fix(security): correct webflow timestamp unit comparison and airtable hmac encoding

waleedlatif1 · waleedlatif1 · commit 49b95038538a · 2026-05-10T18:17:22.000-07:00
- webflow: compare Date.now()/1000 against x-webflow-timestamp (both in Unix seconds) — the original Date.now() - ts comparison always exceeded the 300 000ms threshold, rejecting every valid webhook
- airtable: use utf8 encoding in HMAC update instead of ascii — ascii silently mangles bytes above 127, producing an incorrect digest for non-ASCII payloads
- hubspot: add TSDoc comment clarifying v1 signature scheme is intentional for CRM subscriptions
diff --git a/apps/sim/lib/webhooks/providers/airtable.ts b/apps/sim/lib/webhooks/providers/airtable.ts
@@ -471,7 +471,7 @@ export const airtableHandler: WebhookProviderHandler = {
       const secretBytes = Buffer.from(macSecretBase64, 'base64')
       const computedHex = crypto
         .createHmac('sha256', secretBytes)
-        .update(rawBody, 'ascii')
+        .update(rawBody, 'utf8')
         .digest('hex')
 
       if (!safeCompare(computedHex, providedHex)) {
diff --git a/apps/sim/lib/webhooks/providers/hubspot.ts b/apps/sim/lib/webhooks/providers/hubspot.ts
@@ -30,7 +30,11 @@ export const hubspotHandler: WebhookProviderHandler = {
     }
 
     try {
-      // HubSpot v1 signature: SHA-256 hash of (clientSecret + requestBody)
+      /**
+       * HubSpot v1 signature: SHA-256 of (clientSecret + requestBody), verified against X-HubSpot-Signature.
+       * v1 is intentionally used for CRM webhook subscriptions — v3 requires the full request URL and method,
+       * which are not available in verifyAuth.
+       */
       const computedHash = crypto
         .createHash('sha256')
         .update(clientSecret + rawBody, 'utf8')
diff --git a/apps/sim/lib/webhooks/providers/webflow.ts b/apps/sim/lib/webhooks/providers/webflow.ts
@@ -39,9 +39,10 @@ export const webflowHandler: WebhookProviderHandler = {
       return new NextResponse('Unauthorized - Missing Webflow signature headers', { status: 401 })
     }
 
-    // Replay protection: reject if timestamp is more than 5 minutes old
+    // Replay protection: reject if timestamp is more than 5 minutes old.
+    // x-webflow-timestamp is Unix seconds; Date.now() is milliseconds — compare both in seconds.
     const ts = Number.parseInt(timestamp, 10)
-    if (Number.isNaN(ts) || Date.now() - ts > 5 * 60 * 1000) {
+    if (Number.isNaN(ts) || Date.now() / 1000 - ts > 5 * 60) {
       logger.warn(`[${requestId}] Webflow webhook timestamp expired or invalid`)
       return new NextResponse('Unauthorized - Webhook timestamp expired', { status: 401 })
     }

Original file line number	Diff line number	Diff line change
`@@ -39,9 +39,10 @@ export const webflowHandler: WebhookProviderHandler = {`
`39`	`39`	`return new NextResponse('Unauthorized - Missing Webflow signature headers', { status: 401 })`
`40`	`40`	`}`
`41`	`41`
`42`		`- // Replay protection: reject if timestamp is more than 5 minutes old`
	`42`	`+ // Replay protection: reject if timestamp is more than 5 minutes old.`
	`43`	`+ // x-webflow-timestamp is Unix seconds; Date.now() is milliseconds — compare both in seconds.`
`43`	`44`	`const ts = Number.parseInt(timestamp, 10)`
`44`		`- if (Number.isNaN(ts) \|\| Date.now() - ts > 5 * 60 * 1000) {`
	`45`	`+ if (Number.isNaN(ts) \|\| Date.now() / 1000 - ts > 5 * 60) {`
`45`	`46`	logger.warn(`[${requestId}] Webflow webhook timestamp expired or invalid`)
`46`	`47`	`return new NextResponse('Unauthorized - Webhook timestamp expired', { status: 401 })`
`47`	`48`	`}`