chore(webhooks): remove extraneous comments from provider handlers

fix(security): store Webflow signing key at subscription creation time

- Remove all non-TSDoc inline comments from airtable, hubspot, and webflow providers
- Fix Webflow OAuth webhook signature verification gap: secretKey was never
  stored for OAuth-created webhooks (Webflow returns secretKey only for
  site-token webhooks). Now resolved at createSubscription time via
  responseBody.secretKey ?? env.WEBFLOW_CLIENT_SECRET ?? null, so verifyAuth
  has a single clean code path identical to Stripe and HubSpot
- Change Webflow verifyAuth from fail-open to fail-closed on missing secretKey
- Replace error as Error cast with toError() in Webflow createSubscription catch
- Add inline comment noting x-webflow-timestamp is Unix milliseconds

Author: waleedlatif1

apps/sim/lib/webhooks/providers/airtable.ts

@@ -48,13 +48,10 @@ interface AirtableTableChanges {
   destroyedRecordIds?: string[]
 }
 
-/**
- * Process Airtable payloads
- */
 async function fetchAndProcessAirtablePayloads(
   webhookData: Record<string, unknown>,
   workflowData: Record<string, unknown>,
-  requestId: string // Original request ID from the ping, used for the final execution log
+  requestId: string
 ) {
   let currentCursor: number | null = null
   let mightHaveMore = true
@@ -180,7 +177,6 @@ async function fetchAndProcessAirtablePayloads(
 
     while (mightHaveMore) {
       apiCallCount++
-      // Safety break
       if (apiCallCount > 10) {
         mightHaveMore = false
         break
@@ -226,7 +222,6 @@ async function fetchAndProcessAirtablePayloads(
 
         if (receivedPayloads.length > 0) {
           payloadsFetched += receivedPayloads.length
-          // Keep the raw payloads for later exposure to the workflow
           for (const p of receivedPayloads) {
             allPayloads.push(p)
           }
@@ -247,14 +242,11 @@ async function fetchAndProcessAirtablePayloads(
                   )) {
                     const existingChange = consolidatedChangesMap.get(recordId)
                     if (existingChange) {
-                      // Record was created and possibly updated within the same batch
                       existingChange.changedFields = {
                         ...existingChange.changedFields,
                         ...(recordData.cellValuesByFieldId || {}),
                       }
-                      // Keep changeType as 'created' if it started as created
                     } else {
-                      // New creation
                       consolidatedChangesMap.set(recordId, {
                         tableId: tableId,
                         recordId: recordId,
@@ -265,7 +257,6 @@ async function fetchAndProcessAirtablePayloads(
                   }
                 }
 
-                // Handle updated records
                 if (tableChanges.changedRecordsById) {
                   const updatedCount = Object.keys(tableChanges.changedRecordsById).length
                   changeCount += updatedCount
@@ -277,16 +268,12 @@ async function fetchAndProcessAirtablePayloads(
                     const currentFields = recordData.current?.cellValuesByFieldId || {}
 
                     if (existingChange) {
-                      // Existing record was updated again
                       existingChange.changedFields = {
                         ...existingChange.changedFields,
                         ...currentFields,
                       }
-                      // Ensure type is 'updated' if it was previously 'created'
                       existingChange.changeType = 'updated'
-                      // Do not update previousFields again
                     } else {
-                      // First update for this record in the batch
                       const newChange: AirtableChange = {
                         tableId: tableId,
                         recordId: recordId,
@@ -316,7 +303,6 @@ async function fetchAndProcessAirtablePayloads(
             externalWebhookCursor: currentCursor,
           }
           try {
-            // Force a complete object update to ensure consistency in serverless env
             await db
               .update(webhook)
               .set({
@@ -325,7 +311,7 @@ async function fetchAndProcessAirtablePayloads(
               })
               .where(eq(webhook.id, webhookData.id as string))
 
-            localProviderConfig.externalWebhookCursor = currentCursor // Update local copy too
+            localProviderConfig.externalWebhookCursor = currentCursor
           } catch (dbError: unknown) {
             const err = dbError as Error
             logger.error(`[${requestId}] Failed to persist Airtable cursor to DB`, {
@@ -334,7 +320,7 @@ async function fetchAndProcessAirtablePayloads(
               error: err.message,
             })
             mightHaveMore = false
-            throw new Error('Failed to save Airtable cursor, stopping processing.') // Re-throw to break loop clearly
+            throw new Error('Failed to save Airtable cursor, stopping processing.')
           }
         } else if (!nextCursor || typeof nextCursor !== 'number') {
           logger.warn(`[${requestId}] Invalid or missing cursor received, stopping poll`, {
@@ -344,7 +330,7 @@ async function fetchAndProcessAirtablePayloads(
           })
           mightHaveMore = false
         } else if (nextCursor === currentCursor) {
-          mightHaveMore = false // Explicitly stop if cursor hasn't changed
+          mightHaveMore = false
         }
       } catch (fetchError: unknown) {
         logger.error(
@@ -355,7 +341,6 @@ async function fetchAndProcessAirtablePayloads(
         break
       }
     }
-    // Convert map values to array for final processing
     const finalConsolidatedChanges = Array.from(consolidatedChangesMap.values())
     logger.info(
       `[${requestId}] Consolidated ${finalConsolidatedChanges.length} Airtable changes across ${apiCallCount} API calls`
@@ -367,9 +352,7 @@ async function fetchAndProcessAirtablePayloads(
         const input: Record<string, unknown> = {
           payloads: allPayloads,
           latestPayload,
-          // Consolidated, simplified changes for convenience
           airtableChanges: finalConsolidatedChanges,
-          // Include webhook metadata for resolver fallbacks
           webhook: {
             data: {
               provider: 'airtable',
@@ -416,7 +399,6 @@ async function fetchAndProcessAirtablePayloads(
       })
     }
   } catch (error) {
-    // Catch any unexpected errors during the setup/polling logic itself
     logger.error(
       `[${requestId}] Unexpected error during asynchronous Airtable payload processing task`,
       {

apps/sim/lib/webhooks/providers/hubspot.ts

@@ -30,11 +30,6 @@ export const hubspotHandler: WebhookProviderHandler = {
     }
 
     try {
-      /**
-       * HubSpot v1 signature: SHA-256 of (clientSecret + requestBody), verified against X-HubSpot-Signature.
-       * v1 is intentionally used for CRM webhook subscriptions — v3 requires the full request URL and method,
-       * which are not available in verifyAuth.
-       */
       const computedHash = crypto
         .createHash('sha256')
         .update(clientSecret + rawBody, 'utf8')

apps/sim/lib/webhooks/providers/webflow.ts

@@ -3,6 +3,7 @@ import { createLogger } from '@sim/logger'
 import { safeCompare } from '@sim/security/compare'
 import { toError } from '@sim/utils/errors'
 import { NextResponse } from 'next/server'
+import { env } from '@/lib/core/config/env'
 import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { getCredentialOwner, getProviderConfig } from '@/lib/webhooks/provider-subscription-utils'
@@ -25,11 +26,10 @@ export const webflowHandler: WebhookProviderHandler = {
     const secretKey = providerConfig.secretKey as string | undefined | null
 
     if (!secretKey) {
-      // Fail-open for existing webhooks created before this change (no secretKey stored)
       logger.warn(
-        `[${requestId}] Webflow webhook missing secretKey in providerConfig — skipping signature verification`
+        `[${requestId}] Webflow webhook missing secretKey in providerConfig — rejecting request`
       )
-      return null
+      return new NextResponse('Unauthorized - Webhook secret not configured', { status: 401 })
     }
 
     const signature = request.headers.get('x-webflow-signature')
@@ -40,16 +40,14 @@ export const webflowHandler: WebhookProviderHandler = {
       return new NextResponse('Unauthorized - Missing Webflow signature headers', { status: 401 })
     }
 
-    // Replay protection: reject if timestamp is more than 5 minutes old.
-    // x-webflow-timestamp is Unix milliseconds (e.g. 1722370035277) — compare directly with Date.now().
+    // x-webflow-timestamp is Unix milliseconds — compare directly with Date.now()
     const ts = Number.parseInt(timestamp, 10)
     if (Number.isNaN(ts) || Date.now() - ts > 5 * 60 * 1000) {
       logger.warn(`[${requestId}] Webflow webhook timestamp expired or invalid`)
       return new NextResponse('Unauthorized - Webhook timestamp expired', { status: 401 })
     }
 
     try {
-      // HMAC-SHA256 of "${timestamp}:${rawBody}"
       const computedHash = crypto
         .createHmac('sha256', secretKey)
         .update(`${timestamp}:${rawBody}`, 'utf8')
@@ -188,11 +186,11 @@ export const webflowHandler: WebhookProviderHandler = {
       return {
         providerConfigUpdates: {
           externalId: responseBody.id || responseBody._id,
-          secretKey: responseBody.secretKey,
+          secretKey: responseBody.secretKey ?? env.WEBFLOW_CLIENT_SECRET ?? null,
         },
       }
     } catch (error: unknown) {
-      const err = error as Error
+      const err = toError(error)
       logger.error(
         `[${requestId}] Exception during Webflow webhook creation for webhook ${webhookRecord.id}.`,
         {