fix: address greptile routine review

2026-03-20 16:26:29 -05:00
parent 99eb317600
commit 9093cfbe4f
6 changed files with 157 additions and 19 deletions
--- a/server/src/tests/routines-service.test.ts
+++ b/server/src/tests/routines-service.test.ts
@@ -1,4 +1,4 @@
-import { randomUUID } from "node:crypto";
+import { createHmac, randomUUID } from "node:crypto";
 import fs from "node:fs";
 import net from "node:net";
 import os from "node:os";
@@ -6,9 +6,12 @@ import path from "node:path";
 import { eq } from "drizzle-orm";
 import { afterAll, afterEach, beforeAll, describe, expect, it } from "vitest";
 import {
+  activityLog,
  agents,
  applyPendingMigrations,
  companies,
+  companySecrets,
+  companySecretVersions,
  createDb,
  ensurePostgresDatabase,
  heartbeatRuns,
@@ -16,6 +19,7 @@ import {
  projects,
  routineRuns,
  routines,
+  routineTriggers,
 } from "@paperclipai/db";
 import { issueService } from "../services/issues.ts";
 import { routineService } from "../services/routines.ts";
@@ -99,8 +103,12 @@ describe("routine service live-execution coalescing", () => {
  }, 20_000);

  afterEach(async () => {
+    await db.delete(activityLog);
    await db.delete(routineRuns);
+    await db.delete(routineTriggers);
    await db.delete(routines);
+    await db.delete(companySecretVersions);
+    await db.delete(companySecrets);
    await db.delete(heartbeatRuns);
    await db.delete(issues);
    await db.delete(projects);
@@ -421,4 +429,39 @@ describe("routine service live-execution coalescing", () => {

    expect(routineIssues).toHaveLength(1);
  });
+
+  it("accepts standard second-precision webhook timestamps for HMAC triggers", async () => {
+    const { routine, svc } = await seedFixture();
+    const { trigger, secretMaterial } = await svc.createTrigger(
+      routine.id,
+      {
+        kind: "webhook",
+        signingMode: "hmac_sha256",
+        replayWindowSec: 300,
+      },
+      {},
+    );
+
+    expect(trigger.publicId).toBeTruthy();
+    expect(secretMaterial?.webhookSecret).toBeTruthy();
+
+    const payload = { ok: true };
+    const rawBody = Buffer.from(JSON.stringify(payload));
+    const timestampSeconds = String(Math.floor(Date.now() / 1000));
+    const signature = `sha256=${createHmac("sha256", secretMaterial!.webhookSecret)
+      .update(`${timestampSeconds}.`)
+      .update(rawBody)
+      .digest("hex")}`;
+
+    const run = await svc.firePublicTrigger(trigger.publicId!, {
+      signatureHeader: signature,
+      timestampHeader: timestampSeconds,
+      rawBody,
+      payload,
+    });
+
+    expect(run.source).toBe("webhook");
+    expect(run.status).toBe("issue_created");
+    expect(run.linkedIssueId).toBeTruthy();
+  });
 });
--- a/server/src/services/routines.ts
+++ b/server/src/services/routines.ts
@@ -132,6 +132,12 @@ function nextResultText(status: string, issueId?: string | null) {
  return status;
 }

+function normalizeWebhookTimestampMs(rawTimestamp: string) {
+  const parsed = Number(rawTimestamp);
+  if (!Number.isFinite(parsed)) return null;
+  return parsed > 1e12 ? parsed : parsed * 1000;
+}
+
 export function routineService(db: Db, deps: { heartbeat?: IssueAssignmentWakeupDeps } = {}) {
  const issueSvc = issueService(db);
  const secretsSvc = secretService(db);
@@ -1064,8 +1070,8 @@ export function routineService(db: Db, deps: { heartbeat?: IssueAssignmentWakeup
        const providedSignature = input.signatureHeader?.trim() ?? "";
        const providedTimestamp = input.timestampHeader?.trim() ?? "";
        if (!providedSignature || !providedTimestamp) throw unauthorized();
-        const tsMillis = Number(providedTimestamp);
-        if (!Number.isFinite(tsMillis)) throw unauthorized();
+        const tsMillis = normalizeWebhookTimestampMs(providedTimestamp);
+        if (tsMillis == null) throw unauthorized();
        const replayWindowSec = trigger.replayWindowSec ?? 300;
        if (Math.abs(Date.now() - tsMillis) > replayWindowSec * 1000) {
          throw unauthorized();