feat(webhooks): add GitLab webhook routing#6683
Open
nick-rui wants to merge 1 commit into
Open
Conversation
Contributor
There was a problem hiding this comment.
1 issue found across 5 files
Confidence score: 4/5
- In
packages/server/lib/webhook/gitlab-webhook-routing.ts, the fallback access tobody.nangoConnectionIdcan throw whenbodyisnull/undefinedor not an object, which would return an unhandled runtime failure instead of the expectedwebhook_missing_connection_idresponse for bad webhook payloads — add an object/null guard (or optional chaining with type checks) before reading the fallback field before merging.
Reply with feedback, questions, or to request a fix.
Re-trigger cubic
3b48de4 to
af93008
Compare
GitLab project/group webhooks were dropped at the routing gate because the gitlab and gitlab-pat providers had no webhook_routing_script. Route GitLab webhooks the same way cal.com and folk do: read a nangoConnectionId query param from the webhook URL (with a body-field fallback) and resolve the connection directly via propName 'connectionId'. Authenticity is verified with GitLab's X-Gitlab-Token shared-secret header (constant-time compare against the integration's configured webhook secret), and the X-Gitlab-Event header is used as the event type for subscription matching.
af93008 to
f45ca88
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds a webhook routing script for GitLab, so GitLab project/group webhooks can be routed to a Nango connection like other providers. Today the
gitlabandgitlab-patproviders have nowebhook_routing_script, so incoming GitLab webhooks are dropped at the routing gate inwebhook.manager.ts(if (!provider['webhook_routing_script']) return 204).Why
GitLab webhook payloads carry project/group/user identity but no Nango connection id and no single account-level id, and one Nango connection can span many GitLab projects. There was therefore no existing way to map a GitLab webhook to a connection.
How
Routing follows the same query-param pattern already used by
cal.comandfolk:?nangoConnectionId=<connectionId>to the Nango webhook URL when registering the GitLab project/group hook (e.g.https://api.nango.dev/webhook/<environmentUuid>/gitlab?nangoConnectionId=<connectionId>). The handler reads it from the query string (falling back to anangoConnectionIdbody field, mirroringcal.com) and resolves the connection directly viapropName: 'connectionId'.X-Gitlab-Tokenheader. Unlike most providers GitLab does not sign the payload — it echoes back verbatim the secret token configured on the hook — so verification is a constant-time compare against the integration's webhook secret (configured viawebhook_user_defined_secret: true, stored inintegration.custom.webhookSecret, same asfolk/linear/autotask). If no secret is configured the request is allowed through, mirroring the other query-param-routed providers.X-Gitlab-Eventheader (e.g.Issue Hook,Merge Request Hook,Note Hook) is passed aswebhookHeaderValueand matched against sync-config webhook subscriptions (same mechanismgithub-appuses withx-github-event).This works for both project-level and group-level GitLab webhooks, since both send the same
X-Gitlab-Token/X-Gitlab-Eventheaders and are routed purely by thenangoConnectionIdquery param.Changes
packages/server/lib/webhook/gitlab-webhook-routing.ts— new handler.packages/server/lib/webhook/index.ts— export the handler.packages/providers/providers.yaml— addwebhook_routing_script: gitlabWebhookRouting,webhook_user_defined_secret: true, andwebhook_allowed_query_params: [nangoConnectionId]to bothgitlab(OAuth2) andgitlab-pat(API key), since GitLab hooks can target a connection regardless of how it authenticates.packages/server/lib/webhook/gitlab-webhook-routing.unit.test.ts— unit tests mirroring the existingautotaskhandler tests (query/header routing, body fallback, token validation, missing connection id, forwarding).docs/integrations/all/gitlab.mdx— short "API gotchas" note on webhook routing.Testing
npx prettier --checkon the touched files — clean.oxlint -c .oxlintrc.jsonon the touched files — no errors (only the sameno-unsafe-*warnings the existingcal-comhandler emits on theany-typed body).npx tsx scripts/validation/providers/validate.ts—✅ All providers are valid.vitest runon the new unit test — passing.Notes for reviewers
integration.custom.webhookSecret+webhook_user_defined_secret: true(asfolk/linear/autotaskdo). Happy to adjust if connection-level secrets are preferred for GitLab.gitlabandgitlab-pat; let me know if only one is wanted.X-Gitlab-Eventheader strings verbatim (Issue Hook,Merge Request Hook,Note Hook, etc.).webhooksguide if that's the preference.