feat(webhook): expand internal fields filtering in webhook payload

Dobrunia · Dobrunia · commit c89717b6f68d · 2026-02-18T14:31:16.000+03:00
diff --git a/workers/webhook/src/templates/generic.ts b/workers/webhook/src/templates/generic.ts
@@ -2,9 +2,18 @@ import { Notification } from 'hawk-worker-sender/types/template-variables';
 import { WebhookDelivery } from '../../types/template';
 
 /**
- * List of internal fields that should not be exposed in webhook payload
+ * Internal/sensitive fields stripped from webhook payload at any nesting level
  */
-const INTERNAL_FIELDS = new Set(['host', 'hostOfStatic']);
+const INTERNAL_FIELDS = new Set([
+  'host',
+  'hostOfStatic',
+  'token',
+  'notifications',
+  'integrationId',
+  'notificationRuleId',
+  'visitedBy',
+  'uidAdded',
+]);
 
 /**
  * Recursively converts MongoDB ObjectIds and other non-JSON-safe values to strings
diff --git a/workers/webhook/tests/provider.test.ts b/workers/webhook/tests/provider.test.ts
@@ -61,24 +61,43 @@ describe('WebhookProvider', () => {
     expect(deliver.mock.calls[0][1].type).toBe('assignee');
   });
 
-  it('should strip internal fields (host, hostOfStatic) from payload', async () => {
+  it('should strip all internal/sensitive fields from payload', async () => {
     const provider = new WebhookProvider();
 
     await provider.send(webhookEndpointSample, {
-      type: 'payment-failed',
+      type: 'event',
       payload: {
         host: 'https://garage.hawk.so',
         hostOfStatic: 'https://api.hawk.so',
-        workspace: { name: 'Workspace' },
-        reason: 'Insufficient funds',
+        notificationRuleId: '123',
+        project: {
+          name: 'My Project',
+          token: 'secret-token',
+          integrationId: 'uuid',
+          uidAdded: 'user-id',
+          notifications: [{ rule: 'data' }],
+        },
+        events: [{
+          event: {
+            groupHash: 'abc',
+            visitedBy: ['user1'],
+          },
+        }],
       },
     } as any);
 
     const delivery = deliver.mock.calls[0][1];
 
     expect(delivery.payload).not.toHaveProperty('host');
     expect(delivery.payload).not.toHaveProperty('hostOfStatic');
-    expect(delivery.payload).toHaveProperty('reason', 'Insufficient funds');
+    expect(delivery.payload).not.toHaveProperty('notificationRuleId');
+    expect(delivery.payload.project).not.toHaveProperty('token');
+    expect(delivery.payload.project).not.toHaveProperty('integrationId');
+    expect(delivery.payload.project).not.toHaveProperty('uidAdded');
+    expect(delivery.payload.project).not.toHaveProperty('notifications');
+    expect(delivery.payload.project).toHaveProperty('name', 'My Project');
+    expect((delivery.payload.events as any[])[0].event).not.toHaveProperty('visitedBy');
+    expect((delivery.payload.events as any[])[0].event).toHaveProperty('groupHash', 'abc');
   });
 
   it('should handle all known notification types without throwing', async () => {
