fix(security): add webhook HMAC signature verification for Airtable, HubSpot, and Webflow

[waleedlatif1]

Summary

• Airtable: implement verifyAuth using HMAC-SHA256 of the raw body keyed by the base64-decoded macSecretBase64 from providerConfig; compare against the hmac-sha256=<hex> prefix in X-Airtable-Content-MAC; fail-open with a warning when macSecretBase64 is absent (existing webhooks created before secret storage — no migration path since Airtable only returns the secret once at creation)
• HubSpot: implement verifyAuth using SHA-256(clientSecret + raw body) compared against X-HubSpot-Signature per the v1 CRM webhook spec; clientSecret is already a required subBlock field in all HubSpot triggers so no existing webhooks break
• Webflow: implement verifyAuth using HMAC-SHA256(secretKey, ${timestamp}:${rawBody}) compared against X-Webflow-Signature; store the secretKey from the webhook creation API response in providerConfig; add 5-minute replay protection via x-webflow-timestamp; fail-open when secretKey is absent for pre-existing webhooks
• All three implementations use safeCompare from @sim/security/compare for constant-time comparison and fail-closed on missing secrets (except for migration backwards-compat cases which fail-open with a warning log)

Type of Change

• Bug fix

Testing

Tested manually. Algorithms validated against official provider docs: Airtable webhooks overview, HubSpot webhook validation docs (v1 confirmed for CRM object subscriptions), Webflow Data API webhook docs. Airtable hmac-sha256= prefix confirmed from live header examples in community threads.

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		May 11, 2026 1:49am

[cursor]

PR Summary

High Risk
Adds/changes webhook request authentication logic; mistakes could incorrectly reject legitimate webhooks or allow spoofed requests, impacting workflow executions.

Overview
Secures webhook ingestion by adding per-provider request signature verification via new verifyAuth handlers for airtable, hubspot, and webflow.

Airtable now verifies X-Airtable-Content-MAC (HMAC-SHA256 of raw body using stored macSecretBase64, fail-open when missing) and persists macSecretBase64 when creating the webhook; HubSpot now verifies X-HubSpot-Signature using the v1 SHA-256 scheme and fails closed when clientSecret is absent; Webflow now verifies x-webflow-signature with timestamped HMAC plus 5-minute replay protection, stores secretKey at subscription creation, and fails open when legacy webhooks lack the secret.

Also normalizes the generated TOOL_RUNTIME_SCHEMAS object keys in tool-schemas-v1.ts (removing bracketed string keys) without changing schema content.

^{Reviewed by Cursor Bugbot for commit 6ccc7b4. Configure here.}

[greptile-apps]

Greptile Summary

This PR adds HMAC-based webhook signature verification to three providers (Airtable, HubSpot, Webflow) that previously had no verifyAuth implementation. All three handlers use safeCompare for constant-time comparison and follow provider-specific signing specs.

• Airtable: HMAC-SHA256 with a base64-decoded macSecretBase64 key against the hmac-sha256= prefixed header; fail-open when macSecretBase64 is absent (one-time creation secret, no migration path for existing webhooks).
• HubSpot: SHA-256 of clientSecret + rawBody against X-HubSpot-Signature; fail-closed since clientSecret is a required sub-block field; TSDoc comment explains the intentional v1 scheme choice.
• Webflow: HMAC-SHA256 of timestamp:rawBody with 5-minute replay protection; secretKey stored from the Webflow creation response; fail-open for pre-existing webhooks. The tool-schemas-v1.ts change is an unrelated cosmetic cleanup.

Confidence Score: 5/5

Safe to merge — the three new verifyAuth implementations are self-contained, follow provider-specific signing specs, and use constant-time comparison throughout.

All three handlers correctly compute and compare HMAC/hash signatures using Node's built-in crypto module. Constant-time comparison via safeCompare is used in every path. Fail-open/fail-closed decisions match the PR description and documented backwards-compat constraints. No functional regressions found in existing subscription creation or deletion logic.

No files require special attention — the security-critical verification paths in all three provider files look correct.

Important Files Changed

Filename	Overview
apps/sim/lib/webhooks/providers/airtable.ts	Adds verifyAuth with HMAC-SHA256 validation using base64-decoded macSecretBase64; fail-open on missing secret; stores macSecretBase64 from creation response in providerConfig.
apps/sim/lib/webhooks/providers/hubspot.ts	Adds verifyAuth with SHA-256(clientSecret + rawBody) against X-HubSpot-Signature (v1 scheme); fail-closed on missing secret; TSDoc comment explains intentional v1 choice.
apps/sim/lib/webhooks/providers/webflow.ts	Adds verifyAuth with HMAC-SHA256(secretKey, timestamp:rawBody) and 5-minute replay protection; secretKey stored from creation response; fail-open on missing secret; timestamp treated as milliseconds.
apps/sim/lib/copilot/generated/tool-schemas-v1.ts	Cosmetic cleanup: converts computed property keys from bracket notation to bare identifier notation; no functional change.

_{Reviews (3): Last reviewed commit: "fix(security): correct Webflow timestamp..." | Re-trigger Greptile}

[waleedlatif1]

@greptile

[waleedlatif1]

@cursor review

[waleedlatif1]

@cursor review

[waleedlatif1]

@greptile

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

^{Reviewed by Cursor Bugbot for commit 6ccc7b4. Configure here.}