feat:533 webhook secrets (#6227)

* feat: add webhook secret & HMAC signature verification to webhook trigger

Adds server-side webhook secret management (generate/clear/verify) and a
UI control in the Start node for configuring the secret, signature header,
and signature type (HMAC-SHA256 or plain token). Raw request body is now
captured before JSON parsing so HMAC signatures can be verified against the
original bytes. Migrations added for all four supported databases.

* fix: accept string-coerced numbers and booleans in webhook body type validation

application/x-www-form-urlencoded payloads deliver all values as strings,
so the strict typeof check was incorrectly rejecting valid numeric ("42")
and boolean ("true"/"false") values. Updated the filter to coerce and
validate instead, with tests covering both JSON and form-encoded cases.

* fix: prevent mass-assignment of webhookSecret fields in chatflow create/update

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: jchui-wd

packages/components/nodes/agentflow/Start/Start.ts

@@ -174,6 +174,45 @@ class Start_Agentflow implements INode {
                     startInputType: 'webhookTrigger'
                 }
             },
+            {
+                label: 'Webhook Secret',
+                name: 'webhookSecret',
+                type: 'string',
+                description:
+                    'Optional secret used to verify incoming requests. When set, configure Signature Header and Signature Type below to match your sender.',
+                optional: true,
+                show: {
+                    startInputType: 'webhookTrigger'
+                }
+            },
+            {
+                label: 'Signature Header',
+                name: 'webhookSignatureHeader',
+                type: 'string',
+                description:
+                    'The request header that carries the signature. e.g. x-hub-signature-256 for GitHub, stripe-signature for Stripe, x-gitlab-token for GitLab.',
+                placeholder: 'x-webhook-signature',
+                optional: true,
+                show: {
+                    startInputType: 'webhookTrigger'
+                }
+            },
+            {
+                label: 'Signature Type',
+                name: 'webhookSignatureType',
+                type: 'options',
+                description:
+                    'How to verify the signature. HMAC-SHA256 for GitHub, Stripe, Slack (supports sha256=<hex> prefix automatically). Plain Token for GitLab-style plain secret comparison.',
+                options: [
+                    { label: 'HMAC-SHA256', name: 'hmac-sha256' },
+                    { label: 'Plain Token', name: 'plain-token' }
+                ],
+                default: 'hmac-sha256',
+                optional: true,
+                show: {
+                    startInputType: 'webhookTrigger'
+                }
+            },
             {
                 label: 'Expected Query Parameters',
                 name: 'webhookQueryParams',

packages/server/src/Interface.ts

@@ -73,6 +73,8 @@ export interface IChatFlow {
     type?: ChatflowType
     mcpServerConfig?: string
     workspaceId: string
+    webhookSecret?: string | null
+    webhookSecretConfigured?: boolean
 }
 
 export interface IChatMessage {

packages/server/src/controllers/chatflows/index.ts

@@ -275,6 +275,44 @@ const checkIfChatflowHasChanged = async (req: Request, res: Response, next: Next
     }
 }
 
+const setWebhookSecret = async (req: Request, res: Response, next: NextFunction) => {
+    try {
+        if (!req.params.id) {
+            throw new InternalFlowiseError(
+                StatusCodes.PRECONDITION_FAILED,
+                `Error: chatflowsController.setWebhookSecret - id not provided!`
+            )
+        }
+        const workspaceId = req.user?.activeWorkspaceId
+        if (!workspaceId) {
+            throw new InternalFlowiseError(StatusCodes.UNAUTHORIZED, `Error: chatflowsController.setWebhookSecret - workspace not found!`)
+        }
+        const apiResponse = await chatflowsService.setWebhookSecret(req.params.id, workspaceId)
+        return res.json(apiResponse)
+    } catch (error) {
+        next(error)
+    }
+}
+
+const clearWebhookSecret = async (req: Request, res: Response, next: NextFunction) => {
+    try {
+        if (!req.params.id) {
+            throw new InternalFlowiseError(
+                StatusCodes.PRECONDITION_FAILED,
+                `Error: chatflowsController.clearWebhookSecret - id not provided!`
+            )
+        }
+        const workspaceId = req.user?.activeWorkspaceId
+        if (!workspaceId) {
+            throw new InternalFlowiseError(StatusCodes.UNAUTHORIZED, `Error: chatflowsController.clearWebhookSecret - workspace not found!`)
+        }
+        await chatflowsService.clearWebhookSecret(req.params.id, workspaceId)
+        return res.sendStatus(StatusCodes.NO_CONTENT)
+    } catch (error) {
+        next(error)
+    }
+}
+
 export default {
     checkIfChatflowIsValidForStreaming,
     checkIfChatflowIsValidForUploads,
@@ -286,5 +324,7 @@ export default {
     updateChatflow,
     getSinglePublicChatflow,
     getSinglePublicChatbotConfig,
-    checkIfChatflowHasChanged
+    checkIfChatflowHasChanged,
+    setWebhookSecret,
+    clearWebhookSecret
 }

packages/server/src/controllers/webhook/index.test.ts

@@ -165,7 +165,8 @@ describe('createWebhook', () => {
             { foo: 'bar' },
             'POST',
             expect.any(Object),
-            expect.any(Object)
+            expect.any(Object),
+            undefined // rawBody — not set on mock request
         )
     })
 })

packages/server/src/controllers/webhook/index.ts

@@ -7,7 +7,7 @@ import { InternalFlowiseError } from '../../errors/internalFlowiseError'
 
 const createWebhook = async (req: Request, res: Response, next: NextFunction) => {
     try {
-        if (req.params.id == null) {
+        if (typeof req.params === 'undefined' || !req.params.id) {
             throw new InternalFlowiseError(StatusCodes.PRECONDITION_FAILED, `Error: webhookController.createWebhook - id not provided!`)
         }
 
@@ -25,7 +25,15 @@ const createWebhook = async (req: Request, res: Response, next: NextFunction) =>
             }
         }
 
-        await webhookService.validateWebhookChatflow(req.params.id, workspaceId, body, req.method, req.headers, req.query)
+        await webhookService.validateWebhookChatflow(
+            req.params.id,
+            workspaceId,
+            body,
+            req.method,
+            req.headers,
+            req.query,
+            (req as any).rawBody
+        )
 
         // Namespace the webhook payload so $webhook.body.*, $webhook.headers.*, $webhook.query.* can coexist
         req.body = {

packages/server/src/database/entities/ChatFlow.ts

@@ -64,6 +64,12 @@ export class ChatFlow implements IChatFlow {
     @Column({ nullable: true, type: 'text' })
     mcpServerConfig?: string
 
+    @Column({ nullable: true, type: 'text', select: false })
+    webhookSecret?: string | null
+
+    @Column({ nullable: true, default: false })
+    webhookSecretConfigured?: boolean
+
     @Column({ nullable: false, type: 'text' })
     workspaceId: string
 }

packages/server/src/database/migrations/mariadb/1776240000003-AddWebhookSecretToChatFlow.ts

@@ -0,0 +1,14 @@
+import { MigrationInterface, QueryRunner } from 'typeorm'
+
+export class AddWebhookSecretToChatFlow1776240000003 implements MigrationInterface {
+    public async up(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query('ALTER TABLE `chat_flow` ADD COLUMN `webhookSecret` TEXT;')
+        await queryRunner.query('ALTER TABLE `chat_flow` ADD COLUMN `webhookSecretConfigured` BOOLEAN DEFAULT FALSE;')
+        await queryRunner.query('UPDATE `chat_flow` SET `webhookSecretConfigured` = TRUE WHERE `webhookSecret` IS NOT NULL;')
+    }
+
+    public async down(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query('ALTER TABLE `chat_flow` DROP COLUMN `webhookSecretConfigured`;')
+        await queryRunner.query('ALTER TABLE `chat_flow` DROP COLUMN `webhookSecret`;')
+    }
+}

packages/server/src/database/migrations/mariadb/index.ts

@@ -43,6 +43,7 @@ import { AddChatFlowNameIndex1759424809984 } from './1759424809984-AddChatFlowNa
 import { FixDocumentStoreFileChunkLongText1765000000000 } from './1765000000000-FixDocumentStoreFileChunkLongText'
 import { AddApiKeyPermission1765360298674 } from './1765360298674-AddApiKeyPermission'
 import { AddReasonContentToChatMessage1764759496768 } from './1764759496768-AddReasonContentToChatMessage'
+import { AddWebhookSecretToChatFlow1776240000003 } from './1776240000003-AddWebhookSecretToChatFlow'
 import { AddMcpServerConfigToChatFlow1767000000000 } from './1767000000000-AddMcpServerConfigToChatFlow'
 
 import { AddAuthTables1720230151482 } from '../../../enterprise/database/migrations/mariadb/1720230151482-AddAuthTables'
@@ -114,5 +115,6 @@ export const mariadbMigrations = [
     FixDocumentStoreFileChunkLongText1765000000000,
     AddApiKeyPermission1765360298674,
     AddReasonContentToChatMessage1764759496768,
+    AddWebhookSecretToChatFlow1776240000003,
     AddMcpServerConfigToChatFlow1767000000000
 ]

packages/server/src/database/migrations/mysql/1776240000002-AddWebhookSecretToChatFlow.ts

@@ -0,0 +1,14 @@
+import { MigrationInterface, QueryRunner } from 'typeorm'
+
+export class AddWebhookSecretToChatFlow1776240000002 implements MigrationInterface {
+    public async up(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query('ALTER TABLE `chat_flow` ADD COLUMN `webhookSecret` TEXT;')
+        await queryRunner.query('ALTER TABLE `chat_flow` ADD COLUMN `webhookSecretConfigured` BOOLEAN DEFAULT FALSE;')
+        await queryRunner.query('UPDATE `chat_flow` SET `webhookSecretConfigured` = TRUE WHERE `webhookSecret` IS NOT NULL;')
+    }
+
+    public async down(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query('ALTER TABLE `chat_flow` DROP COLUMN `webhookSecretConfigured`;')
+        await queryRunner.query('ALTER TABLE `chat_flow` DROP COLUMN `webhookSecret`;')
+    }
+}

packages/server/src/database/migrations/mysql/index.ts

@@ -44,6 +44,7 @@ import { AddChatFlowNameIndex1759424828558 } from './1759424828558-AddChatFlowNa
 import { FixDocumentStoreFileChunkLongText1765000000000 } from './1765000000000-FixDocumentStoreFileChunkLongText'
 import { AddApiKeyPermission1765360298674 } from './1765360298674-AddApiKeyPermission'
 import { AddReasonContentToChatMessage1764759496768 } from './1764759496768-AddReasonContentToChatMessage'
+import { AddWebhookSecretToChatFlow1776240000002 } from './1776240000002-AddWebhookSecretToChatFlow'
 import { AddMcpServerConfigToChatFlow1767000000000 } from './1767000000000-AddMcpServerConfigToChatFlow'
 
 import { AddAuthTables1720230151482 } from '../../../enterprise/database/migrations/mysql/1720230151482-AddAuthTables'
@@ -116,5 +117,6 @@ export const mysqlMigrations = [
     FixDocumentStoreFileChunkLongText1765000000000,
     AddApiKeyPermission1765360298674,
     AddReasonContentToChatMessage1764759496768,
+    AddWebhookSecretToChatFlow1776240000002,
     AddMcpServerConfigToChatFlow1767000000000
 ]