Skip to content

Fix #162: Implement automatic webhook secret refresh#178

Open
snagasuri wants to merge 2 commits intocalcom:mainfrom
snagasuri:bugfix/162
Open

Fix #162: Implement automatic webhook secret refresh#178
snagasuri wants to merge 2 commits intocalcom:mainfrom
snagasuri:bugfix/162

Conversation

@snagasuri
Copy link

@snagasuri snagasuri commented Jul 14, 2025

Summary

This PR addresses issue #162 by implementing automatic webhook secret refresh to prevent 403 errors when secrets expire.

Changes

  • Added webhookSecretCreatedAt and webhookSecretExpiresAt fields to GitHubRepo model
  • Created refreshWebhookSecret utility function to update secrets in both database and GitHub
  • Updated webhook handler to automatically refresh expired secrets on 403 errors
  • Added manual refresh endpoint at /api/github/refresh-webhook-secret
  • Updated GitHubAuthButton to set expiration dates when creating webhooks
  • Webhook secrets now expire after 30 days and refresh automatically

Implementation Details

  1. Automatic Refresh: When a webhook validation fails with a 403 error, the system checks if the secret is expired (or missing expiration date) and attempts to refresh it automatically
  2. Grace Period: The system considers secrets expired if they're within 24 hours of expiration
  3. Database Migration: Added new columns to track secret metadata
  4. Manual Fallback: API endpoint allows manual refresh if needed

Testing

  • Created comprehensive test file at src/tests/issue-162-synclinear.ts
  • Build passes without errors
  • Linting passes without warnings

Fixes

Fixes #162

snagasuri and others added 2 commits July 13, 2025 22:24
@snagasuri @claude
Fix calcom#175: Prevent infinite issue recreation
36c29dc 
This commit addresses the bug where SyncLinear infinitely recreates issues
after renaming them with Linear IDs. The fix includes:

1. Database constraints: Added unique constraints to prevent duplicate
   syncedIssue entries for the same Linear/GitHub issue pairs

2. Webhook deduplication: Track processed webhook events using
   Linear-Delivery and X-GitHub-Delivery headers to prevent reprocessing

3. Transaction safety: Implement atomic operations for issue creation
   to prevent race conditions when multiple webhooks arrive simultaneously

The root cause was a race condition where multiple webhook events could
check for existing issues simultaneously, all find none, and proceed to
create duplicates before any were recorded in the database.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@snagasuri
Fix calcom#162: Implement automatic webhook secret refresh
4577bd5 
- Add webhookSecretCreatedAt and webhookSecretExpiresAt fields to GitHubRepo model
- Create refreshWebhookSecret utility to update secrets in both DB and GitHub
- Update webhook handler to auto-refresh expired secrets on 403 errors
- Add manual refresh endpoint at /api/github/refresh-webhook-secret
- Update GitHubAuthButton to set expiration dates when creating webhooks
- Webhook secrets now expire after 30 days and refresh automatically
- Add comprehensive test file demonstrating the functionality
@vercel
Copy link

vercel bot commented Jul 14, 2025

@snagasuri is attempting to deploy a commit to the Rubric Labs Team on Vercel.

A member of the Team first needs to authorize it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

GH webhook secret expires without refresh

1 participant

@snagasuri