fix(webhooks): fail closed when Teams chat-subscription webhook id is unavailable

Hardens the clientState check so a missing webhook id (theoretically
unreachable, since the row is looked up by primary key) can never collapse
the expected value to an empty string that a forged clientState could match.

Author: waleedlatif1

apps/sim/lib/webhooks/providers/microsoft-teams.test.ts

@@ -101,6 +101,18 @@ describe('microsoftTeamsHandler verifyAuth (chat subscription clientState)', ()
     expect(res?.status).toBe(401)
   })
 
+  it('fails closed when the webhook record has no id', async () => {
+    const res = await microsoftTeamsHandler.verifyAuth!({
+      webhook: {},
+      workflow: {},
+      request: makeRequest(makeNotificationBody('')),
+      rawBody: makeNotificationBody(''),
+      requestId: 'test-req',
+      providerConfig: chatSubscriptionConfig,
+    })
+    expect(res?.status).toBe(401)
+  })
+
   it('does not require clientState for non-subscription trigger types', async () => {
     const res = await runVerifyAuth(JSON.stringify({ type: 'message', text: 'hi' }), {})
     expect(res).toBeNull()

apps/sim/lib/webhooks/providers/microsoft-teams.ts

@@ -498,6 +498,13 @@ export const microsoftTeamsHandler: WebhookProviderHandler = {
 
     if (providerConfig.triggerId === 'microsoftteams_chat_subscription') {
       const expectedClientState = String(webhook.id ?? '')
+      if (!expectedClientState) {
+        logger.warn(
+          `[${requestId}] Microsoft Teams chat subscription webhook missing id for clientState verification`
+        )
+        return new NextResponse('Unauthorized - Invalid clientState', { status: 401 })
+      }
+
       let notifications: unknown[] = []
       try {
         const parsed = JSON.parse(rawBody) as Record<string, unknown>