feat(triggers): add Notion webhook triggers #3989

Merged: waleedlatif1 merged 4 commits into staging from waleedlatif1/add-notion-trigger on Apr 6, 2026

waleedlatif1 (Collaborator) commented Apr 6, 2026

Summary

  • Adds 9 Notion webhook triggers covering the full event lifecycle: page (created, properties updated, content updated, deleted), database (created, schema updated, deleted), comment (created), and a generic all-events webhook trigger
  • Implements Notion provider handler with HMAC SHA-256 signature verification, event filtering via matchEvent, and structured input formatting — following the new WebhookProviderHandler registry pattern
  • Webhooks are configured manually through the Notion integration UI (Notion does not support programmatic webhook creation)

Test plan

  • Verify each trigger appears in the Notion block's trigger dropdown
  • Confirm webhook signature verification works with a valid X-Notion-Signature header
  • Test event filtering: sending a page.created event only triggers notion_page_created, not other triggers
  • Test generic notion_webhook trigger receives all event types
  • Verify setup instructions display correctly with manual webhook configuration steps

Add 9 Notion webhook triggers covering the full event lifecycle:
- Page events: created, properties updated, content updated, deleted
- Database events: created, schema updated, deleted
- Comment events: created
- Generic webhook trigger (all events)

Implements provider handler with HMAC SHA-256 signature verification,
event filtering via matchEvent, and structured input formatting.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

cursor bot commented Apr 6, 2026

PR Summary

Medium Risk
Adds a new Notion webhook provider with HMAC signature verification and event filtering, which affects webhook ingestion/security-sensitive paths. Main risk is misconfigured signature handling or trigger/event mapping causing missed or unintended workflow executions.

Overview
Adds Notion webhook triggers for page, database, and comment lifecycle events plus a generic all-events trigger, and exposes them in the Notion integration metadata and Notion block trigger dropdown.

Implements and registers a notion WebhookProviderHandler with HMAC SHA-256 X-Notion-Signature verification, normalized webhook input formatting, and per-trigger event matching via isNotionPayloadMatch (with notion_webhook bypassing filtering).

Reviewed by Cursor Bugbot for commit d2719f5. Configure here.


vercel bot commented Apr 6, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| docs | Skipped | Skipped | Apr 6, 2026 6:45pm |


greptile-apps bot commented Apr 6, 2026

Greptile Summary

This PR adds 9 Notion webhook triggers covering the full event lifecycle: page (created, properties updated, content updated, deleted), database (created, schema updated, deleted), comment (created), and a generic all-events trigger. It introduces a notionHandler following the WebhookProviderHandler registry pattern with HMAC SHA-256 signature verification via createHmacVerifier, and a shared utils.ts with output builders, event-to-trigger mapping, and setup instructions.

Key implementation highlights:

  • Event filtering in matchEvent uses a TRIGGER_EVENT_MAP lookup and isNotionPayloadMatch to route payloads to the correct specific trigger, or passes all events to notion_webhook
  • The webhookSecret field is optional (required: false) and uses password: true masking — appropriate since signature verification gracefully skips if no secret is configured
  • Previously-reported bugs (type field collision from ...buildAuthorOutputs() spread, misleading signing secret description) have been resolved in subsequent commits (a4eef8b, 0a77dad)
  • The generic trigger correctly returns true for all events; specific triggers return a 200 "ignored" response for mismatched event types (correct behavior for Notion's delivery expectations)

Minor findings:

  • notionSetupInstructions('all desired') in webhook.ts produces the phrase "Select the all desired event type(s)." which is grammatically awkward
  • logger.debug is used in notion.ts — the project guidelines only enumerate logger.info, logger.warn, and logger.error as approved methods

Confidence Score: 5/5

This PR is safe to merge; only minor style suggestions remain after previously-reported P1 issues were resolved.

Both prior P1 findings (type field collision from spread in output builders, confusing verification_token description) were fixed in follow-up commits. The remaining findings are P2 style issues (awkward setup instructions text, logger.debug usage) that do not affect correctness or security. The HMAC verification logic, event routing, output schemas, and registry wiring are all correct.

No files require special attention; webhook.ts has minor text wording worth cleaning up but does not block merge.

Important Files Changed

| Filename | Overview |
| --- | --- |
| apps/sim/lib/webhooks/providers/notion.ts | New Notion HMAC provider handler using createHmacVerifier factory; matchEvent routes by triggerId with dynamic import of isNotionPayloadMatch |
| apps/sim/lib/webhooks/providers/registry.ts | notionHandler registered under 'notion' key, alphabetical ordering maintained |
| apps/sim/triggers/notion/utils.ts | Shared utilities: output builders (page/database/comment/generic), event-to-trigger map, setup instructions, and isNotionPayloadMatch; previously-reported spread/type collision bug fixed |
| apps/sim/triggers/notion/webhook.ts | Generic all-events trigger; setup instructions text uses 'all desired' producing slightly awkward rendered phrase |
| apps/sim/triggers/notion/page_created.ts | Primary trigger with dropdown selector (includeDropdown: true), correct output builder and provider assignment |
| apps/sim/triggers/notion/index.ts | Clean barrel export of all 9 Notion triggers |
| apps/sim/triggers/registry.ts | All 9 Notion triggers (notion_page_created through notion_webhook) registered correctly |
| apps/sim/blocks/blocks/notion.ts | NotionV2Block extended with all 9 trigger subBlocks spread and triggers.available list populated |

Sequence Diagram

sequenceDiagram
    participant N as Notion
    participant S as Sim Webhook Endpoint
    participant H as notionHandler
    participant U as isNotionPayloadMatch
    participant W as Workflow

    N->>S: POST /webhook/{path} + X-Notion-Signature header
    S->>H: verifyAuth (createHmacVerifier)
    H-->>H: validateNotionSignature (HMAC SHA-256)
    alt no webhookSecret configured
        H-->>S: null (pass-through)
    else signature missing
        H-->>S: 401 Unauthorized
        S-->>N: 401
    else signature invalid
        H-->>S: 401 Unauthorized
        S-->>N: 401
    else valid
        H-->>S: null (continue)
    end
    S->>H: matchEvent (triggerId from providerConfig)
    alt triggerId == notion_webhook
        H-->>S: true (accept all events)
    else specific trigger ID
        H->>U: isNotionPayloadMatch(triggerId, body)
        alt body.type in TRIGGER_EVENT_MAP[triggerId]
            U-->>H: true
            H-->>S: true
        else event type mismatch
            U-->>H: false
            H-->>S: 200 {message: ignored}
            S-->>N: 200
        end
    end
    S->>H: formatInput
    H-->>S: {id, type, timestamp, authors, entity, data, …}
    S->>W: execute workflow with structured input
    W-->>N: 200 OK

Reviews (3): Last reviewed commit: "refactor(webhooks): use createHmacVerifi..." | Re-trigger Greptile
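
The flow in the sequence diagram above, as an added TypeScript example that is not code from this PR or from the Sim code base: verify the HMAC SHA-256 signature over the raw body in constant time, then route by event type. Assumptions: the header carries a hex digest with an optional `sha256=` prefix; `EVENT_MAP`, `sign`, `signatureOk` and `handleDelivery` are hypothetical names; the 400 on unparseable JSON is an addition; the secret and body are constructed samples.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto'

type Outcome = { status: number; action: 'run' | 'ignored' | 'rejected' }

// Hypothetical stand-in for the PR's TRIGGER_EVENT_MAP; only the pairing named on the page.
const EVENT_MAP: Record<string, string[]> = { notion_page_created: ['page.created'] }

// Hex HMAC-SHA256 over the raw request bytes, as the sender would compute it.
function sign(secret: string, rawBody: string): string {
  return createHmac('sha256', secret).update(rawBody, 'utf8').digest('hex')
}

// Constant-time comparison. Assumed header form: hex digest, optional "sha256=" prefix.
function signatureOk(secret: string, rawBody: string, header: string | undefined): boolean {
  if (!header) return false
  const got = Buffer.from(header.replace(/^sha256=/, ''), 'utf8')
  const want = Buffer.from(sign(secret, rawBody), 'utf8')
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return got.length === want.length && timingSafeEqual(got, want)
}

function handleDelivery(
  secret: string | undefined,
  triggerId: string,
  rawBody: string,
  header: string | undefined
): Outcome {
  // With no secret configured the diagram passes through: the body is then unauthenticated.
  if (secret && !signatureOk(secret, rawBody, header)) return { status: 401, action: 'rejected' }
  // Parse only after authentication, from the same bytes that were signed.
  let type: unknown
  try {
    type = JSON.parse(rawBody).type
  } catch {
    return { status: 400, action: 'rejected' } // added here; not a branch in the diagram
  }
  if (triggerId === 'notion_webhook') return { status: 200, action: 'run' }
  const allowed = EVENT_MAP[triggerId] ?? []
  return typeof type === 'string' && allowed.includes(type)
    ? { status: 200, action: 'run' }
    : { status: 200, action: 'ignored' }
}

// Constructed sample secret and delivery body.
const SECRET = 'example-signing-secret'
const BODY = JSON.stringify({ id: 'evt_1', type: 'page.created' })
```

Verification runs on the raw request string, so a framework that re-serializes the parsed JSON before this step would produce a different digest and reject valid deliveries.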

Rename nested `type` fields to `entity_type`/`parent_type` to avoid
collision with processOutputField's leaf node detection which checks
`'type' in field`. Remove spread of author outputs into `authors`
array which was overwriting `type: 'array'`.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…token

Update placeholder and description to distinguish the signing secret
(used for HMAC-SHA256 signature verification) from the verification_token
(one-time challenge echoed during initial setup).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
waleedlatif1 (Collaborator, Author) commented:

@greptile

waleedlatif1 (Collaborator, Author) commented:

@cursor review

Replace inline verifyAuth boilerplate with createHmacVerifier utility,
consistent with Linear, Ashby, Cal.com, Circleback, Confluence, and
Fireflies providers.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
waleedlatif1 (Collaborator, Author) commented:

@greptile

waleedlatif1 (Collaborator, Author) commented:

@cursor review

@cursor cursor bot left a comment

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit d2719f5. Configure here.

@waleedlatif1 waleedlatif1 merged commit 21e5b5c into staging Apr 6, 2026
12 checks passed
@waleedlatif1 waleedlatif1 deleted the waleedlatif1/add-notion-trigger branch April 6, 2026 19:05