feat: add object/array body param types and per-option show/hide on d… (#6273)

jchui-wd · web-flow · commit 0a50bf91977c · 2026-04-24T14:06:23.000-07:00
* feat: add webhook secret &amp; HMAC signature verification to webhook trigger

Adds server-side webhook secret management (generate/clear/verify) and a
UI control in the Start node for configuring the secret, signature header,
and signature type (HMAC-SHA256 or plain token). Raw request body is now
captured before JSON parsing so HMAC signatures can be verified against the
original bytes. Migrations added for all four supported databases.

* fix: accept string-coerced numbers and booleans in webhook body type validation

application/x-www-form-urlencoded payloads deliver all values as strings,
so the strict typeof check was incorrectly rejecting valid numeric ("42")
and boolean ("true"/"false") values. Updated the filter to coerce and
validate instead, with tests covering both JSON and form-encoded cases.

* Added HITL support for webhooks

* feat: add async callback URL to webhook trigger
Optional Callback URL / Secret on the Start node (or x-callback-url
header). Webhook now returns 202 immediately and POSTs SUCCESS,
STOPPED (HITL), or ERROR to the callback URL, signed with HMAC-SHA256
when a secret is set. Retries 3x with 0s/3s/6s backoff.

* feat: add object/array body param types and per-option show/hide on dropdowns

- Add object, array[string/number/boolean/object] as webhook body param types, available when content type is application/json
- Extend options fields with show/hide conditions so individual dropdown choices can be hidden based on other param values
diff --git a/packages/agentflow/src/core/types/node.ts b/packages/agentflow/src/core/types/node.ts
@@ -84,7 +84,17 @@ export interface InputParam {
     type: string
     default?: unknown
     optional?: boolean
-    options?: Array<{ label: string; name: string; description?: string; client?: Array<ClientType> } | string>
+    options?: Array<
+        | {
+              label: string
+              name: string
+              description?: string
+              client?: Array<ClientType>
+              show?: Record<string, unknown>
+              hide?: Record<string, unknown>
+          }
+        | string
+    >
     placeholder?: string
     rows?: number
     description?: string
diff --git a/packages/agentflow/src/core/utils/fieldVisibility.test.ts b/packages/agentflow/src/core/utils/fieldVisibility.test.ts
@@ -194,6 +194,104 @@ describe('evaluateFieldVisibility', () => {
         expect(params[0].display).toBeUndefined()
         expect(params[1].display).toBeUndefined()
     })
+
+    describe('option-level show/hide filtering', () => {
+        it('removes options whose hide condition matches', () => {
+            const param = makeParam({
+                type: 'options',
+                options: [
+                    { label: 'String', name: 'string' },
+                    { label: 'Object', name: 'object', hide: { contentType: 'application/x-www-form-urlencoded' } }
+                ] as any
+            })
+
+            const result = evaluateFieldVisibility([param], { contentType: 'application/x-www-form-urlencoded' })
+            expect(result[0].options).toHaveLength(1)
+            expect(result[0].options![0]).toMatchObject({ name: 'string' })
+        })
+
+        it('keeps options whose hide condition does not match', () => {
+            const param = makeParam({
+                type: 'options',
+                options: [
+                    { label: 'String', name: 'string' },
+                    { label: 'Object', name: 'object', hide: { contentType: 'application/x-www-form-urlencoded' } }
+                ] as any
+            })
+
+            const result = evaluateFieldVisibility([param], { contentType: 'application/json' })
+            expect(result[0].options).toHaveLength(2)
+        })
+
+        it('removes options whose show condition does not match', () => {
+            const param = makeParam({
+                type: 'options',
+                options: [
+                    { label: 'Basic', name: 'basic' },
+                    { label: 'Advanced', name: 'advanced', show: { mode: 'expert' } }
+                ] as any
+            })
+
+            const result = evaluateFieldVisibility([param], { mode: 'beginner' })
+            expect(result[0].options).toHaveLength(1)
+            expect(result[0].options![0]).toMatchObject({ name: 'basic' })
+        })
+
+        it('keeps options whose show condition matches', () => {
+            const param = makeParam({
+                type: 'options',
+                options: [
+                    { label: 'Basic', name: 'basic' },
+                    { label: 'Advanced', name: 'advanced', show: { mode: 'expert' } }
+                ] as any
+            })
+
+            const result = evaluateFieldVisibility([param], { mode: 'expert' })
+            expect(result[0].options).toHaveLength(2)
+        })
+
+        it('passes through string options unchanged', () => {
+            const param = makeParam({
+                type: 'options',
+                options: ['one', 'two', 'three'] as any
+            })
+
+            const result = evaluateFieldVisibility([param], {})
+            expect(result[0].options).toHaveLength(3)
+        })
+
+        it('passes through options with no show/hide unchanged', () => {
+            const param = makeParam({
+                type: 'options',
+                options: [
+                    { label: 'A', name: 'a' },
+                    { label: 'B', name: 'b' }
+                ] as any
+            })
+
+            const result = evaluateFieldVisibility([param], {})
+            expect(result[0].options).toHaveLength(2)
+        })
+
+        it('does not mutate the original options array', () => {
+            const options = [
+                { label: 'String', name: 'string' },
+                { label: 'Object', name: 'object', hide: { contentType: 'application/x-www-form-urlencoded' } }
+            ] as any
+            const param = makeParam({ type: 'options', options })
+
+            evaluateFieldVisibility([param], { contentType: 'application/x-www-form-urlencoded' })
+
+            // Original options array is untouched
+            expect(options).toHaveLength(2)
+        })
+
+        it('does not affect non-options params', () => {
+            const param = makeParam({ type: 'string' })
+            const result = evaluateFieldVisibility([param], {})
+            expect(result[0].options).toBeUndefined()
+        })
+    })
 })
 
 describe('evaluateFieldVisibility – nested array $index pattern (Start node formInputTypes)', () => {
diff --git a/packages/agentflow/src/core/utils/fieldVisibility.ts b/packages/agentflow/src/core/utils/fieldVisibility.ts
@@ -129,13 +129,27 @@ export function evaluateParamVisibility(param: InputParam, inputValues: Record<s
 
 /**
  * Evaluate visibility for all params, returning new param objects with computed `display`.
+ * Also filters individual options within `type: 'options'` params based on their own show/hide conditions.
  * Does not mutate the originals.
  */
 export function evaluateFieldVisibility(params: InputParam[], inputValues: Record<string, unknown>, arrayIndex?: number): InputParam[] {
-    return params.map((param) => ({
-        ...param,
-        display: evaluateParamVisibility(param, inputValues, arrayIndex)
-    }))
+    return params.map((param) => {
+        const withDisplay = { ...param, display: evaluateParamVisibility(param, inputValues, arrayIndex) }
+
+        if (withDisplay.type === 'options' && withDisplay.options) {
+            const filteredOptions = withDisplay.options.filter((opt) => {
+                if (typeof opt === 'string' || (!opt.show && !opt.hide)) return true
+                return evaluateParamVisibility(
+                    { id: '', name: '', label: '', type: '', show: opt.show, hide: opt.hide },
+                    inputValues,
+                    arrayIndex
+                )
+            })
+            return filteredOptions.length === withDisplay.options.length ? withDisplay : { ...withDisplay, options: filteredOptions }
+        }
+
+        return withDisplay
+    })
 }
 
 /**
diff --git a/packages/components/nodes/agentflow/Start/Start.ts b/packages/components/nodes/agentflow/Start/Start.ts
@@ -291,6 +291,31 @@ class Start_Agentflow implements INode {
                             {
                                 label: 'Boolean',
                                 name: 'boolean'
+                            },
+                            {
+                                label: 'Object',
+                                name: 'object',
+                                hide: { webhookContentType: 'application/x-www-form-urlencoded' }
+                            },
+                            {
+                                label: 'Array[String]',
+                                name: 'array[string]',
+                                hide: { webhookContentType: 'application/x-www-form-urlencoded' }
+                            },
+                            {
+                                label: 'Array[Number]',
+                                name: 'array[number]',
+                                hide: { webhookContentType: 'application/x-www-form-urlencoded' }
+                            },
+                            {
+                                label: 'Array[Boolean]',
+                                name: 'array[boolean]',
+                                hide: { webhookContentType: 'application/x-www-form-urlencoded' }
+                            },
+                            {
+                                label: 'Array[Object]',
+                                name: 'array[object]',
+                                hide: { webhookContentType: 'application/x-www-form-urlencoded' }
                             }
                         ],
                         default: 'string'
diff --git a/packages/components/src/Interface.ts b/packages/components/src/Interface.ts
@@ -64,6 +64,8 @@ export interface INodeOptionsValue {
     description?: string
     imageSrc?: string
     client?: Array<ClientType>
+    show?: INodeDisplay
+    hide?: INodeDisplay
 }
 
 export interface INodeOutputsValue {
diff --git a/packages/server/src/services/webhook/index.test.ts b/packages/server/src/services/webhook/index.test.ts
@@ -260,6 +260,146 @@ describe('validateWebhookChatflow', () => {
         })
     })
 
+    // --- object type ---
+
+    it('resolves when object param is a plain object', async () => {
+        mockGetChatflowById.mockResolvedValue(
+            makeChatflow('webhookTrigger', { webhookBodyParams: [{ name: 'meta', type: 'object', required: false }] })
+        )
+
+        await expect(webhookService.validateWebhookChatflow('some-id', undefined, { meta: { key: 'val' } })).resolves.toMatchObject({})
+    })
+
+    it('throws 400 when object param is a string', async () => {
+        mockGetChatflowById.mockResolvedValue(
+            makeChatflow('webhookTrigger', { webhookBodyParams: [{ name: 'meta', type: 'object', required: false }] })
+        )
+
+        await expect(webhookService.validateWebhookChatflow('some-id', undefined, { meta: 'hello' })).rejects.toMatchObject({
+            statusCode: StatusCodes.BAD_REQUEST,
+            message: expect.stringContaining('meta')
+        })
+    })
+
+    it('throws 400 when object param is an array', async () => {
+        mockGetChatflowById.mockResolvedValue(
+            makeChatflow('webhookTrigger', { webhookBodyParams: [{ name: 'meta', type: 'object', required: false }] })
+        )
+
+        await expect(webhookService.validateWebhookChatflow('some-id', undefined, { meta: [1, 2] })).rejects.toMatchObject({
+            statusCode: StatusCodes.BAD_REQUEST,
+            message: expect.stringContaining('meta')
+        })
+    })
+
+    // --- array[string] type ---
+
+    it('resolves when array[string] param is an array of strings', async () => {
+        mockGetChatflowById.mockResolvedValue(
+            makeChatflow('webhookTrigger', { webhookBodyParams: [{ name: 'tags', type: 'array[string]', required: false }] })
+        )
+
+        await expect(webhookService.validateWebhookChatflow('some-id', undefined, { tags: ['a', 'b'] })).resolves.toMatchObject({})
+    })
+
+    it('throws 400 when array[string] param contains non-strings', async () => {
+        mockGetChatflowById.mockResolvedValue(
+            makeChatflow('webhookTrigger', { webhookBodyParams: [{ name: 'tags', type: 'array[string]', required: false }] })
+        )
+
+        await expect(webhookService.validateWebhookChatflow('some-id', undefined, { tags: [1, 2] })).rejects.toMatchObject({
+            statusCode: StatusCodes.BAD_REQUEST,
+            message: expect.stringContaining('tags')
+        })
+    })
+
+    it('throws 400 when array[string] param is not an array', async () => {
+        mockGetChatflowById.mockResolvedValue(
+            makeChatflow('webhookTrigger', { webhookBodyParams: [{ name: 'tags', type: 'array[string]', required: false }] })
+        )
+
+        await expect(webhookService.validateWebhookChatflow('some-id', undefined, { tags: 'hello' })).rejects.toMatchObject({
+            statusCode: StatusCodes.BAD_REQUEST,
+            message: expect.stringContaining('tags')
+        })
+    })
+
+    // --- array[number] type ---
+
+    it('resolves when array[number] param is an array of numbers', async () => {
+        mockGetChatflowById.mockResolvedValue(
+            makeChatflow('webhookTrigger', { webhookBodyParams: [{ name: 'scores', type: 'array[number]', required: false }] })
+        )
+
+        await expect(webhookService.validateWebhookChatflow('some-id', undefined, { scores: [1, 2, 3] })).resolves.toMatchObject({})
+    })
+
+    it('throws 400 when array[number] param contains non-numbers', async () => {
+        mockGetChatflowById.mockResolvedValue(
+            makeChatflow('webhookTrigger', { webhookBodyParams: [{ name: 'scores', type: 'array[number]', required: false }] })
+        )
+
+        await expect(webhookService.validateWebhookChatflow('some-id', undefined, { scores: ['a', 'b'] })).rejects.toMatchObject({
+            statusCode: StatusCodes.BAD_REQUEST,
+            message: expect.stringContaining('scores')
+        })
+    })
+
+    // --- array[boolean] type ---
+
+    it('resolves when array[boolean] param is an array of booleans', async () => {
+        mockGetChatflowById.mockResolvedValue(
+            makeChatflow('webhookTrigger', { webhookBodyParams: [{ name: 'flags', type: 'array[boolean]', required: false }] })
+        )
+
+        await expect(webhookService.validateWebhookChatflow('some-id', undefined, { flags: [true, false] })).resolves.toMatchObject({})
+    })
+
+    it('throws 400 when array[boolean] param contains boolean strings (no coercion for array elements)', async () => {
+        mockGetChatflowById.mockResolvedValue(
+            makeChatflow('webhookTrigger', { webhookBodyParams: [{ name: 'flags', type: 'array[boolean]', required: false }] })
+        )
+
+        await expect(webhookService.validateWebhookChatflow('some-id', undefined, { flags: ['true', 'false'] })).rejects.toMatchObject({
+            statusCode: StatusCodes.BAD_REQUEST,
+            message: expect.stringContaining('flags')
+        })
+    })
+
+    // --- array[object] type ---
+
+    it('resolves when array[object] param is an array of plain objects', async () => {
+        mockGetChatflowById.mockResolvedValue(
+            makeChatflow('webhookTrigger', { webhookBodyParams: [{ name: 'items', type: 'array[object]', required: false }] })
+        )
+
+        await expect(webhookService.validateWebhookChatflow('some-id', undefined, { items: [{ a: 1 }, { b: 2 }] })).resolves.toMatchObject(
+            {}
+        )
+    })
+
+    it('throws 400 when array[object] param contains non-objects', async () => {
+        mockGetChatflowById.mockResolvedValue(
+            makeChatflow('webhookTrigger', { webhookBodyParams: [{ name: 'items', type: 'array[object]', required: false }] })
+        )
+
+        await expect(webhookService.validateWebhookChatflow('some-id', undefined, { items: ['a', 'b'] })).rejects.toMatchObject({
+            statusCode: StatusCodes.BAD_REQUEST,
+            message: expect.stringContaining('items')
+        })
+    })
+
+    it('throws 400 when array[object] param contains nested arrays', async () => {
+        mockGetChatflowById.mockResolvedValue(
+            makeChatflow('webhookTrigger', { webhookBodyParams: [{ name: 'items', type: 'array[object]', required: false }] })
+        )
+
+        await expect(webhookService.validateWebhookChatflow('some-id', undefined, { items: [[1, 2]] })).rejects.toMatchObject({
+            statusCode: StatusCodes.BAD_REQUEST,
+            message: expect.stringContaining('items')
+        })
+    })
+
     // --- Query param validation ---
 
     it('throws 400 when a required query param is missing', async () => {
diff --git a/packages/server/src/services/webhook/index.ts b/packages/server/src/services/webhook/index.ts
@@ -96,6 +96,14 @@ const validateWebhookChatflow = async (
                 const val = body[p.name]
                 if (p.type === 'number') return val === '' || isNaN(Number(val))
                 if (p.type === 'boolean') return typeof val !== 'boolean' && val !== 'true' && val !== 'false'
+                if (p.type === 'object') return typeof val !== 'object' || val === null || Array.isArray(val)
+                if (p.type === 'array[string]') return !Array.isArray(val) || (val as unknown[]).some((el) => typeof el !== 'string')
+                if (p.type === 'array[number]') return !Array.isArray(val) || (val as unknown[]).some((el) => typeof el !== 'number')
+                if (p.type === 'array[boolean]') return !Array.isArray(val) || (val as unknown[]).some((el) => typeof el !== 'boolean')
+                if (p.type === 'array[object]')
+                    return (
+                        !Array.isArray(val) || (val as unknown[]).some((el) => typeof el !== 'object' || el === null || Array.isArray(el))
+                    )
                 return typeof val !== p.type
             })
             .map((p) => p.name)
diff --git a/packages/ui/src/utils/genericHelper.js b/packages/ui/src/utils/genericHelper.js
@@ -1292,6 +1292,17 @@ export const showHideInputs = (nodeData, inputType, overrideParams, arrayIndex)
         if (inputParam.hide) {
             _showHideOperation(nodeData, inputParam, 'hide', arrayIndex)
         }
+
+        // Filter individual options within dropdowns based on their own show/hide conditions
+        if (inputParam.type === 'options' && inputParam.options) {
+            inputParam.options = inputParam.options.filter((opt) => {
+                if (typeof opt === 'string' || (!opt.show && !opt.hide)) return true
+                const synthetic = { show: opt.show, hide: opt.hide, display: true }
+                if (opt.show) _showHideOperation(nodeData, synthetic, 'show', arrayIndex)
+                if (opt.hide) _showHideOperation(nodeData, synthetic, 'hide', arrayIndex)
+                return synthetic.display !== false
+            })
+        }
     }
 
     return params

Original file line number	Diff line number	Diff line change
`@@ -64,6 +64,8 @@ export interface INodeOptionsValue {`
`64`	`64`	`description?: string`
`65`	`65`	`imageSrc?: string`
`66`	`66`	`client?: Array<ClientType>`
	`67`	`+ show?: INodeDisplay`
	`68`	`+ hide?: INodeDisplay`
`67`	`69`	`}`
`68`	`70`
`69`	`71`	`export interface INodeOutputsValue {`