Tenant PATCH request may lose webhook configuration for non-global Webhooks

[robotdan]

Tenant PATCH request may lose webhook configuration for non-global Webhooks

Description

If you have one or more webhooks configured with global: false which means you have to assign one or more tenants to the webhook instead of just receiving events for all tenants - calling PATCH w/out providing the webhookIds in the JSON body will remove this tenant from all webhooks.

Observed in version

1.46.1

Affects versions

TBD

Steps to reproduce

1. Create a tenant and enable at least one event.
2. Create a webhook as global: false with this tenant configured.
3. Make a PATCH request and change only tenant.name..
4. This tenant will be removed from the Webhook configuration.

Expected behavior

The webhook configuration should not be modified on a PATCH request unless webhookIds are specified in the JSON request body.

Workaround

Various options:

1. Provide the webhookIds in the request body just as you would with a PUT request.
2. Use PUT instead of PATCH
3. Configure webhooks to be global instead.

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

Additional context

Add any other context about the problem here.

Release Notes

When using the PATCH method on the Tenant API, if you previously had any explicit webhooks configured for this tenant, the association between the tenant and the webhook was lost. If you are not using webhooks, or all of your webhooks are configured for All tenants (webhook.global), this bug would not affect you.

[robotdan]

Internal:

• https://github.com/FusionAuth/fusionauth-app/commit/6e4ae720428350cdd78b198b324981890275851a
• https://github.com/FusionAuth/fusionauth-app/pull/297

[labiang]

PUT also has the same effect if retrieving the tenant using GET and then including it in the next PUT call (with any other data that you want to update).

This is happening because when you retrieve a tenant, it does not have a JSON key for the tenant's webhook configuration.

Although patch/put tenant does accept a webhookIds property (in the same JSON hierarchical level as tenant and not inside), if you retrieve a tenant using GET, that property will not be returned to you.

[robotdan]

Thanks for the additional detail @itstriolink this is helpful.

This is perhaps a confusing feature of this API. However, we do document the webhookIds for the PUT request so I think this is working as designed. I would be hesitant to change this documented behavior.

https://fusionauth.io/docs/v1/tech/apis/tenants#update-a-tenant

Maybe we should consider adding a flag to this API to indicate if you are trying to update the webhook config on a Tenant Update.

[robotdan]

I opened a separate issue to track this request @itstriolink thanks!

• Optionally require wehbook Ids on the Tenant Update API (PUT/PATCH) #2413