fix(triggers): scope webhook secrets to owner and add Zendesk replay protection

Address review feedback:
- Add paramVisibility: 'user-only' to the webhookSecret fields for GitLab,
  PagerDuty, and Zendesk so signing secrets are scoped to the credential
  owner and not exposed to workspace collaborators (repo convention).
- Reject Zendesk deliveries whose signed timestamp is more than 5 minutes
  from now, closing a replay window once an event id ages out of the
  idempotency cache. The X-Zendesk-Webhook-Signature-Timestamp header is
  ISO-8601, so it is parsed with Date.parse (matches the Slack handler's
  skew-check convention).

Author: waleedlatif1

apps/sim/lib/webhooks/providers/zendesk.ts

@@ -16,6 +16,20 @@ function asRecord(value: unknown): Record<string, unknown> {
   return (value as Record<string, unknown>) || {}
 }
 
+/** Maximum allowed clock skew (5 minutes) between Zendesk's signed timestamp and now, per Zendesk docs. */
+const ZENDESK_TIMESTAMP_MAX_SKEW_MS = 5 * 60 * 1000
+
+/**
+ * Verify the signed timestamp is recent to prevent replay of captured deliveries.
+ * Zendesk sends `X-Zendesk-Webhook-Signature-Timestamp` as an ISO-8601 string
+ * (e.g. `2025-01-24T15:30:00.000Z`), so it is parsed with `Date.parse`.
+ */
+function isZendeskTimestampFresh(timestamp: string): boolean {
+  const signedAt = Date.parse(timestamp)
+  if (Number.isNaN(signedAt)) return false
+  return Math.abs(Date.now() - signedAt) <= ZENDESK_TIMESTAMP_MAX_SKEW_MS
+}
+
 /**
  * Zendesk signs `timestamp + rawBody` (no separator) with HMAC-SHA256 keyed by
  * the webhook's signing secret, then base64-encodes it into
@@ -49,6 +63,13 @@ export const zendeskHandler: WebhookProviderHandler = {
       return new NextResponse('Unauthorized - Missing Zendesk signature', { status: 401 })
     }
 
+    if (!isZendeskTimestampFresh(timestamp)) {
+      logger.warn(`[${requestId}] Zendesk webhook timestamp outside the allowed window`, {
+        timestamp,
+      })
+      return new NextResponse('Unauthorized - Stale Zendesk timestamp', { status: 401 })
+    }
+
     if (!validateZendeskSignature(secret, signature, timestamp, rawBody)) {
       logger.warn(`[${requestId}] Zendesk signature verification failed`)
       return new NextResponse('Unauthorized - Invalid Zendesk signature', { status: 401 })

apps/sim/triggers/gitlab/utils.ts

@@ -59,6 +59,7 @@ export function buildGitLabExtraFields(triggerId: string): SubBlockConfig[] {
       placeholder: 'Generate or enter a strong secret token',
       description: 'Validates that webhook deliveries originate from GitLab (X-Gitlab-Token).',
       password: true,
+      paramVisibility: 'user-only',
       required: false,
       mode: 'trigger',
       condition: { field: 'selectedTriggerId', value: triggerId },

apps/sim/triggers/pagerduty/utils.ts

@@ -57,6 +57,7 @@ export function buildPagerDutyExtraFields(triggerId: string): SubBlockConfig[] {
       description:
         'Validates that webhook deliveries originate from PagerDuty (X-PagerDuty-Signature).',
       password: true,
+      paramVisibility: 'user-only',
       required: false,
       mode: 'trigger',
       condition: { field: 'selectedTriggerId', value: triggerId },

apps/sim/triggers/zendesk/utils.ts

@@ -55,6 +55,7 @@ export function buildZendeskExtraFields(triggerId: string): SubBlockConfig[] {
       description:
         'Validates that webhook deliveries originate from Zendesk (X-Zendesk-Webhook-Signature).',
       password: true,
+      paramVisibility: 'user-only',
       required: false,
       mode: 'trigger',
       condition: { field: 'selectedTriggerId', value: triggerId },