify signature secret missing; rejecting delivery`)
       return new NextResponse(
-        'Unauthorized - Netlify webhook signing secret is not configured. Re-save the trigger so a webhook can be registered.',
+        'Unauthorized - Netlify signature secret is not configured. Set the JWS secret token on this trigger.',
         { status: 401 }
       )
     }
@@ -105,152 +101,6 @@ export const netlifyHandler: WebhookProviderHandler = {
     return `netlify:${String(id)}`
   },
 
-  async createSubscription(ctx: SubscriptionContext): Promise<SubscriptionResult | undefined> {
-    const { webhook, requestId } = ctx
-    try {
-      const providerConfig = getProviderConfig(webhook)
-      const apiKey = providerConfig.apiKey as string | undefined
-      const triggerId = providerConfig.triggerId as string | undefined
-      const siteId = (providerConfig.siteId as string | undefined)?.trim()
-
-      if (!apiKey) {
-        throw new Error(
-          'Netlify Personal Access Token is required. Provide your access token in the trigger configuration.'
-        )
-      }
-      if (!siteId) {
-        throw new Error('Netlify Site ID is required to register a deploy webhook.')
-      }
-      if (!triggerId) {
-        throw new Error('Missing trigger ID — re-save the Netlify trigger.')
-      }
-
-      const { NETLIFY_TRIGGER_EVENT_TYPES } = await import('@/triggers/netlify/utils')
-      const event = NETLIFY_TRIGGER_EVENT_TYPES[triggerId]
-      if (!event) {
-        throw new Error(
-          `Unknown Netlify trigger "${triggerId}". Remove and re-add the Netlify trigger, then save again.`
-        )
-      }
-
-      const notificationUrl = getNotificationUrl(webhook)
-      const signingSecret = crypto.randomBytes(32).toString('base64url')
-
-      logger.info(`[${requestId}] Creating Netlify webhook`, {
-        triggerId,
-        event,
-        siteId,
-        webhookId: webhook.id,
-      })
-
-      const apiUrl = `https://api.netlify.com/api/v1/hooks?site_id=${encodeURIComponent(siteId)}`
-      const requestBody = {
-        type: 'url',
-        event,
-        data: {
-          url: notificationUrl,
-          signature_secret: signingSecret,
-        },
-      }
-
-      const netlifyResponse = await fetch(apiUrl, {
-        method: 'POST',
-        headers: {
-          Authorization: `Bearer ${apiKey}`,
-          'Content-Type': 'application/json',
-        },
-        body: JSON.stringify(requestBody),
-      })
-
-      const responseBody = (await netlifyResponse.json().catch(() => ({}))) as Record<
-        string,
-        unknown
-      >
-
-      if (!netlifyResponse.ok) {
-        const errorMessage =
-          (responseBody.message as string) ||
-          (responseBody.error as string) ||
-          'Unknown Netlify API error'
-
-        let userFriendlyMessage = 'Failed to create webhook subscription in Netlify'
-        if (netlifyResponse.status === 401 || netlifyResponse.status === 403) {
-          userFriendlyMessage =
-            'Invalid or insufficient Netlify Personal Access Token. Verify the token has access to this site.'
-        } else if (netlifyResponse.status === 404) {
-          userFriendlyMessage = `Netlify site "${siteId}" not found or not accessible with this token.`
-        } else if (errorMessage && errorMessage !== 'Unknown Netlify API error') {
-          userFriendlyMessage = `Netlify error: ${errorMessage}`
-        }
-
-        throw new Error(userFriendlyMessage)
-      }
-
-      const externalId = (responseBody.id as string | undefined) ?? undefined
-      if (!externalId) {
-        throw new Error('Netlify webhook creation succeeded but no hook ID was returned')
-      }
-
-      logger.info(`[${requestId}] Successfully created Netlify hook ${externalId}`, {
-        webhookId: webhook.id,
-        event,
-      })
-
-      return {
-        providerConfigUpdates: {
-          externalId,
-          webhookSecret: signingSecret,
-        },
-      }
-    } catch (error: unknown) {
-      const err = error as Error
-      logger.error(`[${requestId}] Exception during Netlify webhook creation`, {
-        message: err.message,
-        webhookId: webhook.id,
-      })
-      throw error
-    }
-  },
-
-  async deleteSubscription(ctx: DeleteSubscriptionContext): Promise<void> {
-    const { webhook, requestId } = ctx
-    try {
-      const config = getProviderConfig(webhook)
-      const apiKey = config.apiKey as string | undefined
-      const externalId = config.externalId as string | undefined
-
-      if (!apiKey || !externalId) {
-        logger.warn(
-          `[${requestId}] Missing apiKey or externalId for Netlify webhook deletion ${webhook.id}, skipping cleanup`
-        )
-        if (ctx.strict) throw new Error('Missing Netlify webhook deletion credentials')
-        return
-      }
-
-      const apiUrl = `https://api.netlify.com/api/v1/hooks/${encodeURIComponent(externalId)}`
-
-      const response = await fetch(apiUrl, {
-        method: 'DELETE',
-        headers: {
-          Authorization: `Bearer ${apiKey}`,
-        },
-      })
-
-      if (!response.ok && response.status !== 404) {
-        logger.warn(
-          `[${requestId}] Failed to delete Netlify webhook (non-fatal): ${response.status}`
-        )
-        if (ctx.strict) throw new Error(`Failed to delete Netlify webhook: ${response.status}`)
-      } else {
-        await response.body?.cancel()
-        logger.info(`[${requestId}] Successfully deleted Netlify hook ${externalId}`)
-      }
-    } catch (error) {
-      logger.warn(`[${requestId}] Error deleting Netlify webhook (non-fatal)`, error)
-      if (ctx.strict) throw error
-    }
-  },
-
   async formatInput(ctx: FormatInputContext): Promise<FormatInputResult> {
     const body = ctx.body as Record<string, unknown>
 
diff --git a/apps/sim/triggers/netlify/utils.ts b/apps/sim/triggers/netlify/utils.ts
@@ -54,13 +54,16 @@ export function isNetlifyEventMatch(triggerId: string, state: string | undefined
 
 /**
  * Generates HTML setup instructions shown inside the trigger config panel.
+ * Netlify outgoing webhooks are configured manually in the Netlify dashboard;
+ * Sim verifies inbound deliveries using the JWS secret token the user provides.
  */
 export function netlifySetupInstructions(eventLabel: string): string {
   const instructions = [
-    'Generate a Personal Access Token at <strong>User settings → Applications → Personal access tokens</strong> (<a href="https://app.netlify.com/user/applications#personal-access-tokens" target="_blank" rel="noreferrer">direct link</a>) and paste it above.',
-    'Enter the target <strong>Site ID</strong> (or primary domain) of the Netlify site to listen on.',
-    `<strong>Deploy</strong> the workflow — Sim will automatically register an outgoing webhook in Netlify for <strong>${eventLabel}</strong> events on the chosen site.`,
-    'The webhook is automatically removed from Netlify when you delete this trigger or undeploy the workflow.',
+    'Copy the <strong>Webhook URL</strong> above.',
+    'In Netlify open <strong>Site settings → Build &amp; deploy → Deploy notifications → Add notification → Outgoing webhook</strong>.',
+    `Paste the URL, choose <strong>${eventLabel}</strong> as the event to listen for, generate a <strong>JWS secret token</strong>, and save the notification.`,
+    'Paste that same JWS secret into the <strong>Signature Secret</strong> field above, then <strong>Deploy</strong> the workflow.',
+    'Remove the notification in Netlify when you delete this trigger — Sim does not manage the webhook on your behalf.',
   ]
 
   return instructions
@@ -73,31 +76,24 @@ export function netlifySetupInstructions(eventLabel: string): string {
 
 /**
  * Netlify-specific extra fields exposed in trigger configuration.
+ * The signature secret is the JWS secret token the user configures on the
+ * outgoing webhook in Netlify; we use it to verify inbound deliveries.
  */
 export function buildNetlifyExtraFields(triggerId: string): SubBlockConfig[] {
   return [
     {
-      id: 'apiKey',
-      title: 'Access Token',
+      id: 'signatureSecret',
+      title: 'Signature Secret',
       type: 'short-input' as const,
-      placeholder: 'Enter your Netlify Personal Access Token',
-      description: 'Required to register and remove the webhook in Netlify.',
+      placeholder: 'Paste the JWS secret token configured in Netlify',
+      description:
+        'The JWS secret token set on the outgoing webhook in Netlify. Used to verify the signature of every incoming delivery.',
       password: true,
       required: true,
       paramVisibility: 'user-only',
       mode: 'trigger' as const,
       condition: { field: 'selectedTriggerId', value: triggerId },
     },
-    {
-      id: 'siteId',
-      title: 'Site ID',
-      type: 'short-input' as const,
-      placeholder: 'Site ID or primary domain (e.g., 0d3a9d2f-... or my-site.netlify.app)',
-      description: 'The Netlify site whose deploys will trigger this workflow.',
-      required: true,
-      mode: 'trigger' as const,
-      condition: { field: 'selectedTriggerId', value: triggerId },
-    },
   ]
 }
 
