fix(triggers): fail closed on missing webhook secret and clean up Zendesk orphans

Address review feedback on the auto-registration changes:
- verifyAuth now rejects (401) when webhookSecret is absent for GitLab,
  PagerDuty, and Zendesk. Since the secret is generated/fetched during
  auto-registration and stored before the webhook can receive deliveries, a
  missing secret indicates misconfiguration and must fail closed rather than
  skip signature verification. Adds an opt-in requireSecret flag to
  createHmacVerifier (default off, preserving behavior for other providers).
- Zendesk createSubscription now deletes the just-created webhook if the
  follow-up signing-secret fetch fails, avoiding an orphaned subscription in
  Zendesk when setup cannot complete.

Author: waleedlatif1

apps/sim/lib/webhooks/providers/gitlab.ts

@@ -29,12 +29,14 @@ function gitlabProjectHooksUrl(projectId: string): string {
 export const gitlabHandler: WebhookProviderHandler = {
   /**
    * GitLab echoes the configured "Secret token" verbatim in the `X-Gitlab-Token`
-   * header (plain equality, not an HMAC). Skip verification when no token is set.
+   * header (plain equality, not an HMAC). The secret is generated during
+   * auto-registration, so a missing secret means misconfiguration — fail closed.
    */
   verifyAuth({ request, requestId, providerConfig }: AuthContext) {
     const secret = providerConfig.webhookSecret as string | undefined
     if (!secret) {
-      return null
+      logger.warn(`[${requestId}] GitLab webhook secret not configured`)
+      return new NextResponse('Unauthorized - Missing GitLab webhook secret', { status: 401 })
     }
 
     const token = request.headers.get('X-Gitlab-Token')

apps/sim/lib/webhooks/providers/pagerduty.ts

@@ -60,6 +60,9 @@ export const pagerdutyHandler: WebhookProviderHandler = {
     headerName: 'X-PagerDuty-Signature',
     validateFn: validatePagerDutySignature,
     providerLabel: 'PagerDuty',
+    // The signing secret is captured during auto-registration, so a missing
+    // secret means misconfiguration — fail closed rather than skip verification.
+    requireSecret: true,
   }),
 
   async matchEvent({ body, requestId, providerConfig }: EventMatchContext) {

apps/sim/lib/webhooks/providers/utils.ts

@@ -11,6 +11,12 @@ interface HmacVerifierOptions {
   headerName: string
   validateFn: (secret: string, signature: string, rawBody: string) => boolean | Promise<boolean>
   providerLabel: string
+  /**
+   * When true, reject (401) if no secret is configured instead of skipping
+   * verification. Use for providers where the secret is always present (e.g.
+   * auto-registered webhooks) so a missing secret fails closed.
+   */
+  requireSecret?: boolean
 }
 
 /**
@@ -22,6 +28,7 @@ export function createHmacVerifier({
   headerName,
   validateFn,
   providerLabel,
+  requireSecret = false,
 }: HmacVerifierOptions) {
   return async ({
     request,
@@ -31,6 +38,12 @@ export function createHmacVerifier({
   }: AuthContext): Promise<NextResponse | null> => {
     const secret = providerConfig[configKey] as string | undefined
     if (!secret) {
+      if (requireSecret) {
+        logger.warn(`[${requestId}] ${providerLabel} webhook secret not configured`)
+        return new NextResponse(`Unauthorized - Missing ${providerLabel} webhook secret`, {
+          status: 401,
+        })
+      }
       return null
     }
 

apps/sim/lib/webhooks/providers/zendesk.ts

@@ -30,6 +30,18 @@ function zendeskAuthHeader(email: string, apiToken: string): string {
   return `Basic ${Buffer.from(`${email}/token:${apiToken}`).toString('base64')}`
 }
 
+/** Best-effort delete used to avoid orphaning a webhook when post-create setup fails. */
+async function deleteZendeskWebhookQuietly(
+  apiBase: string,
+  authHeader: string,
+  webhookId: string
+): Promise<void> {
+  await fetch(`${apiBase}/webhooks/${webhookId}`, {
+    method: 'DELETE',
+    headers: { Authorization: authHeader },
+  }).catch(() => {})
+}
+
 /** Maximum allowed clock skew (5 minutes) between Zendesk's signed timestamp and now, per Zendesk docs. */
 const ZENDESK_TIMESTAMP_MAX_SKEW_MS = 5 * 60 * 1000
 
@@ -67,7 +79,10 @@ export const zendeskHandler: WebhookProviderHandler = {
   verifyAuth({ request, rawBody, requestId, providerConfig }: AuthContext) {
     const secret = providerConfig.webhookSecret as string | undefined
     if (!secret) {
-      return null
+      // The signing secret is fetched during auto-registration, so a missing
+      // secret means misconfiguration — fail closed rather than skip.
+      logger.warn(`[${requestId}] Zendesk webhook secret not configured`)
+      return new NextResponse('Unauthorized - Missing Zendesk webhook secret', { status: 401 })
     }
 
     const signature = request.headers.get('X-Zendesk-Webhook-Signature')
@@ -201,12 +216,17 @@ export const zendeskHandler: WebhookProviderHandler = {
         `[${ctx.requestId}] Created Zendesk webhook ${externalId} but failed to fetch signing secret (${secretRes.status})`,
         { detail }
       )
+      // Avoid leaving an orphaned webhook in Zendesk when secret retrieval fails.
+      await deleteZendeskWebhookQuietly(apiBase, authHeader, externalId)
       throw new Error(`Failed to fetch Zendesk signing secret: ${secretRes.status}`)
     }
 
     const secretBody = asRecord((await secretRes.json().catch(() => ({}))) as unknown)
     const secret = asRecord(secretBody.signing_secret).secret as string | undefined
-    if (!secret) throw new Error('Zendesk did not return a signing secret for the webhook.')
+    if (!secret) {
+      await deleteZendeskWebhookQuietly(apiBase, authHeader, externalId)
+      throw new Error('Zendesk did not return a signing secret for the webhook.')
+    }
 
     logger.info(`[${ctx.requestId}] Created Zendesk webhook ${externalId}`)
     return { providerConfigUpdates: { externalId, webhookSecret: secret } }