fix(webhooks): restore auth-before-reachability ordering and remove dead credentialAccountUserId field

waleedlatif1 · waleedlatif1 · commit 065f9a427127 · 2026-03-11T14:50:55.000-07:00
- Move reachability test back after auth to prevent path enumeration
- Remove dead credentialAccountUserId from WebhookExecutionPayload
- Simplify credential resolution condition in background job
diff --git a/apps/sim/app/api/webhooks/trigger/[path]/route.ts b/apps/sim/app/api/webhooks/trigger/[path]/route.ts
@@ -73,12 +73,6 @@ export async function POST(
   const responses: NextResponse[] = []
 
   for (const { webhook: foundWebhook, workflow: foundWorkflow } of webhooksForPath) {
-    // Short-circuit: reachability test is a quick body-only check
-    const reachabilityResponse = handleProviderReachabilityTest(foundWebhook, body, requestId)
-    if (reachabilityResponse) {
-      return reachabilityResponse
-    }
-
     const authError = await verifyProviderAuth(
       foundWebhook,
       foundWorkflow,
@@ -94,6 +88,11 @@ export async function POST(
       return authError
     }
 
+    const reachabilityResponse = handleProviderReachabilityTest(foundWebhook, body, requestId)
+    if (reachabilityResponse) {
+      return reachabilityResponse
+    }
+
     const preprocessResult = await checkWebhookPreprocessing(foundWorkflow, foundWebhook, requestId)
     if (preprocessResult.error) {
       if (webhooksForPath.length > 1) {
diff --git a/apps/sim/background/webhook-execution.ts b/apps/sim/background/webhook-execution.ts
@@ -106,7 +106,6 @@ export type WebhookExecutionPayload = {
   blockId?: string
   workspaceId?: string
   credentialId?: string
-  credentialAccountUserId?: string
 }
 
 export async function executeWebhookJob(payload: WebhookExecutionPayload) {
@@ -206,9 +205,9 @@ async function executeWebhookJobInternal(
     const [workflowData, webhookRows, resolvedCredentialUserId] = await Promise.all([
       loadDeployedWorkflowState(payload.workflowId, workspaceId),
       db.select().from(webhook).where(eq(webhook.id, payload.webhookId)).limit(1),
-      !payload.credentialAccountUserId && payload.credentialId
+      payload.credentialId
         ? resolveCredentialAccountUserId(payload.credentialId)
-        : Promise.resolve(payload.credentialAccountUserId),
+        : Promise.resolve(undefined),
     ])
     const credentialAccountUserId = resolvedCredentialUserId
     if (payload.credentialId && !credentialAccountUserId) {
