TW-5728: add webhooks server --register to auto-register the tunnel webhook#115
Merged
qasim-nylas merged 1 commit intoJun 26, 2026
Conversation
… webhook Run one command to receive verified webhooks locally. With --register, once the cloudflared tunnel is up the CLI creates a Nylas webhook for the live tunnel URL, fetches the signing secret into memory (HMAC verification on, nothing to copy), and deletes the webhook on exit. Creation is retried while Nylas verification returns error 70005 (a fresh tunnel hostname is still propagating). - POST events are rejected (503) until the secret is installed, so the public tunnel never processes an unsigned event; the GET challenge stays open so Nylas's create-time verification still succeeds - read the signing secret under the lock and pass it into the replay check to close the data race with the post-start UpdateSecret swap - stale auto-webhook sweep on start; teardown on shutdown (warns if delete fails) - signal-aware context so Ctrl+C aborts tunnel start / registration cleanly - reject an empty-secret response and remove the half-created webhook - early cloudflared check (with brew install offer); prompts go to stderr under --json
qasim-nylas
deleted the
feature/TW-5728-webhook-server-register-cloudflared-tunnel
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
--registertonylas webhooks server. One command now gives a customer verified webhooks locally: once the cloudflared tunnel is up, the CLI creates a Nylas webhook for the live tunnel URL, fetches the signing secret into memory (HMAC verification on, nothing to copy), and deletes the webhook on exit. Creation is retried while Nylas verification returns error 70005 (a fresh tunnel hostname is still propagating).What & why
UpdateSecretinstalls it post-start.--registercannot combine with--secret/--allow-unsigned/--no-tunnel.--json.Testing
make ci-fullgreen (quality + unit + race + integration + security + vuln + build)UpdateSecret-race, empty-secret cleanup,isWebhookVerifyError(incl. request-id false-positive), retry/timeout/sweep, flag conflictsRelated docs