From 53cecc18e9ce6f8bebd29ccc21bb4af31cd11f39 Mon Sep 17 00:00:00 2001
From: Olivier Sambourg
Date: Tue, 4 Feb 2025 21:38:37 +0100
Subject: [PATCH] feat: enable multiple webhook secrets for APP_WEBHOOK
---
 .../pieces/community/framework/package.json | 2 +-
 .../community/framework/src/lib/piece.ts | 2 +-
 .../pieces/community/intercom/package.json | 2 +-
 .../pieces/community/intercom/src/index.ts | 12 ++++++-
 packages/pieces/community/slack/package.json | 2 +-
 packages/pieces/community/slack/src/index.ts | 2 +-
 packages/pieces/community/square/package.json | 4 +--
 packages/pieces/community/square/src/index.ts | 2 +-
 .../shared/src/lib/webhook-secrets-util.ts | 36 +++++++++++++++----
 packages/server/worker/package.json | 2 +-
 .../server/worker/src/lib/utils/machine.ts | 1 +
 packages/shared/package.json | 2 +-
 .../shared/src/lib/engine/engine-operation.ts | 2 +-
 13 files changed, 53 insertions(+), 18 deletions(-)
diff --git a/packages/pieces/community/framework/package.json b/packages/pieces/community/framework/package.json
index 37977ed8bb..9257266bc9 100644
--- a/packages/pieces/community/framework/package.json
+++ b/packages/pieces/community/framework/package.json
@@ -1,5 +1,5 @@
 {
 "name": "@activepieces/pieces-framework",
- "version": "0.7.42",
+ "version": "0.7.43",
 "type": "commonjs"
 }
diff --git a/packages/pieces/community/framework/src/lib/piece.ts b/packages/pieces/community/framework/src/lib/piece.ts
index 9f204af818..df554b5971 100644
--- a/packages/pieces/community/framework/src/lib/piece.ts
+++ b/packages/pieces/community/framework/src/lib/piece.ts
@@ -100,7 +100,7 @@ type CreatePieceParams<
 type PieceEventProcessors = {
 parseAndReply: (ctx: { payload: EventPayload }) => ParseEventResponse;
 verify: (ctx: {
- webhookSecret: string;
+ webhookSecret: string | Record;
 payload: EventPayload;
 appWebhookUrl: string;
 }) => boolean;
diff --git a/packages/pieces/community/intercom/package.json b/packages/pieces/community/intercom/package.json
index 0b58d84413..31de9d4be8 100644
--- a/packages/pieces/community/intercom/package.json
+++ b/packages/pieces/community/intercom/package.json
@@ -1,4 +1,4 @@
 {
 "name": "@activepieces/piece-intercom",
- "version": "0.4.6"
+ "version": "0.4.7"
 }
diff --git a/packages/pieces/community/intercom/src/index.ts b/packages/pieces/community/intercom/src/index.ts
index 5a450d9149..f1ae023bbe 100644
--- a/packages/pieces/community/intercom/src/index.ts
+++ b/packages/pieces/community/intercom/src/index.ts
@@ -97,7 +97,17 @@ export const intercom = createPiece({
 },
 verify: ({ payload, webhookSecret }) => {
 const signature = payload.headers['x-hub-signature'];
- const hmac = crypto.createHmac('sha1', webhookSecret);
+ let hmac: crypto.Hmac;
+ if (typeof webhookSecret === 'string') {
+ hmac = crypto.createHmac('sha1', webhookSecret);
+ } else {
+ const app_id = (payload.body as PayloadBody).app_id;
+ const webhookSecrets = webhookSecret as Record;
+ if (!(app_id in webhookSecrets)) {
+ return false;
+ }
+ hmac = crypto.createHmac('sha1', webhookSecrets[app_id]);
+ }
 hmac.update(`${payload.rawBody}`);
 const computedSignature = `sha1=${hmac.digest('hex')}`;
 return signature === computedSignature;
diff --git a/packages/pieces/community/slack/package.json b/packages/pieces/community/slack/package.json
index 4c43b941e1..562899580d 100644
--- a/packages/pieces/community/slack/package.json
+++ b/packages/pieces/community/slack/package.json
@@ -1,4 +1,4 @@
 {
 "name": "@activepieces/piece-slack",
- "version": "0.7.10"
+ "version": "0.7.11"
 }
diff --git a/packages/pieces/community/slack/src/index.ts b/packages/pieces/community/slack/src/index.ts
index b95afd0e79..76b23b2cce 100644
--- a/packages/pieces/community/slack/src/index.ts
+++ b/packages/pieces/community/slack/src/index.ts
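Review bot: In intercom's `verify`, the record branch selects the HMAC key with `app_id in webhookSecrets`, and `app_id` is read from the request body before any signature has been checked. `in` also matches inherited property names, so a value such as `constructor` passes the test and hands a non-string to `crypto.createHmac`, which throws rather than returning `false`; a missing or non-object body makes `.app_id` throw too. Limiting the lookup to own, string-valued entries, as in the fence below, keeps malformed requests on the `return false` path. The unchanged `signature === computedSignature` is also not a constant-time comparison (`crypto.timingSafeEqual` on equal-length buffers is the usual replacement), and `verify` closes outside the hunk.

```typescript
if (typeof webhookSecret === 'string') {
  // … unchanged: single-secret HMAC …
} else {
  const appId = (payload.body as PayloadBody | undefined)?.app_id;
  if (
    typeof appId !== 'string' ||
    !Object.prototype.hasOwnProperty.call(webhookSecret, appId)
  ) {
    return false;
  }
  const secret = webhookSecret[appId];
  if (typeof secret !== 'string') {
    return false;
  }
  hmac = crypto.createHmac('sha1', secret);
}
```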
@@ -86,7 +86,7 @@ export const slack = createPiece({
 const timestamp = payload.headers['x-slack-request-timestamp'];
 const signature = payload.headers['x-slack-signature'];
 const signatureBaseString = `v0:${timestamp}:${payload.rawBody}`;
- const hmac = crypto.createHmac('sha256', webhookSecret);
+ const hmac = crypto.createHmac('sha256', webhookSecret as string);
 hmac.update(signatureBaseString);
 const computedSignature = `v0=${hmac.digest('hex')}`;
 return signature === computedSignature;
diff --git a/packages/pieces/community/square/package.json b/packages/pieces/community/square/package.json
index 91d0bd3014..3279084604 100644
--- a/packages/pieces/community/square/package.json
+++ b/packages/pieces/community/square/package.json
@@ -1,4 +1,4 @@
 {
 "name": "@activepieces/piece-square",
- "version": "0.3.4"
-}
\ No newline at end of file
+ "version": "0.3.5"
+}
diff --git a/packages/pieces/community/square/src/index.ts b/packages/pieces/community/square/src/index.ts
index d87268fca7..b0b907bf23 100644
--- a/packages/pieces/community/square/src/index.ts
+++ b/packages/pieces/community/square/src/index.ts
@@ -35,7 +35,7 @@ export const square = createPiece({
 events: {
 verify: ({ webhookSecret, payload, appWebhookUrl }) => {
 const signature = payload.headers['x-square-hmacsha256-signature'];
- const hmac = crypto.createHmac('sha256', webhookSecret);
+ const hmac = crypto.createHmac('sha256', webhookSecret as string);
 hmac.update(appWebhookUrl + payload.rawBody);
 const hash = hmac.digest('base64');
 return hash === signature;
diff --git a/packages/server/shared/src/lib/webhook-secrets-util.ts b/packages/server/shared/src/lib/webhook-secrets-util.ts
index efdecc3a89..8274e6ef5b 100644
--- a/packages/server/shared/src/lib/webhook-secrets-util.ts
+++ b/packages/server/shared/src/lib/webhook-secrets-util.ts
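Review bot: `webhookSecret as string` in slack's `verify` (and the identical cast in square's `verify` further down) only silences the widened type; nothing stops a per-app record configured for these pieces from reaching `crypto.createHmac`, where it throws instead of failing verification. A runtime guard ahead of the HMAC, `if (typeof webhookSecret !== 'string') return false;`, makes the cast unnecessary and keeps the failure closed. Both `verify` bodies begin or end outside their hunks.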
@@ -1,6 +1,13 @@
-import { assertNotNullOrUndefined, FlowVersion, isNil, parseToJsonIfPossible } from '@activepieces/shared'
+import {
+ assertNotNullOrUndefined,
+ FlowVersion,
+ isNil,
+ parseToJsonIfPossible,
+} from '@activepieces/shared'
-let webhookSecrets: Record | undefined = undefined
+let webhookSecrets:
+| Record }>
+| undefined = undefined
 export const webhookSecretsUtils = {
 init,
@@ -13,18 +20,35 @@ async function init(_webhookSecrets: string) {
 webhookSecrets = parsed
 }
-function parseWebhookSecrets(webhookSecrets: string): Record {
- return parseToJsonIfPossible(webhookSecrets) as Record | undefined ?? {}
+function parseWebhookSecrets(webhookSecrets: string): Record<
+string,
+{
+ webhookSecret: string | Record
+}
+> {
+ return (
+ (parseToJsonIfPossible(webhookSecrets) as
+ | Record<
+ string,
+ {
+ webhookSecret: string | Record
+ }
+ >
+ | undefined) ?? {}
+ )
 }
 async function getWebhookSecret(
 flowVersion: FlowVersion,
-): Promise {
+): Promise | undefined> {
 const appName = flowVersion.trigger.settings.pieceName
 if (!appName) {
 return undefined
 }
- assertNotNullOrUndefined(webhookSecrets, 'Webhook secrets are not initialized')
+ assertNotNullOrUndefined(
+ webhookSecrets,
+ 'Webhook secrets are not initialized',
+ )
 const appConfig = webhookSecrets[appName]
 if (isNil(appConfig)) {
 return undefined
diff --git a/packages/server/worker/package.json b/packages/server/worker/package.json
index b3d1d7c8dd..3440f13cfe 100644
--- a/packages/server/worker/package.json
+++ b/packages/server/worker/package.json
@@ -5,7 +5,7 @@
 "main": "./src/index.js",
 "typings": "./src/index.d.ts",
 "dependencies": {
- "@activepieces/pieces-framework": "0.7.42",
+ "@activepieces/pieces-framework": "0.7.43",
 "@activepieces/server-shared": "0.0.1",
 "@activepieces/shared": "0.10.146",
 "async-mutex": "0.4.0",
diff --git a/packages/server/worker/src/lib/utils/machine.ts b/packages/server/worker/src/lib/utils/machine.ts
index 4afce74603..303885161f 100644
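Review bot: `parseWebhookSecrets` still returns whatever `parseToJsonIfPossible` yields under a type assertion, and the asserted shape is now nested, so a mis-shaped `webhookSecret` entry (a number, an array, a nested object) is only discovered when a piece hands it to its HMAC. Checking each entry once when the configuration is parsed turns that into a startup error instead of a per-request failure. How `parseToJsonIfPossible` reports unparsable input is not visible here, so the sketch below only inspects entries when an object came back. `init` and `getWebhookSecret` both extend beyond the hunk.

```typescript
// Accepts a single secret or a flat map of secrets; anything else is a configuration error.
function isWebhookSecretValue(value: unknown): value is string | Record<string, string> {
    if (typeof value === 'string') {
        return true
    }
    return typeof value === 'object' && value !== null && !Array.isArray(value)
        && Object.values(value).every((entry) => typeof entry === 'string')
}

function parseWebhookSecrets(webhookSecrets: string): Record<string, { webhookSecret: string | Record<string, string> }> {
    const parsed: unknown = parseToJsonIfPossible(webhookSecrets) ?? {}
    if (typeof parsed === 'object' && parsed !== null && !Array.isArray(parsed)) {
        for (const [pieceName, config] of Object.entries(parsed)) {
            const candidate = (config as { webhookSecret?: unknown } | null)?.webhookSecret
            if (!isWebhookSecretValue(candidate)) {
                // The message names the piece only; the secret itself is never logged.
                throw new Error(`Invalid webhookSecret entry for ${pieceName}`)
            }
        }
    }
    return parsed as Record<string, { webhookSecret: string | Record<string, string> }>
}
```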
--- a/packages/server/worker/src/lib/utils/machine.ts
+++ b/packages/server/worker/src/lib/utils/machine.ts
@@ -97,6 +97,7 @@ function appendSlashAndApi(url: string): string {
 return `${url}${slash}api/`
 }
+
 async function getContainerMemoryUsage() {
 const memLimitPath = '/sys/fs/cgroup/memory/memory.limit_in_bytes'
 const memUsagePath = '/sys/fs/cgroup/memory/memory.usage_in_bytes'
diff --git a/packages/shared/package.json b/packages/shared/package.json
index 9b9892a7e3..c32c1d23e5 100644
--- a/packages/shared/package.json
+++ b/packages/shared/package.json
@@ -2,4 +2,4 @@
 "name": "@activepieces/shared",
 "version": "0.10.146",
 "type": "commonjs"
-}
\ No newline at end of file
+}
diff --git a/packages/shared/src/lib/engine/engine-operation.ts b/packages/shared/src/lib/engine/engine-operation.ts
index 1821d7d745..523eb2cd49 100644
--- a/packages/shared/src/lib/engine/engine-operation.ts
+++ b/packages/shared/src/lib/engine/engine-operation.ts
@@ -99,7 +99,7 @@ export type ExecuteTriggerOperation = BaseEngineOper
 webhookUrl: string
 triggerPayload?: TriggerPayload
 appWebhookUrl?: string
- webhookSecret?: string
+ webhookSecret?: string | Record
 }