fix(tools): manage lifecycle for attio tools

Author: waleedlatif1

apps/sim/blocks/blocks/attio.ts

@@ -425,8 +425,7 @@ Return ONLY the JSON array. No explanations, no markdown, no extra text.
       id: 'taskAssignees',
       title: 'Assignees',
       type: 'code',
-      placeholder:
-        '[{"referenced_actor_type":"workspace-member","referenced_actor_id":"..."}]',
+      placeholder: '[{"referenced_actor_type":"workspace-member","referenced_actor_id":"..."}]',
       condition: { field: 'operation', value: ['create_task', 'update_task'] },
       wandConfig: {
         enabled: true,
@@ -869,15 +868,15 @@ YYYY-MM-DDTHH:mm:ss.SSSZ
       type: 'short-input',
       placeholder: 'https://example.com/webhook',
       condition: { field: 'operation', value: ['create_webhook', 'update_webhook'] },
-      required: { field: 'operation', value: 'create_webhook' },
+      required: { field: 'operation', value: ['create_webhook', 'update_webhook'] },
     },
     {
       id: 'webhookSubscriptions',
       title: 'Subscriptions',
       type: 'code',
       placeholder: '[{"event_type":"record.created","filter":{"object_id":"..."}}]',
       condition: { field: 'operation', value: ['create_webhook', 'update_webhook'] },
-      required: { field: 'operation', value: 'create_webhook' },
+      required: { field: 'operation', value: ['create_webhook', 'update_webhook'] },
       wandConfig: {
         enabled: true,
         maintainHistory: true,

apps/sim/lib/webhooks/processor.ts

@@ -13,6 +13,7 @@ import { convertSquareBracketsToTwiML } from '@/lib/webhooks/utils'
 import {
   handleSlackChallenge,
   handleWhatsAppVerification,
+  validateAttioSignature,
   validateCalcomSignature,
   validateCirclebackSignature,
   validateFirefliesSignature,
@@ -597,6 +598,29 @@ export async function verifyProviderAuth(
     }
   }
 
+  if (foundWebhook.provider === 'attio') {
+    const secret = providerConfig.webhookSecret as string | undefined
+
+    if (secret) {
+      const signature = request.headers.get('Attio-Signature')
+
+      if (!signature) {
+        logger.warn(`[${requestId}] Attio webhook missing signature header`)
+        return new NextResponse('Unauthorized - Missing Attio signature', { status: 401 })
+      }
+
+      const isValidSignature = validateAttioSignature(secret, signature, rawBody)
+
+      if (!isValidSignature) {
+        logger.warn(`[${requestId}] Attio signature verification failed`, {
+          signatureLength: signature.length,
+          secretLength: secret.length,
+        })
+        return new NextResponse('Unauthorized - Invalid Attio signature', { status: 401 })
+      }
+    }
+  }
+
   if (foundWebhook.provider === 'linear') {
     const secret = providerConfig.webhookSecret as string | undefined
 

apps/sim/lib/webhooks/provider-subscriptions.ts

@@ -19,6 +19,7 @@ const calendlyLogger = createLogger('CalendlyWebhook')
 const grainLogger = createLogger('GrainWebhook')
 const lemlistLogger = createLogger('LemlistWebhook')
 const webflowLogger = createLogger('WebflowWebhook')
+const attioLogger = createLogger('AttioWebhook')
 const providerSubscriptionsLogger = createLogger('WebhookProviderSubscriptions')
 
 function getProviderConfig(webhook: any): Record<string, any> {
@@ -976,6 +977,196 @@ export async function deleteWebflowWebhook(
   }
 }
 
+export async function createAttioWebhookSubscription(
+  userId: string,
+  webhookData: any,
+  requestId: string
+): Promise<{ externalId: string; webhookSecret: string } | undefined> {
+  try {
+    const { path, providerConfig } = webhookData
+    const { triggerId, credentialId } = providerConfig || {}
+
+    if (!credentialId) {
+      attioLogger.warn(`[${requestId}] Missing credentialId for Attio webhook creation.`, {
+        webhookId: webhookData.id,
+      })
+      throw new Error(
+        'Attio account connection required. Please connect your Attio account in the trigger configuration and try again.'
+      )
+    }
+
+    const credentialOwner = await getCredentialOwner(credentialId, requestId)
+    const accessToken = credentialOwner
+      ? await refreshAccessTokenIfNeeded(
+          credentialOwner.accountId,
+          credentialOwner.userId,
+          requestId
+        )
+      : null
+
+    if (!accessToken) {
+      attioLogger.warn(
+        `[${requestId}] Could not retrieve Attio access token for user ${userId}. Cannot create webhook.`
+      )
+      throw new Error(
+        'Attio account connection required. Please connect your Attio account in the trigger configuration and try again.'
+      )
+    }
+
+    const notificationUrl = `${getBaseUrl()}/api/webhooks/trigger/${path}`
+
+    const { TRIGGER_EVENT_MAP } = await import('@/triggers/attio/utils')
+
+    let subscriptions: Array<{ event_type: string }> = []
+    if (triggerId === 'attio_webhook') {
+      const allEvents = new Set<string>()
+      for (const events of Object.values(TRIGGER_EVENT_MAP)) {
+        for (const event of events) {
+          allEvents.add(event)
+        }
+      }
+      subscriptions = Array.from(allEvents).map((event_type) => ({ event_type }))
+    } else {
+      const events = TRIGGER_EVENT_MAP[triggerId]
+      if (!events || events.length === 0) {
+        attioLogger.warn(`[${requestId}] No event types mapped for trigger ${triggerId}`, {
+          webhookId: webhookData.id,
+        })
+        throw new Error(`Unknown Attio trigger type: ${triggerId}`)
+      }
+      subscriptions = events.map((event_type) => ({ event_type }))
+    }
+
+    const requestBody = {
+      target_url: notificationUrl,
+      subscriptions,
+    }
+
+    const attioResponse = await fetch('https://api.attio.com/v2/webhooks', {
+      method: 'POST',
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify(requestBody),
+    })
+
+    if (!attioResponse.ok) {
+      const errorBody = await attioResponse.json().catch(() => ({}))
+      attioLogger.error(
+        `[${requestId}] Failed to create webhook in Attio for webhook ${webhookData.id}. Status: ${attioResponse.status}`,
+        { response: errorBody }
+      )
+
+      let userFriendlyMessage = 'Failed to create webhook subscription in Attio'
+      if (attioResponse.status === 401) {
+        userFriendlyMessage = 'Attio authentication failed. Please reconnect your Attio account.'
+      } else if (attioResponse.status === 403) {
+        userFriendlyMessage =
+          'Attio access denied. Please ensure your integration has webhook permissions.'
+      }
+
+      throw new Error(userFriendlyMessage)
+    }
+
+    const responseBody = await attioResponse.json()
+    const data = responseBody.data || responseBody
+    const webhookId = data.id?.webhook_id || data.webhook_id || data.id
+    const secret = data.secret
+
+    if (!webhookId) {
+      attioLogger.error(
+        `[${requestId}] Attio webhook created but no webhook_id returned for webhook ${webhookData.id}`,
+        { response: responseBody }
+      )
+      throw new Error('Attio webhook creation succeeded but no webhook ID was returned')
+    }
+
+    if (!secret) {
+      attioLogger.warn(
+        `[${requestId}] Attio webhook created but no secret returned for webhook ${webhookData.id}. Signature verification will be skipped.`,
+        { response: responseBody }
+      )
+    }
+
+    attioLogger.info(
+      `[${requestId}] Successfully created webhook in Attio for webhook ${webhookData.id}.`,
+      { attioWebhookId: webhookId }
+    )
+
+    return { externalId: webhookId, webhookSecret: secret || '' }
+  } catch (error: unknown) {
+    const message = error instanceof Error ? error.message : String(error)
+    attioLogger.error(
+      `[${requestId}] Exception during Attio webhook creation for webhook ${webhookData.id}.`,
+      { message }
+    )
+    throw error
+  }
+}
+
+export async function deleteAttioWebhook(
+  webhook: any,
+  _workflow: any,
+  requestId: string
+): Promise<void> {
+  try {
+    const config = getProviderConfig(webhook)
+    const externalId = config.externalId as string | undefined
+    const credentialId = config.credentialId as string | undefined
+
+    if (!externalId) {
+      attioLogger.warn(
+        `[${requestId}] Missing externalId for Attio webhook deletion ${webhook.id}, skipping cleanup`
+      )
+      return
+    }
+
+    if (!credentialId) {
+      attioLogger.warn(
+        `[${requestId}] Missing credentialId for Attio webhook deletion ${webhook.id}, skipping cleanup`
+      )
+      return
+    }
+
+    const credentialOwner = await getCredentialOwner(credentialId, requestId)
+    const accessToken = credentialOwner
+      ? await refreshAccessTokenIfNeeded(
+          credentialOwner.accountId,
+          credentialOwner.userId,
+          requestId
+        )
+      : null
+
+    if (!accessToken) {
+      attioLogger.warn(
+        `[${requestId}] Could not retrieve Attio access token. Cannot delete webhook.`,
+        { webhookId: webhook.id }
+      )
+      return
+    }
+
+    const attioResponse = await fetch(`https://api.attio.com/v2/webhooks/${externalId}`, {
+      method: 'DELETE',
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+      },
+    })
+
+    if (!attioResponse.ok && attioResponse.status !== 404) {
+      const responseBody = await attioResponse.json().catch(() => ({}))
+      attioLogger.warn(
+        `[${requestId}] Failed to delete Attio webhook (non-fatal): ${attioResponse.status}`,
+        { response: responseBody }
+      )
+    } else {
+      attioLogger.info(`[${requestId}] Successfully deleted Attio webhook ${externalId}`)
+    }
+  } catch (error) {
+    attioLogger.warn(`[${requestId}] Error deleting Attio webhook (non-fatal)`, error)
+  }
+}
+
 export async function createGrainWebhookSubscription(
   _request: NextRequest,
   webhookData: any,
@@ -1611,6 +1802,7 @@ type RecreateCheckInput = {
 /** Providers that create external webhook subscriptions */
 const PROVIDERS_WITH_EXTERNAL_SUBSCRIPTIONS = new Set([
   'airtable',
+  'attio',
   'calendly',
   'webflow',
   'typeform',
@@ -1626,6 +1818,7 @@ const SYSTEM_MANAGED_FIELDS = new Set([
   'externalSubscriptionId',
   'eventTypes',
   'webhookTag',
+  'webhookSecret',
   'historyId',
   'lastCheckedTimestamp',
   'setupCompleted',
@@ -1686,6 +1879,16 @@ export async function createExternalWebhookSubscription(
       updatedProviderConfig = { ...updatedProviderConfig, externalId }
       externalSubscriptionCreated = true
     }
+  } else if (provider === 'attio') {
+    const result = await createAttioWebhookSubscription(userId, webhookData, requestId)
+    if (result) {
+      updatedProviderConfig = {
+        ...updatedProviderConfig,
+        externalId: result.externalId,
+        webhookSecret: result.webhookSecret,
+      }
+      externalSubscriptionCreated = true
+    }
   } else if (provider === 'calendly') {
     const externalId = await createCalendlyWebhookSubscription(webhookData, requestId)
     if (externalId) {
@@ -1736,7 +1939,7 @@ export async function createExternalWebhookSubscription(
 
 /**
  * Clean up external webhook subscriptions for a webhook
- * Handles Airtable, Teams, Telegram, Typeform, Calendly, Grain, and Lemlist cleanup
+ * Handles Airtable, Attio, Teams, Telegram, Typeform, Calendly, Grain, and Lemlist cleanup
  * Don't fail deletion if cleanup fails
  */
 export async function cleanupExternalWebhook(
@@ -1746,6 +1949,8 @@ export async function cleanupExternalWebhook(
 ): Promise<void> {
   if (webhook.provider === 'airtable') {
     await deleteAirtableWebhook(webhook, workflow, requestId)
+  } else if (webhook.provider === 'attio') {
+    await deleteAttioWebhook(webhook, workflow, requestId)
   } else if (webhook.provider === 'microsoft-teams') {
     await deleteTeamsSubscription(webhook, workflow, requestId)
   } else if (webhook.provider === 'telegram') {

apps/sim/lib/webhooks/utils.server.ts

@@ -1395,6 +1395,41 @@ export function validateLinearSignature(secret: string, signature: string, body:
   }
 }
 
+/**
+ * Validates an Attio webhook request signature using HMAC SHA-256
+ * @param secret - Attio webhook signing secret (plain text)
+ * @param signature - Attio-Signature header value (hex-encoded HMAC SHA-256 signature)
+ * @param body - Raw request body string
+ * @returns Whether the signature is valid
+ */
+export function validateAttioSignature(secret: string, signature: string, body: string): boolean {
+  try {
+    if (!secret || !signature || !body) {
+      logger.warn('Attio signature validation missing required fields', {
+        hasSecret: !!secret,
+        hasSignature: !!signature,
+        hasBody: !!body,
+      })
+      return false
+    }
+
+    const computedHash = crypto.createHmac('sha256', secret).update(body, 'utf8').digest('hex')
+
+    logger.debug('Attio signature comparison', {
+      computedSignature: `${computedHash.substring(0, 10)}...`,
+      providedSignature: `${signature.substring(0, 10)}...`,
+      computedLength: computedHash.length,
+      providedLength: signature.length,
+      match: computedHash === signature,
+    })
+
+    return safeCompare(computedHash, signature)
+  } catch (error) {
+    logger.error('Error validating Attio signature:', error)
+    return false
+  }
+}
+
 /**
  * Validates a Circleback webhook request signature using HMAC SHA-256
  * @param secret - Circleback signing secret (plain text)

apps/sim/tools/attio/create_list.ts

@@ -66,7 +66,11 @@ export const attioCreateListTool: ToolConfig<AttioCreateListParams, AttioCreateL
     }),
     body: (params) => {
       const apiSlug =
-        params.apiSlug || params.name?.toLowerCase().replace(/[^a-z0-9]+/g, '_').replace(/^_|_$/g, '')
+        params.apiSlug ||
+        params.name
+          ?.toLowerCase()
+          .replace(/[^a-z0-9]+/g, '_')
+          .replace(/^_|_$/g, '')
       const data: Record<string, unknown> = {
         name: params.name,
         api_slug: apiSlug,