( foundWebhook: any, foundWorkflow: any, request: NextRequest, rawBody: string, requestId: string )
| 440 | * Delegates to the provider handler registry. |
| 441 | */ |
| 442 | export async function verifyProviderAuth( |
| 443 | foundWebhook: any, |
| 444 | foundWorkflow: any, |
| 445 | request: NextRequest, |
| 446 | rawBody: string, |
| 447 | requestId: string |
| 448 | ): Promise<NextResponse | null> { |
| 449 | const handler = getProviderHandler(foundWebhook.provider) |
| 450 | const rawProviderConfig = (foundWebhook.providerConfig as Record<string, unknown>) || {} |
| 451 | |
| 452 | /** |
| 453 | * Only fetch + decrypt the effective env when there is auth to verify AND the |
| 454 | * provider config actually references env vars (`{{VAR}}`). This avoids a DB |
| 455 | * read and decryption on the synchronous pre-ack path for the common case. |
| 456 | */ |
| 457 | let decryptedEnvVars: Record<string, string> = {} |
| 458 | if (handler.verifyAuth && providerConfigReferencesEnvVars(rawProviderConfig)) { |
| 459 | try { |
| 460 | decryptedEnvVars = await getEffectiveDecryptedEnv( |
| 461 | foundWorkflow.userId, |
| 462 | foundWorkflow.workspaceId |
| 463 | ) |
| 464 | } catch (error) { |
| 465 | logger.error(`[${requestId}] Failed to fetch environment variables`, { |
| 466 | error, |
| 467 | }) |
| 468 | } |
| 469 | } |
| 470 | |
| 471 | const providerConfig = resolveProviderConfigEnvVars(rawProviderConfig, decryptedEnvVars) |
| 472 | |
| 473 | if (handler.verifyAuth) { |
| 474 | const authResult = await handler.verifyAuth({ |
| 475 | webhook: foundWebhook, |
| 476 | workflow: foundWorkflow, |
| 477 | request, |
| 478 | rawBody, |
| 479 | requestId, |
| 480 | providerConfig, |
| 481 | }) |
| 482 | if (authResult) return authResult |
| 483 | } |
| 484 | |
| 485 | return null |
| 486 | } |
| 487 | |
| 488 | /** |
| 489 | * Run preprocessing checks for webhook execution |
no test coverage detected