fix(webhooks): verify Graph clientState on Teams chat-subscription notifications

The microsoftteams_chat_subscription trigger set clientState=webhook.id when
creating the Graph subscription but never validated it on inbound change
notifications, so any request to the webhook path with a crafted notification
body was treated as authentic (CWE-345). verifyAuth now requires every
notification in the value array to carry a clientState matching the stored
webhook id (constant-time compare) and rejects payloads without notifications.
Validation handshakes (validationToken) are handled before auth and remain
unaffected; outgoing-webhook HMAC auth is unchanged.

Author: waleedlatif1

apps/sim/lib/webhooks/providers/microsoft-teams.test.ts

@@ -0,0 +1,108 @@
+/**
+ * @vitest-environment node
+ */
+import { authOAuthUtilsMock, inputValidationMock } from '@sim/testing'
+import { NextRequest } from 'next/server'
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+
+vi.mock('@/lib/core/security/input-validation.server', () => inputValidationMock)
+vi.mock('@/app/api/auth/oauth/utils', () => authOAuthUtilsMock)
+
+import { microsoftTeamsHandler } from '@/lib/webhooks/providers/microsoft-teams'
+
+const WEBHOOK_ID = 'webhook-uuid-1234'
+
+function makeRequest(body: string): NextRequest {
+  return new NextRequest('https://app.example.com/api/webhooks/trigger/abc', {
+    method: 'POST',
+    body,
+    headers: { 'Content-Type': 'application/json' },
+  })
+}
+
+function makeNotificationBody(clientState?: unknown): string {
+  return JSON.stringify({
+    value: [
+      {
+        subscriptionId: 'sub-1',
+        changeType: 'created',
+        resource: 'chats/19:abc@thread.v2/messages/1700000000000',
+        resourceData: { id: '1700000000000' },
+        ...(clientState !== undefined ? { clientState } : {}),
+      },
+    ],
+  })
+}
+
+async function runVerifyAuth(rawBody: string, providerConfig: Record<string, unknown>) {
+  return microsoftTeamsHandler.verifyAuth!({
+    webhook: { id: WEBHOOK_ID },
+    workflow: {},
+    request: makeRequest(rawBody),
+    rawBody,
+    requestId: 'test-req',
+    providerConfig,
+  })
+}
+
+describe('microsoftTeamsHandler verifyAuth (chat subscription clientState)', () => {
+  const chatSubscriptionConfig = { triggerId: 'microsoftteams_chat_subscription' }
+
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+
+  it('accepts notifications whose clientState matches the webhook id', async () => {
+    const res = await runVerifyAuth(makeNotificationBody(WEBHOOK_ID), chatSubscriptionConfig)
+    expect(res).toBeNull()
+  })
+
+  it('rejects notifications with a forged clientState', async () => {
+    const res = await runVerifyAuth(makeNotificationBody('forged'), chatSubscriptionConfig)
+    expect(res?.status).toBe(401)
+  })
+
+  it('rejects notifications missing clientState', async () => {
+    const res = await runVerifyAuth(makeNotificationBody(), chatSubscriptionConfig)
+    expect(res?.status).toBe(401)
+  })
+
+  it('rejects non-string clientState values', async () => {
+    const res = await runVerifyAuth(
+      makeNotificationBody({ nested: WEBHOOK_ID }),
+      chatSubscriptionConfig
+    )
+    expect(res?.status).toBe(401)
+  })
+
+  it('rejects payloads without a value array', async () => {
+    const res = await runVerifyAuth(JSON.stringify({ hello: 'world' }), chatSubscriptionConfig)
+    expect(res?.status).toBe(401)
+  })
+
+  it('rejects payloads with an empty value array', async () => {
+    const res = await runVerifyAuth(JSON.stringify({ value: [] }), chatSubscriptionConfig)
+    expect(res?.status).toBe(401)
+  })
+
+  it('rejects unparseable bodies', async () => {
+    const res = await runVerifyAuth('not-json', chatSubscriptionConfig)
+    expect(res?.status).toBe(401)
+  })
+
+  it('rejects batches where any notification has a mismatched clientState', async () => {
+    const rawBody = JSON.stringify({
+      value: [
+        { subscriptionId: 'sub-1', resourceData: { id: '1' }, clientState: WEBHOOK_ID },
+        { subscriptionId: 'sub-2', resourceData: { id: '2' }, clientState: 'forged' },
+      ],
+    })
+    const res = await runVerifyAuth(rawBody, chatSubscriptionConfig)
+    expect(res?.status).toBe(401)
+  })
+
+  it('does not require clientState for non-subscription trigger types', async () => {
+    const res = await runVerifyAuth(JSON.stringify({ type: 'message', text: 'hi' }), {})
+    expect(res).toBeNull()
+  })
+})

apps/sim/lib/webhooks/providers/microsoft-teams.ts

@@ -477,7 +477,7 @@ export const microsoftTeamsHandler: WebhookProviderHandler = {
     return null
   },
 
-  verifyAuth({ request, rawBody, requestId, providerConfig }: AuthContext) {
+  verifyAuth({ webhook, request, rawBody, requestId, providerConfig }: AuthContext) {
     if (providerConfig.hmacSecret) {
       const authHeader = request.headers.get('authorization')
 
@@ -496,6 +496,36 @@ export const microsoftTeamsHandler: WebhookProviderHandler = {
       }
     }
 
+    if (providerConfig.triggerId === 'microsoftteams_chat_subscription') {
+      const expectedClientState = String(webhook.id ?? '')
+      let notifications: unknown[] = []
+      try {
+        const parsed = JSON.parse(rawBody) as Record<string, unknown>
+        if (Array.isArray(parsed?.value)) {
+          notifications = parsed.value
+        }
+      } catch {
+        notifications = []
+      }
+
+      if (notifications.length === 0) {
+        logger.warn(
+          `[${requestId}] Microsoft Teams chat subscription notification missing value array`
+        )
+        return new NextResponse('Unauthorized - Invalid notification payload', { status: 401 })
+      }
+
+      for (const notification of notifications) {
+        const clientState = (notification as Record<string, unknown>)?.clientState
+        if (typeof clientState !== 'string' || !safeCompare(clientState, expectedClientState)) {
+          logger.warn(
+            `[${requestId}] Microsoft Teams chat subscription clientState verification failed`
+          )
+          return new NextResponse('Unauthorized - Invalid clientState', { status: 401 })
+        }
+      }
+    }
+
     return null
   },