Files
simstudioai--sim/apps/sim/lib/webhooks/providers/zendesk.ts
T
wehub-resource-sync d25d482dc2
Publish CLI Package / publish-npm (push) Waiting to run
Publish Python SDK / publish-pypi (push) Waiting to run
Publish TypeScript SDK / publish-npm (push) Waiting to run
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:20:55 +08:00

285 lines
11 KiB
TypeScript

import crypto from 'crypto'
import { createLogger } from '@sim/logger'
import { safeCompare } from '@sim/security/compare'
import { NextResponse } from 'next/server'
import { getNotificationUrl, getProviderConfig } from '@/lib/webhooks/provider-subscription-utils'
import type {
AuthContext,
DeleteSubscriptionContext,
EventMatchContext,
FormatInputContext,
FormatInputResult,
SubscriptionContext,
SubscriptionResult,
WebhookProviderHandler,
} from '@/lib/webhooks/providers/types'
const logger = createLogger('WebhookProvider:Zendesk')
function asRecord(value: unknown): Record<string, unknown> {
return (value as Record<string, unknown>) || {}
}
/** Zendesk API base for a subdomain. */
function zendeskApiBase(subdomain: string): string {
return `https://${subdomain}.zendesk.com/api/v2`
}
/**
* Zendesk subdomains are bare hostname labels (letters, digits, internal hyphens).
* Rejecting anything else prevents the value from escaping the host portion of the
* interpolated URL (e.g. a subdomain containing `/` would redirect the request —
* and its Basic-auth admin credentials — to an attacker-controlled host).
*/
const ZENDESK_SUBDOMAIN_PATTERN = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i
function isValidZendeskSubdomain(subdomain: string): boolean {
return ZENDESK_SUBDOMAIN_PATTERN.test(subdomain)
}
/** Basic auth header for the Zendesk API-token scheme (`email/token:apiToken`). */
function zendeskAuthHeader(email: string, apiToken: string): string {
return `Basic ${Buffer.from(`${email}/token:${apiToken}`).toString('base64')}`
}
/** Best-effort delete used to avoid orphaning a webhook when post-create setup fails. */
async function deleteZendeskWebhookQuietly(
apiBase: string,
authHeader: string,
webhookId: string
): Promise<void> {
await fetch(`${apiBase}/webhooks/${webhookId}`, {
method: 'DELETE',
headers: { Authorization: authHeader },
}).catch(() => {})
}
/** Maximum allowed clock skew (5 minutes) between Zendesk's signed timestamp and now, per Zendesk docs. */
const ZENDESK_TIMESTAMP_MAX_SKEW_MS = 5 * 60 * 1000
/**
* Verify the signed timestamp is recent to prevent replay of captured deliveries.
* Zendesk sends `X-Zendesk-Webhook-Signature-Timestamp` as an ISO-8601 string
* (e.g. `2025-01-24T15:30:00.000Z`), so it is parsed with `Date.parse`.
*/
function isZendeskTimestampFresh(timestamp: string): boolean {
const signedAt = Date.parse(timestamp)
if (Number.isNaN(signedAt)) return false
return Math.abs(Date.now() - signedAt) <= ZENDESK_TIMESTAMP_MAX_SKEW_MS
}
/**
* Zendesk signs `timestamp + rawBody` (no separator) with HMAC-SHA256 keyed by
* the webhook's signing secret, then base64-encodes it into
* `X-Zendesk-Webhook-Signature`. The timestamp is sent in a separate header.
*/
function validateZendeskSignature(
secret: string,
signature: string,
timestamp: string,
body: string
): boolean {
if (!secret || !signature || !timestamp) return false
const computed = crypto
.createHmac('sha256', secret)
.update(timestamp + body, 'utf8')
.digest('base64')
return safeCompare(computed, signature)
}
export const zendeskHandler: WebhookProviderHandler = {
verifyAuth({ request, rawBody, requestId, providerConfig }: AuthContext) {
const secret = providerConfig.webhookSecret as string | undefined
if (!secret) {
logger.warn(`[${requestId}] Zendesk webhook secret not configured`)
return new NextResponse('Unauthorized - Missing Zendesk webhook secret', { status: 401 })
}
const signature = request.headers.get('X-Zendesk-Webhook-Signature')
const timestamp = request.headers.get('X-Zendesk-Webhook-Signature-Timestamp')
if (!signature || !timestamp) {
logger.warn(`[${requestId}] Zendesk webhook missing signature headers`)
return new NextResponse('Unauthorized - Missing Zendesk signature', { status: 401 })
}
if (!isZendeskTimestampFresh(timestamp)) {
logger.warn(`[${requestId}] Zendesk webhook timestamp outside the allowed window`, {
timestamp,
})
return new NextResponse('Unauthorized - Stale Zendesk timestamp', { status: 401 })
}
if (!validateZendeskSignature(secret, signature, timestamp, rawBody)) {
logger.warn(`[${requestId}] Zendesk signature verification failed`)
return new NextResponse('Unauthorized - Invalid Zendesk signature', { status: 401 })
}
return null
},
async matchEvent({ body, requestId, providerConfig }: EventMatchContext) {
const triggerId = providerConfig.triggerId as string | undefined
if (!triggerId || triggerId === 'zendesk_webhook') return true
const eventType = asRecord(body).type as string | undefined
const { isZendeskEventMatch } = await import('@/triggers/zendesk/utils')
if (!isZendeskEventMatch(triggerId, eventType || '')) {
logger.debug(
`[${requestId}] Zendesk event '${eventType}' does not match trigger ${triggerId}, skipping`
)
return false
}
return true
},
async formatInput({ body }: FormatInputContext): Promise<FormatInputResult> {
const b = asRecord(body)
const detail = asRecord(b.detail)
const via = asRecord(detail.via)
return {
input: {
event_id: b.id,
event_type: b.type,
time: b.time,
account_id: b.account_id,
ticket: {
id: detail.id,
subject: detail.subject,
status: detail.status,
priority: detail.priority,
ticket_type: detail.type,
description: detail.description,
requester_id: detail.requester_id,
assignee_id: detail.assignee_id,
group_id: detail.group_id,
organization_id: detail.organization_id,
tags: Array.isArray(detail.tags) ? detail.tags : [],
via_channel: via.channel,
is_public: detail.is_public,
created_at: detail.created_at,
updated_at: detail.updated_at,
},
event: b.event ?? null,
},
}
},
extractIdempotencyId(body: unknown) {
return (asRecord(body).id as string | undefined) || null
},
async createSubscription(ctx: SubscriptionContext): Promise<SubscriptionResult | undefined> {
const config = getProviderConfig(ctx.webhook)
const subdomain = config.subdomain as string | undefined
const email = config.email as string | undefined
const apiToken = config.apiToken as string | undefined
const triggerId = config.triggerId as string | undefined
if (!subdomain) throw new Error('Zendesk subdomain is required to create the webhook.')
if (!isValidZendeskSubdomain(subdomain)) {
throw new Error(
'Zendesk subdomain must contain only letters, numbers, and hyphens (e.g. "yourcompany").'
)
}
if (!email) throw new Error('Zendesk admin email is required to create the webhook.')
if (!apiToken) throw new Error('Zendesk API token is required to create the webhook.')
const { getZendeskSubscriptions } = await import('@/triggers/zendesk/utils')
const apiBase = zendeskApiBase(subdomain)
const authHeader = zendeskAuthHeader(email, apiToken)
const createRes = await fetch(`${apiBase}/webhooks`, {
method: 'POST',
headers: { Authorization: authHeader, 'Content-Type': 'application/json' },
body: JSON.stringify({
webhook: {
name: `Sim webhook (${ctx.webhook.id})`,
endpoint: getNotificationUrl(ctx.webhook),
http_method: 'POST',
request_format: 'json',
status: 'active',
subscriptions: getZendeskSubscriptions(triggerId ?? 'zendesk_webhook'),
},
}),
})
if (!createRes.ok) {
const detail = await createRes.text().catch(() => '')
logger.error(`[${ctx.requestId}] Failed to create Zendesk webhook (${createRes.status})`, {
detail,
})
if (createRes.status === 401 || createRes.status === 403) {
throw new Error(
'Zendesk authentication failed. Verify the subdomain, admin email, and API token.'
)
}
throw new Error(`Failed to create Zendesk webhook: ${createRes.status}`)
}
const created = asRecord((await createRes.json().catch(() => ({}))) as unknown)
const externalId = asRecord(created.webhook).id as string | undefined
if (!externalId) throw new Error('Zendesk webhook created but no webhook ID was returned.')
const secretRes = await fetch(`${apiBase}/webhooks/${externalId}/signing_secret`, {
headers: { Authorization: authHeader },
})
if (!secretRes.ok) {
const detail = await secretRes.text().catch(() => '')
logger.error(
`[${ctx.requestId}] Created Zendesk webhook ${externalId} but failed to fetch signing secret (${secretRes.status})`,
{ detail }
)
await deleteZendeskWebhookQuietly(apiBase, authHeader, externalId)
throw new Error(`Failed to fetch Zendesk signing secret: ${secretRes.status}`)
}
const secretBody = asRecord((await secretRes.json().catch(() => ({}))) as unknown)
const secret = asRecord(secretBody.signing_secret).secret as string | undefined
if (!secret) {
await deleteZendeskWebhookQuietly(apiBase, authHeader, externalId)
throw new Error('Zendesk did not return a signing secret for the webhook.')
}
logger.info(`[${ctx.requestId}] Created Zendesk webhook ${externalId}`)
return { providerConfigUpdates: { externalId, webhookSecret: secret } }
},
async deleteSubscription(ctx: DeleteSubscriptionContext): Promise<void> {
const config = getProviderConfig(ctx.webhook)
const subdomain = config.subdomain as string | undefined
const email = config.email as string | undefined
const apiToken = config.apiToken as string | undefined
const externalId = config.externalId as string | undefined
if (!subdomain || !email || !apiToken || !externalId) {
if (ctx.strict) throw new Error('Missing Zendesk credentials or webhook ID for deletion.')
logger.warn(
`[${ctx.requestId}] Skipping Zendesk webhook cleanup — missing credentials or webhook ID`
)
return
}
if (!isValidZendeskSubdomain(subdomain)) {
if (ctx.strict) throw new Error('Invalid Zendesk subdomain for deletion.')
logger.warn(`[${ctx.requestId}] Skipping Zendesk webhook cleanup — invalid subdomain`)
return
}
const res = await fetch(`${zendeskApiBase(subdomain)}/webhooks/${externalId}`, {
method: 'DELETE',
headers: { Authorization: zendeskAuthHeader(email, apiToken) },
})
if (!res.ok && res.status !== 404) {
if (ctx.strict) throw new Error(`Failed to delete Zendesk webhook: ${res.status}`)
logger.warn(
`[${ctx.requestId}] Failed to delete Zendesk webhook ${externalId} (non-fatal): ${res.status}`
)
return
}
logger.info(`[${ctx.requestId}] Deleted Zendesk webhook ${externalId}`)
},
}