Allow internal webhook call on the HTTP action on local dev environment (#2213)

MarceloRGonc · web-flow · commit 803a9f6a9445 · 2026-04-10T09:29:28.000+01:00
Fixes OPS-4101
diff --git a/packages/blocks/http/src/lib/common/webhook-url-validator.ts b/packages/blocks/http/src/lib/common/webhook-url-validator.ts
@@ -1,5 +1,45 @@
 import { networkUtls, validateHost } from '@openops/server-shared';
 
+const WEBHOOK_SYNC_PATH_REGEX = /^\/v1\/webhooks\/[0-9A-Za-z]{21}\/sync$/;
+
+function normalizeBasePath(pathname: string): string {
+  return pathname.replace(/\/$/, '');
+}
+
+function normalizePath(pathname: string): string {
+  const withLeadingSlash = pathname.startsWith('/') ? pathname : `/${pathname}`;
+  return withLeadingSlash.replace(/\/{2,}/g, '/');
+}
+
+function stripBasePath(pathname: string, basePath: string): string {
+  if (!basePath || basePath === '/') {
+    return pathname;
+  }
+
+  if (!pathname.startsWith(basePath)) {
+    return pathname;
+  }
+
+  return pathname.slice(basePath.length) || '/';
+}
+
+function extractWebhookPath(
+  pathname: string,
+  publicBasePath: string,
+  internalBasePath: string,
+): string | null {
+  const candidates = [
+    normalizePath(stripBasePath(pathname, publicBasePath)),
+    normalizePath(stripBasePath(pathname, internalBasePath)),
+    normalizePath(pathname),
+  ];
+
+  return (
+    candidates.find((candidate) => WEBHOOK_SYNC_PATH_REGEX.test(candidate)) ??
+    null
+  );
+}
+
 export async function validateAndRewritePublicWebhookUrl(
   userUrl: string,
 ): Promise<string> {
@@ -10,42 +50,33 @@ export async function validateAndRewritePublicWebhookUrl(
   try {
     await validateHost(userUrl);
     return userUrl;
-  } catch (error) {
+  } catch (originalError) {
     const publicUrl = await networkUtls.getPublicUrl();
     const internalApiUrl = networkUtls.getInternalApiUrl();
 
     const publicUrlObj = new URL(publicUrl);
     const internalUrlObj = new URL(internalApiUrl);
     const userUrlObj = new URL(userUrl);
 
-    if (userUrlObj.origin !== publicUrlObj.origin) {
-      throw error;
+    if (userUrlObj.host !== publicUrlObj.host) {
+      throw originalError;
     }
 
-    const internalBasePath = internalUrlObj.pathname.replace(/\/$/, '');
-    let relativePath = userUrlObj.pathname;
+    const publicBasePath = normalizeBasePath(publicUrlObj.pathname);
+    const internalBasePath = normalizeBasePath(internalUrlObj.pathname);
 
-    if (
-      internalBasePath &&
-      internalBasePath !== '/' &&
-      relativePath.startsWith(internalBasePath)
-    ) {
-      relativePath = relativePath.slice(internalBasePath.length);
-    }
-
-    if (!relativePath.startsWith('/')) {
-      relativePath = `/${relativePath}`;
-    }
+    const webhookPath = extractWebhookPath(
+      userUrlObj.pathname,
+      publicBasePath,
+      internalBasePath,
+    );
 
-    if (!/^\/v1\/webhooks\/[0-9A-Za-z]{21}\/sync$/.test(relativePath)) {
-      throw error;
+    if (!webhookPath) {
+      throw originalError;
     }
 
-    const rewrittenPath = `${internalBasePath}${relativePath}`.replace(
-      /\/{2,}/g,
-      '/',
-    );
+    const rewrittenPath = normalizePath(`${internalBasePath}${webhookPath}`);
 
-    return `${internalUrlObj.origin}${rewrittenPath}`;
+    return `${internalUrlObj.origin}${rewrittenPath}${userUrlObj.search}${userUrlObj.hash}`;
   }
 }
diff --git a/packages/blocks/http/test/webhook-url-validator.test.ts b/packages/blocks/http/test/webhook-url-validator.test.ts
@@ -27,95 +27,141 @@ describe('webhook-url-validator', () => {
     expect(validateHost).toHaveBeenCalledWith(userUrl);
   });
 
-  it('should rewrite the URL if it matches the public URL origin and valid webhook path', async () => {
-    const error = new Error('Host must not be an internal address');
-    (validateHost as jest.Mock).mockRejectedValue(error);
-    (networkUtls.getPublicUrl as jest.Mock).mockResolvedValue(
+  test.each([
+    [
+      'rewrites when public URL has no base path and internal URL has no base path',
       'https://public.openops.com',
-    );
-    (networkUtls.getInternalApiUrl as jest.Mock).mockReturnValue(
       'http://internal-api:3000',
-    );
-
-    const userUrl =
-      'https://public.openops.com/v1/webhooks/123456789012345678901/sync';
-    const result = await validateAndRewritePublicWebhookUrl(userUrl);
-
-    expect(result).toBe(
+      'https://public.openops.com/v1/webhooks/123456789012345678901/sync',
       'http://internal-api:3000/v1/webhooks/123456789012345678901/sync',
-    );
-  });
-
-  it('should rewrite the URL when public URL has a base path', async () => {
-    const error = new Error('Host must not be an internal address');
-    (validateHost as jest.Mock).mockRejectedValue(error);
-    (networkUtls.getPublicUrl as jest.Mock).mockResolvedValue(
-      'https://openops.com/',
-    );
-    (networkUtls.getInternalApiUrl as jest.Mock).mockReturnValue(
+    ],
+    [
+      'rewrites when public URL has a base path and internal URL has no base path',
+      'http://localhost:4200/api',
+      'http://127.0.0.1:3000',
+      'http://localhost:4200/api/v1/webhooks/123456789012345678901/sync',
+      'http://127.0.0.1:3000/v1/webhooks/123456789012345678901/sync',
+    ],
+    [
+      'rewrites when public URL has a base path and internal URL has a different base path',
+      'https://public.openops.com/api',
+      'http://internal-api:3000/internal',
+      'https://public.openops.com/api/v1/webhooks/123456789012345678901/sync',
+      'http://internal-api:3000/internal/v1/webhooks/123456789012345678901/sync',
+    ],
+    [
+      'rewrites when public URL and internal URL share the same base path',
+      'https://public.openops.com/api',
       'http://internal-api:3000/api',
-    );
-
-    const userUrl =
-      'https://openops.com/api/v1/webhooks/123456789012345678901/sync';
-    const result = await validateAndRewritePublicWebhookUrl(userUrl);
-
-    expect(result).toBe(
+      'https://public.openops.com/api/v1/webhooks/123456789012345678901/sync',
       'http://internal-api:3000/api/v1/webhooks/123456789012345678901/sync',
-    );
-  });
-
-  it('should throw the original error if origin does not match public URL origin', async () => {
-    const error = new Error('Host must not be an internal address');
-    (validateHost as jest.Mock).mockRejectedValue(error);
-    (networkUtls.getPublicUrl as jest.Mock).mockResolvedValue(
+    ],
+    [
+      'rewrites when public URL ends with a trailing slash',
+      'https://public.openops.com/api/',
+      'http://internal-api:3000',
+      'https://public.openops.com/api/v1/webhooks/123456789012345678901/sync',
+      'http://internal-api:3000/v1/webhooks/123456789012345678901/sync',
+    ],
+    [
+      'rewrites when internal URL ends with a trailing slash',
+      'https://public.openops.com/api',
+      'http://internal-api:3000/',
+      'https://public.openops.com/api/v1/webhooks/123456789012345678901/sync',
+      'http://internal-api:3000/v1/webhooks/123456789012345678901/sync',
+    ],
+    [
+      'rewrites when both public and internal URLs end with trailing slashes',
+      'https://public.openops.com/api/',
+      'http://internal-api:3000/internal/',
+      'https://public.openops.com/api/v1/webhooks/123456789012345678901/sync',
+      'http://internal-api:3000/internal/v1/webhooks/123456789012345678901/sync',
+    ],
+    [
+      'rewrites localhost public URL to internal host',
+      'http://localhost:4200',
+      'http://internal-api:3000',
+      'http://localhost:4200/v1/webhooks/123456789012345678901/sync',
+      'http://internal-api:3000/v1/webhooks/123456789012345678901/sync',
+    ],
+    [
+      'rewrites when user URL already contains the internal base path after public host matching',
+      'https://public.openops.com',
+      'http://internal-api:3000/api',
+      'https://public.openops.com/api/v1/webhooks/123456789012345678901/sync',
+      'http://internal-api:3000/api/v1/webhooks/123456789012345678901/sync',
+    ],
+  ])(
+    '%s',
+    async (
+      _caseName: string,
+      publicUrl: string,
+      internalApiUrl: string,
+      userUrl: string,
+      expectedUrl: string,
+    ) => {
+      const originalError = new Error('Host must not be an internal address');
+
+      (validateHost as jest.Mock).mockRejectedValue(originalError);
+      (networkUtls.getPublicUrl as jest.Mock).mockResolvedValue(publicUrl);
+      (networkUtls.getInternalApiUrl as jest.Mock).mockReturnValue(
+        internalApiUrl,
+      );
+
+      await expect(validateAndRewritePublicWebhookUrl(userUrl)).resolves.toBe(
+        expectedUrl,
+      );
+
+      expect(validateHost).toHaveBeenCalledWith(userUrl);
+      expect(networkUtls.getPublicUrl).toHaveBeenCalledTimes(1);
+      expect(networkUtls.getInternalApiUrl).toHaveBeenCalledTimes(1);
+    },
+  );
+
+  test.each([
+    [
+      'throws when user URL host does not match public URL host',
       'https://public.openops.com',
-    );
-    (networkUtls.getInternalApiUrl as jest.Mock).mockReturnValue(
       'http://internal-api:3000',
-    );
-
-    const userUrl =
-      'https://other-domain.com/v1/webhooks/123456789012345678901/sync';
-
-    await expect(validateAndRewritePublicWebhookUrl(userUrl)).rejects.toThrow(
-      error,
-    );
-  });
-
-  it('should throw the original error if the path does not match the webhook pattern', async () => {
-    const error = new Error('Host must not be an internal address');
-    (validateHost as jest.Mock).mockRejectedValue(error);
-    (networkUtls.getPublicUrl as jest.Mock).mockResolvedValue(
+      'https://other.openops.com/v1/webhooks/123456789012345678901/sync',
+    ],
+    [
+      'throws when path is not a valid webhook sync path',
       'https://public.openops.com',
-    );
-    (networkUtls.getInternalApiUrl as jest.Mock).mockReturnValue(
       'http://internal-api:3000',
-    );
-
-    const userUrl = 'https://public.openops.com/v1/webhooks/invalid-id/sync';
-
-    await expect(validateAndRewritePublicWebhookUrl(userUrl)).rejects.toThrow(
-      error,
-    );
-  });
-
-  it('should handle multiple slashes correctly during rewrite', async () => {
-    const error = new Error('Host must not be an internal address');
-    (validateHost as jest.Mock).mockRejectedValue(error);
-    (networkUtls.getPublicUrl as jest.Mock).mockResolvedValue(
-      'https://public.openops.com/',
-    );
-    (networkUtls.getInternalApiUrl as jest.Mock).mockReturnValue(
-      'http://internal-api:3000/',
-    );
-
-    const userUrl =
-      'https://public.openops.com/v1/webhooks/123456789012345678901/sync';
-    const result = await validateAndRewritePublicWebhookUrl(userUrl);
-
-    expect(result).toBe(
-      'http://internal-api:3000/v1/webhooks/123456789012345678901/sync',
-    );
-  });
+      'https://public.openops.com/v1/webhooks/invalid/sync',
+    ],
+    [
+      'throws when path does not match webhook route',
+      'https://public.openops.com/api',
+      'http://internal-api:3000',
+      'https://public.openops.com/api/v1/other/123456789012345678901/sync',
+    ],
+    [
+      'throws when webhook path has extra suffix',
+      'https://public.openops.com',
+      'http://internal-api:3000',
+      'https://public.openops.com/v1/webhooks/123456789012345678901/sync/extra',
+    ],
+  ])(
+    '%s',
+    async (
+      _caseName: string,
+      publicUrl: string,
+      internalApiUrl: string,
+      userUrl: string,
+    ) => {
+      const originalError = new Error('Host must not be an internal address');
+
+      (validateHost as jest.Mock).mockRejectedValue(originalError);
+      (networkUtls.getPublicUrl as jest.Mock).mockResolvedValue(publicUrl);
+      (networkUtls.getInternalApiUrl as jest.Mock).mockReturnValue(
+        internalApiUrl,
+      );
+
+      await expect(validateAndRewritePublicWebhookUrl(userUrl)).rejects.toBe(
+        originalError,
+      );
+    },
+  );
 });
