fix: add the X-Cal-Signature-256 header to MEETING_ENDED webhook requ…

…ests (calcom#13986) * add the X-Cal-Signature-256 header to MEETING_ENDED webhook requests * take care of null value for appId --------- Co-authored-by: Carina Wollendorfer <[email protected]>
dev-rahulbhadoriya · Mar 6, 2024 · 9fd3594 · 9fd3594
1 parent 531371b
commit 9fd3594
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 6 deletions.
diff --git a/packages/features/webhooks/lib/cron.ts b/packages/features/webhooks/lib/cron.ts
@@ -5,7 +5,7 @@ import dayjs from "@calcom/dayjs";
 import { defaultHandler } from "@calcom/lib/server";
 import prisma from "@calcom/prisma";
 
-import { jsonParse } from "./sendPayload";
+import { createWebhookSignature, jsonParse } from "./sendPayload";
 
 async function handler(req: NextApiRequest, res: NextApiResponse) {
   const apiKey = req.headers.authorization || req.query.apiKey;
@@ -25,13 +25,19 @@ async function handler(req: NextApiRequest, res: NextApiResponse) {
 
   // run jobs
   for (const job of jobsToRun) {
+    // Fetch the webhook configuration so that we can get the secret.
+    const [appId, subscriberId] = job.jobName.split("_");
+    const webhook = await prisma.webhook.findUniqueOrThrow({
+      where: { id: subscriberId, appId: appId !== "null" ? appId : null },
+    });
     try {
       await fetch(job.subscriberUrl, {
         method: "POST",
         body: job.payload,
         headers: {
           "Content-Type":
             !job.payload || jsonParse(job.payload) ? "application/json" : "application/x-www-form-urlencoded",
+          "X-Cal-Signature-256": createWebhookSignature({ secret: webhook.secret, body: job.payload }),
         },
       });
     } catch (error) {

diff --git a/packages/features/webhooks/lib/sendPayload.ts b/packages/features/webhooks/lib/sendPayload.ts
@@ -189,6 +189,11 @@ export const sendGenericWebhookPayload = async ({
   return _sendPayload(secretKey, webhook, body, "application/json");
 };
 
+export const createWebhookSignature = (params: { secret?: string | null; body: string }) =>
+  params.secret
+    ? createHmac("sha256", params.secret).update(`${params.body}`).digest("hex")
+    : "no-secret-provided";
+
 const _sendPayload = async (
   secretKey: string | null,
   webhook: Pick<Webhook, "subscriberUrl" | "appId" | "payloadTemplate">,
@@ -200,15 +205,11 @@ const _sendPayload = async (
     throw new Error("Missing required elements to send webhook payload.");
   }
 
-  const secretSignature = secretKey
-    ? createHmac("sha256", secretKey).update(`${body}`).digest("hex")
-    : "no-secret-provided";
-
   const response = await fetch(subscriberUrl, {
     method: "POST",
     headers: {
       "Content-Type": contentType,
-      "X-Cal-Signature-256": secretSignature,
+      "X-Cal-Signature-256": createWebhookSignature({ secret: secretKey, body }),
     },
     redirect: "manual",
     body,