revert(webhooks): undo trigger auth hardening pending compat plan

waleedlatif1 · waleedlatif1 · commit 9b246bae88b8 · 2026-06-10T09:18:27.000-07:00
Reverts the Telegram inbound-token verification (3ed97a4, 41f133a) and the HMAC fail-closed change (5b6cae9). Production data shows ~79 live webhooks have no signing secret configured (63 GitHub, 9 Fireflies, 3 Jira, 2 Circleback, 1 Confluence, 1 Cal.com), so failing closed would 401 them. Restoring fail-open behavior until a backwards-compatible rollout (grandfather existing secretless webhooks / migration) is designed. Other security fixes on this branch are unaffected.
diff --git a/apps/sim/app/api/webhooks/trigger/[path]/route.ts b/apps/sim/app/api/webhooks/trigger/[path]/route.ts
@@ -111,11 +111,6 @@ async function handleWebhookPost(
   const responses: NextResponse[] = []
 
   for (const { webhook: foundWebhook, workflow: foundWorkflow } of webhooksForPath) {
-    const reachabilityResponse = handleProviderReachabilityTest(foundWebhook, body, requestId)
-    if (reachabilityResponse) {
-      return reachabilityResponse
-    }
-
     const authError = await verifyProviderAuth(
       foundWebhook,
       foundWorkflow,
@@ -131,6 +126,11 @@ async function handleWebhookPost(
       return authError
     }
 
+    const reachabilityResponse = handleProviderReachabilityTest(foundWebhook, body, requestId)
+    if (reachabilityResponse) {
+      return reachabilityResponse
+    }
+
     const preprocessResult = await checkWebhookPreprocessing(foundWorkflow, foundWebhook, requestId)
     if (preprocessResult.error) {
       if (webhooksForPath.length > 1) {
diff --git a/apps/sim/lib/webhooks/providers/github.ts b/apps/sim/lib/webhooks/providers/github.ts
@@ -48,12 +48,7 @@ export const githubHandler: WebhookProviderHandler = {
   verifyAuth({ request, rawBody, requestId, providerConfig }: AuthContext) {
     const secret = providerConfig.webhookSecret as string | undefined
     if (!secret) {
-      logger.warn(
-        `[${requestId}] GitHub webhook missing webhookSecret in providerConfig — rejecting request`
-      )
-      return new NextResponse('Unauthorized - GitHub signing secret not configured', {
-        status: 401,
-      })
+      return null
     }
 
     const signature =
diff --git a/apps/sim/lib/webhooks/providers/intercom.ts b/apps/sim/lib/webhooks/providers/intercom.ts
@@ -49,12 +49,7 @@ export const intercomHandler: WebhookProviderHandler = {
   verifyAuth({ request, rawBody, requestId, providerConfig }: AuthContext) {
     const secret = providerConfig.webhookSecret as string | undefined
     if (!secret) {
-      logger.warn(
-        `[${requestId}] Intercom webhook missing webhookSecret in providerConfig — rejecting request`
-      )
-      return new NextResponse('Unauthorized - Intercom signing secret not configured', {
-        status: 401,
-      })
+      return null
     }
 
     const signature = request.headers.get('X-Hub-Signature')
diff --git a/apps/sim/lib/webhooks/providers/telegram.test.ts b/apps/sim/lib/webhooks/providers/telegram.test.ts
diff --git a/apps/sim/lib/webhooks/providers/telegram.ts b/apps/sim/lib/webhooks/providers/telegram.ts
@@ -1,11 +1,6 @@
 import { db, webhook, workflowDeploymentVersion } from '@sim/db'
 import { createLogger } from '@sim/logger'
-import { safeCompare } from '@sim/security/compare'
-import { generateId } from '@sim/utils/id'
 import { and, eq, isNull, ne } from 'drizzle-orm'
-import * as ipaddr from 'ipaddr.js'
-import { NextResponse } from 'next/server'
-import { getClientIp } from '@/lib/core/utils/request'
 import { getNotificationUrl, getProviderConfig } from '@/lib/webhooks/provider-subscription-utils'
 import type {
   AuthContext,
@@ -19,63 +14,14 @@ import type {
 
 const logger = createLogger('WebhookProvider:Telegram')
 
-/**
- * Telegram's published source ranges for webhook delivery.
- * @see https://core.telegram.org/bots/webhooks
- */
-const TELEGRAM_WEBHOOK_CIDRS: ReadonlyArray<readonly [string, number]> = [
-  ['149.154.160.0', 20],
-  ['91.108.4.0', 22],
-] as const
-
-/** Whether a client IP falls inside Telegram's documented webhook source ranges. */
-function isTelegramWebhookIp(ip: string): boolean {
-  if (!ip || ip === 'unknown' || !ipaddr.isValid(ip)) {
-    return false
-  }
-  try {
-    const addr = ipaddr.process(ip)
-    if (addr.kind() !== 'ipv4') {
-      return false
-    }
-    return TELEGRAM_WEBHOOK_CIDRS.some(([network, prefix]) =>
-      addr.match([ipaddr.parse(network), prefix])
-    )
-  } catch {
-    return false
-  }
-}
-
 export const telegramHandler: WebhookProviderHandler = {
-  verifyAuth({ request, requestId, providerConfig }: AuthContext): NextResponse | null {
-    const secretToken = (providerConfig.secretToken as string | undefined)?.trim()
-
-    if (secretToken) {
-      const providedToken = request.headers.get('x-telegram-bot-api-secret-token')
-      if (!providedToken) {
-        logger.warn(
-          `[${requestId}] Telegram webhook missing secret token header — rejecting request`
-        )
-        return new NextResponse('Unauthorized - Missing Telegram secret token', { status: 401 })
-      }
-
-      if (!safeCompare(providedToken, secretToken)) {
-        logger.warn(`[${requestId}] Telegram secret token verification failed`)
-        return new NextResponse('Unauthorized - Invalid Telegram secret token', { status: 401 })
-      }
-
-      return null
-    }
-
-    const clientIp = getClientIp(request)
-    if (!isTelegramWebhookIp(clientIp)) {
+  verifyAuth({ request, requestId }: AuthContext) {
+    const userAgent = request.headers.get('user-agent')
+    if (!userAgent) {
       logger.warn(
-        `[${requestId}] Telegram webhook without a registered secret token rejected — source IP is not in Telegram's published ranges. Re-save the trigger to enable secret-token verification.`,
-        { clientIp }
+        `[${requestId}] Telegram webhook request has empty User-Agent header. This may be blocked by middleware.`
       )
-      return new NextResponse('Unauthorized - Untrusted Telegram webhook source', { status: 401 })
     }
-
     return null
   },
 
@@ -179,17 +125,14 @@ export const telegramHandler: WebhookProviderHandler = {
     const notificationUrl = getNotificationUrl(ctx.webhook)
     const telegramApiUrl = `https://api.telegram.org/bot${botToken}/setWebhook`
 
-    const existingSecretToken = (config.secretToken as string | undefined)?.trim()
-    const secretToken = existingSecretToken || generateId()
-
     try {
       const telegramResponse = await fetch(telegramApiUrl, {
         method: 'POST',
         headers: {
           'Content-Type': 'application/json',
           'User-Agent': 'TelegramBot/1.0',
         },
-        body: JSON.stringify({ url: notificationUrl, secret_token: secretToken }),
+        body: JSON.stringify({ url: notificationUrl }),
       })
 
       const responseBody = await telegramResponse.json()
@@ -213,7 +156,7 @@ export const telegramHandler: WebhookProviderHandler = {
       logger.info(
         `[${ctx.requestId}] Successfully created Telegram webhook for webhook ${ctx.webhook.id}`
       )
-      return { providerConfigUpdates: { secretToken } }
+      return {}
     } catch (error: unknown) {
       if (
         error instanceof Error &&
diff --git a/apps/sim/lib/webhooks/providers/utils.ts b/apps/sim/lib/webhooks/providers/utils.ts
@@ -16,10 +16,6 @@ interface HmacVerifierOptions {
 /**
  * Factory that creates a `verifyAuth` implementation for HMAC-signature-based providers.
  * Covers the common pattern: get secret → check header → validate signature → return 401 or null.
- *
- * Fails closed: when no signing secret is configured the request is rejected (401), matching
- * Stripe/WhatsApp/Vercel. A signed-provider webhook with no secret would otherwise accept any
- * unauthenticated body that knows the URL, downgrading the provider's mandatory signature check.
  */
 export function createHmacVerifier({
   configKey,
@@ -35,12 +31,7 @@ export function createHmacVerifier({
   }: AuthContext): Promise<NextResponse | null> => {
     const secret = providerConfig[configKey] as string | undefined
     if (!secret) {
-      logger.warn(
-        `[${requestId}] ${providerLabel} webhook missing signing secret in providerConfig — rejecting request`
-      )
-      return new NextResponse(`Unauthorized - ${providerLabel} signing secret not configured`, {
-        status: 401,
-      })
+      return null
     }
 
     const signature = request.headers.get(headerName)
diff --git a/apps/sim/triggers/circleback/webhook.ts b/apps/sim/triggers/circleback/webhook.ts
@@ -38,9 +38,8 @@ export const circlebackWebhookTrigger: TriggerConfig = {
       id: 'webhookSecret',
       title: 'Signing Secret',
       type: 'short-input',
-      placeholder: 'Paste signing secret from Circleback',
-      description:
-        'Validates that webhook deliveries originate from Circleback using HMAC-SHA256. Required: deliveries are rejected until this is set.',
+      placeholder: 'Paste signing secret from Circleback (optional)',
+      description: 'Validates that webhook deliveries originate from Circleback using HMAC-SHA256.',
       password: true,
       required: false,
       mode: 'trigger',
diff --git a/apps/sim/triggers/confluence/utils.ts b/apps/sim/triggers/confluence/utils.ts
@@ -54,7 +54,7 @@ export function buildConfluenceExtraFields(triggerId: string): SubBlockConfig[]
       type: 'short-input',
       placeholder: 'Enter a strong secret',
       description:
-        'Secret to validate webhook deliveries from Confluence using HMAC signature. Required: deliveries are rejected until this is set.',
+        'Optional secret to validate webhook deliveries from Confluence using HMAC signature',
       password: true,
       required: false,
       mode: 'trigger',
diff --git a/apps/sim/triggers/fireflies/transcription_complete.ts b/apps/sim/triggers/fireflies/transcription_complete.ts
@@ -25,8 +25,7 @@ export const firefliesTranscriptionCompleteTrigger: TriggerConfig = {
       title: 'Webhook Secret',
       type: 'short-input',
       placeholder: 'Enter your 16-32 character secret',
-      description:
-        'Secret key for HMAC signature verification (set in Fireflies dashboard). Required: deliveries are rejected until this is set.',
+      description: 'Secret key for HMAC signature verification (set in Fireflies dashboard)',
       password: true,
       required: false,
       mode: 'trigger',
diff --git a/apps/sim/triggers/github/webhook.ts b/apps/sim/triggers/github/webhook.ts
@@ -46,8 +46,7 @@ export const githubWebhookTrigger: TriggerConfig = {
       title: 'Webhook Secret',
       type: 'short-input',
       placeholder: 'Generate or enter a strong secret',
-      description:
-        'Validates that webhook deliveries originate from GitHub. Required: deliveries are rejected until this is set.',
+      description: 'Validates that webhook deliveries originate from GitHub.',
       password: true,
       required: false,
       mode: 'trigger',
diff --git a/apps/sim/triggers/greenhouse/utils.ts b/apps/sim/triggers/greenhouse/utils.ts
@@ -62,17 +62,17 @@ export function isGreenhouseEventMatch(triggerId: string, action: string): boole
 
 /**
  * Builds extra fields for Greenhouse triggers.
- * Includes the secret key used for HMAC signature verification.
+ * Includes an optional secret key for HMAC signature verification.
  */
 export function buildGreenhouseExtraFields(triggerId: string): SubBlockConfig[] {
   return [
     {
       id: 'secretKey',
-      title: 'Secret Key',
+      title: 'Secret Key (Optional)',
       type: 'short-input',
       placeholder: 'Enter the same secret key configured in Greenhouse',
       description:
-        'Used to verify the HMAC-SHA256 Signature header. Required: deliveries are rejected until a secret key is configured here and in Greenhouse.',
+        'When set, requests must include a valid Signature header (HMAC-SHA256). If left empty, the endpoint does not verify signatures—only use on a private URL you fully control.',
       password: true,
       mode: 'trigger',
       condition: { field: 'selectedTriggerId', value: triggerId },
@@ -101,7 +101,7 @@ export function greenhouseSetupInstructions(eventType: string): string {
     'In Greenhouse, go to <strong>Configure &gt; Dev Center &gt; Webhooks</strong>.',
     'Click <strong>Create New Webhook</strong>.',
     'Paste the Webhook URL into the <strong>Endpoint URL</strong> field.',
-    'Enter a <strong>Secret Key</strong> for HMAC signature verification. This is required — deliveries without a valid signature are rejected.',
+    'Enter a <strong>Secret Key</strong> for HMAC signature verification (recommended). Leave empty only if you accept unauthenticated POSTs to this URL.',
     `Under <strong>When</strong>, select the appropriate <strong>${eventType}</strong>.`,
     'Click <strong>Create Webhook</strong> to save.',
     'Click "Save" above to activate your trigger.',
diff --git a/apps/sim/triggers/jira/webhook.ts b/apps/sim/triggers/jira/webhook.ts
@@ -34,8 +34,7 @@ export const jiraWebhookTrigger: TriggerConfig = {
       title: 'Webhook Secret',
       type: 'short-input',
       placeholder: 'Enter a strong secret',
-      description:
-        'Secret to validate webhook deliveries from Jira using HMAC signature. Required: deliveries are rejected until this is set.',
+      description: 'Optional secret to validate webhook deliveries from Jira using HMAC signature',
       password: true,
       required: false,
       mode: 'trigger',
diff --git a/apps/sim/triggers/jsm/utils.ts b/apps/sim/triggers/jsm/utils.ts
@@ -49,8 +49,7 @@ function jsmWebhookSecretField(triggerId: string): SubBlockConfig {
     title: 'Webhook Secret',
     type: 'short-input',
     placeholder: 'Enter a strong secret',
-    description:
-      'Secret to validate webhook deliveries from Jira using HMAC signature. Required: deliveries are rejected until this is set.',
+    description: 'Optional secret to validate webhook deliveries from Jira using HMAC signature',
     password: true,
     required: false,
     mode: 'trigger',
diff --git a/apps/sim/triggers/typeform/webhook.ts b/apps/sim/triggers/typeform/webhook.ts
@@ -45,9 +45,9 @@ export const typeformWebhookTrigger: TriggerConfig = {
       id: 'secret',
       title: 'Webhook Secret',
       type: 'short-input',
-      placeholder: 'Enter a secret for webhook signature verification',
+      placeholder: 'Enter a secret for webhook signature verification (optional)',
       description:
-        'A secret string used to verify webhook authenticity. Required: deliveries are rejected until this is set. Generate a secure random string (min 20 characters recommended).',
+        'A secret string used to verify webhook authenticity. Highly recommended for security. Generate a secure random string (min 20 characters recommended).',
       password: true,
       required: false,
       mode: 'trigger',
