Fix webhook payload deserialize #118
Open
adv76 wants to merge 4 commits into
Cleaned up the json converter for webhook events
Added missing enum members to the webhook event type category parser
1 issue found across 2 files
Confidence score: 3/5
- There is a concrete validation gap in src/Resend.Webhooks/Json/WebhookEventConverter.cs: required webhook fields are not guaranteed to be present or unique, so malformed payloads can pass and deserialize into partially default event objects.
- Given the reported severity (7/10) and high confidence (9/10), this carries real user-impact risk around webhook correctness, so this is not a no-risk merge.
- Pay close attention to src/Resend.Webhooks/Json/WebhookEventConverter.cs - enforce required-field presence and reject duplicate keys during conversion/validation.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="src/Resend.Webhooks/Json/WebhookEventConverter.cs">
<violation number="1" location="src/Resend.Webhooks/Json/WebhookEventConverter.cs:39">
P1: Required webhook fields are not enforced as present and unique; duplicate or missing keys can bypass validation and produce partially default-deserialized events.</violation>
</file>
0 issues found across 1 file (changes from recent commits).
Requires human review: The webhook converter is a critical path for handling incoming events; rewriting the deserialization logic to handle out-of-order properties and buffer data as JsonElement adds complexity and risk, so a human reviewer should verify correctness and edge cases.
Resolves #107 by changing the deserialization logic in the WebhookEventHandler.
Currently the webhook payloads coming from Resend have the properties in a different order than the docs show and the converter is designed to parse. Further complicating things is the fact that the event type is required to know how to parse the data field, but the type comes after the data.
To fix this, the new converter loads the properties (in any order) and temporarily stores the webhook data as a JsonElement. After all of the fields are parsed, the JsonElement is deserialized into the correct type for the webhook.
Summary by cubic
Fix webhook payload deserialization so events are parsed correctly even when fields arrive out of order, with stricter validation. Resolves #107.
- type, created_at, and data in any order with checks for duplicates, missing fields, and unknown properties in WebhookEventConverter.
- data as JsonElement, then deserialize after the event type is known.
- WebhookEventTypeCategory: EmailFailed, EmailReceived, EmailScheduled, EmailSuppressed.

Written for commit de11f46. Summary will update on new commits.
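
The approach the description outlines (read the three fields in any order, buffer data as a JsonElement, bind it once the type is known, and reject duplicate, missing or unknown properties), as an added example that is not the PR's code. DemoEvent, EmailData, DemoEventConverter and the "email.sent" type string are assumptions made for illustration.

```csharp
#nullable enable
using System;
using System.Text.Json;
using System.Text.Json.Serialization;

// Hypothetical types for this example; not the ones in Resend.Webhooks.
public sealed class EmailData { [JsonPropertyName("email_id")] public string? EmailId { get; set; } }
public sealed record DemoEvent(string Type, DateTime CreatedAt, object Data);

public sealed class DemoEventConverter : JsonConverter<DemoEvent>
{
    public override DemoEvent Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
    {
        if (reader.TokenType != JsonTokenType.StartObject) throw new JsonException("Expected an object");
        string? type = null; DateTime createdAt = default; JsonElement data = default;
        int seen = 0; // bit flags: 1 = type, 2 = created_at, 4 = data

        while (reader.Read() && reader.TokenType == JsonTokenType.PropertyName)
        {
            string name = reader.GetString()!;
            int bit = name switch { "type" => 1, "created_at" => 2, "data" => 4,
                _ => throw new JsonException($"Unknown property '{name}'") };
            // Reject a repeated key instead of letting a later value replace an earlier one.
            if ((seen & bit) != 0) throw new JsonException($"Duplicate property '{name}'");
            seen |= bit;

            reader.Read(); // move from the property name to its value
            if (bit == 1) type = reader.GetString();
            else if (bit == 2) createdAt = reader.GetDateTime();
            else data = JsonElement.ParseValue(ref reader); // buffer: the type may not be known yet
        }
        if (seen != 7 || type is null) throw new JsonException("Missing type, created_at or data");

        // Only now, with the type known, is the buffered payload bound to a concrete class.
        object payload = type switch
        {
            "email.sent" => data.Deserialize<EmailData>(options) ?? throw new JsonException("data is null"),
            _ => throw new JsonException($"Unsupported event type '{type}'"),
        };
        return new DemoEvent(type, createdAt, payload);
    }

    public override void Write(Utf8JsonWriter writer, DemoEvent value, JsonSerializerOptions options)
        => throw new NotSupportedException();
}
```

Registered through JsonSerializerOptions.Converters, the converter accepts a constructed payload whose data property precedes type, and throws JsonException when type appears twice or created_at is absent.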