feat/533 webhook secrets#6227
feat/533 webhook secrets#6227jchui-wd wants to merge 2 commits intofeat/344-ambient-agents-webhooksfrom
Conversation
jchui-wd
changed the base branch from
feat/344-ambient-agents-webhooks
to
feat/389-Headers-Query-Params-Methods-Validation-Etc
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request enhances the webhook trigger functionality in Agentflows by adding support for HTTP method selection, Content-Type validation, and secure signature verification (HMAC-SHA256 and Plain Token). It introduces new configuration fields in the Start node, updates the database schema to store webhook secrets, and implements comprehensive validation logic in the backend. Additionally, the UI is updated to allow users to manage webhook secrets and access namespaced variables for headers, query parameters, and body content. Review feedback suggests refining the raw body storage type and improving type validation for form-encoded webhook payloads.
I am having trouble creating individual review comments. Click here to see my feedback.
packages/server/src/index.ts (168)
The buf provided by the verify callback of express.json and express.urlencoded is a Buffer. Casting it to a string using as unknown as string is misleading and potentially problematic if other parts of the application expect a string. Since verifyWebhookSignature correctly expects a Buffer, it is better to store it as such.
;(req as any).rawBody = buf
packages/server/src/services/webhook/index.ts (87-89)
The strict typeof check will fail for number and boolean types when the incoming request is application/x-www-form-urlencoded, as all values in the request body are parsed as strings by default. Consider adding logic to handle numeric strings and boolean strings (e.g., "true", "false") to improve compatibility with various webhook senders.
const typeMismatch = webhookBodyParams
.filter((p) => {
if (p.type == null || body?.[p.name] == null) return false
const val = body[p.name]
if (p.type === 'number') return isNaN(Number(val))
if (p.type === 'boolean') return typeof val !== 'boolean' && val !== 'true' && val !== 'false'
return typeof val !== p.type
})
.map((p) => p.name)
…gger Adds server-side webhook secret management (generate/clear/verify) and a UI control in the Start node for configuring the secret, signature header, and signature type (HMAC-SHA256 or plain token). Raw request body is now captured before JSON parsing so HMAC signatures can be verified against the original bytes. Migrations added for all four supported databases.
…validation
application/x-www-form-urlencoded payloads deliver all values as strings,
so the strict typeof check was incorrectly rejecting valid numeric ("42")
and boolean ("true"/"false") values. Updated the filter to coerce and
validate instead, with tests covering both JSON and form-encoded cases.
jchui-wd
force-pushed
the
feat/533-webhook-secrets
branch
from
6b46af4 to
e1affad
Compare
1 participant
Adds opt-in secret-based authentication for webhook-triggered agentflows.
Is Tied to #6217
Changes
Backend
webhookSecret(hidden) andwebhookSecretConfigured(boolean) columns onChatFlow, with migrations for all 4 databasesPOST /chatflows/:id/webhook-secretandDELETE /chatflows/:id/webhook-secretto generate/remove secretsStart Node (v1.2)
UI
Test Videos Demo
WrongSignatureType-Fail.mp4
WrongSignatureType-Fail.mp4
PlainToken-WrongHeaderName-Fail.mp4
PlainToken-WrongHeaderName-Fail.mp4
PlainToken-working.mp4
PlainToken-working.mp4
No-Secret-401.mp4
No-Secret-401.mp4
HMAC-non256-working.mp4
HMAC-non256-working.mp4
HMAC-256-working.mp4
HMAC-256-working.mp4
Screenshots
Signature Type
No Secrets Generated
Tests
