fix(security): correct webhook signature algorithms for Webflow and Airtable

waleedlatif1 · waleedlatif1 · commit 3a3375456163 · 2026-05-14T19:19:35.000-07:00
- Webflow: sign `${timestamp}:${rawBody}` per official docs (was rawBody only),
  capture `secretKey` not `secretToken` from create response, add 5-minute
  replay protection via X-Webflow-Timestamp
- Airtable: use hmacSha256Hex for hmac-sha256=&lt;hex&gt; format (was Base64)
diff --git a/apps/sim/lib/webhooks/providers/airtable.ts b/apps/sim/lib/webhooks/providers/airtable.ts
@@ -2,7 +2,7 @@ import { db } from '@sim/db'
 import { account, webhook } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { safeCompare } from '@sim/security/compare'
-import { hmacSha256Base64 } from '@sim/security/hmac'
+import { hmacSha256Hex } from '@sim/security/hmac'
 import { eq } from 'drizzle-orm'
 import { NextResponse } from 'next/server'
 import { validateAirtableId } from '@/lib/core/security/input-validation'
@@ -446,7 +446,7 @@ function validateAirtableSignature(webhookSecret: string, mac: string, rawBody:
   if (!mac.startsWith(prefix)) return false
   const provided = mac.slice(prefix.length)
   const secretBuffer = Buffer.from(webhookSecret, 'base64')
-  const computed = hmacSha256Base64(rawBody, secretBuffer)
+  const computed = hmacSha256Hex(rawBody, secretBuffer)
   return safeCompare(provided, computed)
 }
 
diff --git a/apps/sim/lib/webhooks/providers/webflow.ts b/apps/sim/lib/webhooks/providers/webflow.ts
@@ -19,23 +19,41 @@ import { getOAuthToken, refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/
 
 const logger = createLogger('WebhookProvider:Webflow')
 
-function validateWebflowSignature(secret: string, signature: string, rawBody: string): boolean {
-  const computed = hmacSha256Hex(rawBody, secret)
+function validateWebflowSignature(
+  secret: string,
+  signature: string,
+  timestamp: string,
+  rawBody: string
+): boolean {
+  const computed = hmacSha256Hex(`${timestamp}:${rawBody}`, secret)
   return safeCompare(computed, signature)
 }
 
+const FIVE_MINUTES_MS = 5 * 60 * 1000
+
 export const webflowHandler: WebhookProviderHandler = {
   verifyAuth({ request, rawBody, requestId, providerConfig }: AuthContext) {
     const secret = providerConfig.webhookSecret as string | undefined
     if (!secret) return null
 
+    const timestamp = request.headers.get('x-webflow-timestamp')
+    if (!timestamp) {
+      logger.warn(`[${requestId}] Webflow webhook missing X-Webflow-Timestamp header`)
+      return new NextResponse('Unauthorized - Missing Webflow timestamp', { status: 401 })
+    }
+
     const signature = request.headers.get('x-webflow-signature')
     if (!signature) {
       logger.warn(`[${requestId}] Webflow webhook missing X-Webflow-Signature header`)
       return new NextResponse('Unauthorized - Missing Webflow signature', { status: 401 })
     }
 
-    if (!validateWebflowSignature(secret, signature, rawBody)) {
+    if (Math.abs(Date.now() - Number(timestamp)) > FIVE_MINUTES_MS) {
+      logger.warn(`[${requestId}] Webflow webhook timestamp too old, possible replay attack`)
+      return new NextResponse('Unauthorized - Webflow timestamp expired', { status: 401 })
+    }
+
+    if (!validateWebflowSignature(secret, signature, timestamp, rawBody)) {
       logger.warn(`[${requestId}] Webflow signature verification failed`)
       return new NextResponse('Unauthorized - Invalid Webflow signature', { status: 401 })
     }
@@ -162,7 +180,7 @@ export const webflowHandler: WebhookProviderHandler = {
       return {
         providerConfigUpdates: {
           externalId: responseBody.id || responseBody._id,
-          ...(responseBody.secretToken ? { webhookSecret: responseBody.secretToken } : {}),
+          ...(responseBody.secretKey ? { webhookSecret: responseBody.secretKey } : {}),
         },
       }
     } catch (error: unknown) {
