Skip to content

Fix webhook payload deserialize#118

Open
adv76 wants to merge 4 commits into
resend:mainfrom
adv76:fix-webhook-payload-deserialize
Open

Fix webhook payload deserialize#118
adv76 wants to merge 4 commits into
resend:mainfrom
adv76:fix-webhook-payload-deserialize

Conversation

@adv76

@adv76 adv76 commented May 16, 2026

Copy link
Copy Markdown
Contributor

Resolves #107 by changing the deserialization logic in the WebhookEventHandler.

Currently the webhook payloads coming from Resend have the properties in a different order than the docs show and the converter is designed to parse. Further complicating things is the fact that the event type is required to know how to parse the data field, but the type comes after the data.

To fix this, the new converter loads the properties (in any order) and temporarily stores the webhook data as a JsonElement. After all of the fields are parsed, the JsonElement is deserialized into the correct type for the webhook.


Summary by cubic

Fix webhook payload deserialization so events are parsed correctly even when fields arrive out of order, with stricter validation. Resolves #107.

  • Bug Fixes
    • Read type, created_at, and data in any order with checks for duplicates, missing fields, and unknown properties in WebhookEventConverter.
    • Buffer data as JsonElement, then deserialize after the event type is known.
    • Map missing email event types in WebhookEventTypeCategory: EmailFailed, EmailReceived, EmailScheduled, EmailSuppressed.

Written for commit de11f46. Summary will update on new commits. Review in cubic

adv76 added 3 commits May 15, 2026 22:53
Cleaned up the json converter for webhook events
Added missing enum members to the webhook event type category parser

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 2 files

Confidence score: 3/5

  • There is a concrete validation gap in src/Resend.Webhooks/Json/WebhookEventConverter.cs: required webhook fields are not guaranteed to be present or unique, so malformed payloads can pass and deserialize into partially default event objects.
  • Given the reported severity (7/10) and high confidence (9/10), this carries real user-impact risk around webhook correctness, so this is not a no-risk merge.
  • Pay close attention to src/Resend.Webhooks/Json/WebhookEventConverter.cs - enforce required-field presence and reject duplicate keys during conversion/validation.
Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="src/Resend.Webhooks/Json/WebhookEventConverter.cs">

<violation number="1" location="src/Resend.Webhooks/Json/WebhookEventConverter.cs:39">
P1: Required webhook fields are not enforced as present and unique; duplicate or missing keys can bypass validation and produce partially default-deserialized events.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Re-trigger cubic

Comment thread src/Resend.Webhooks/Json/WebhookEventConverter.cs

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

0 issues found across 1 file (changes from recent commits).

Requires human review: The webhook converter is a critical path for handling incoming events; rewriting the deserialization logic to handle out-of-order properties and buffer data as JsonElement adds complexity and risk, so a human reviewer should verify correctness and edge cases.
Re-trigger cubic

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Webhook Deserialization Issue

1 participant