apps/web/lib/integrations/hubspot/api.ts (1)

8-8: Avoid hard‑coding HubSpot API host; keep an env override for staging/mocks.

Restoring an env fallback preserves flexibility (proxies, sandboxes, future region changes) without altering behavior in prod.

Apply:

-  private readonly baseUrl = "https://api.hubapi.com/crm/v3";
+  private readonly baseUrl =
+    process.env.HUBSPOT_API_HOST ?? "https://api.hubapi.com/crm/v3";

apps/web/lib/integrations/hubspot/track-lead.ts (1)

5-5: Replace magic HubSpot objectTypeId literals with shared constants
• Define named constants (e.g. CONTACT_OBJECT_TYPE_ID and DEAL_OBJECT_TYPE_ID) in apps/web/lib/integrations/hubspot/constants.ts alongside HUBSPOT_OBJECT_TYPE_IDS.
• In api.ts (line 114) and track-lead.ts (lines 25, 68), import and use those constants instead of the literal "0-1"/"0-3".

apps/web/lib/paypal/schema.ts (1)

7-10: Strengthen user info validation

Validate email format and consider normalizing case. Keep schema strict or passthrough per logging/PII policy.

-export const paypalUserInfoSchema = z.object({
-  email: z.string(),
-  email_verified: z.boolean(), // Indicates whether the user's paypal email address is verified.
-});
+export const paypalUserInfoSchema = z
+  .object({
+    email: z.string().email().toLowerCase(),
+    email_verified: z.boolean(), // Indicates whether the user's paypal email address is verified.
+  })
+  .strict();

apps/web/app/api/integrations/uninstall/route.ts (1)

60-63: Avoid nulls inside Promise.all

Filter non-link-level webhooks before mapping to Promises.

-        ...webhooks.map((webhook) =>
-          isLinkLevelWebhook(webhook) ? webhookCache.delete(webhook.id) : null,
-        ),
+        ...webhooks
+          .filter((w) => isLinkLevelWebhook(w))
+          .map((w) => webhookCache.delete(w.id)),

apps/web/lib/integrations/types.ts (1)

8-25: Derive SlackAuthToken from the Slack schema to avoid drift

Hard-coding this shape risks divergence from slack/schema.ts. Re-export a z.infer from the authoritative schema.

-import { z } from "zod";
-import { hubSpotAuthTokenSchema, hubSpotContactSchema } from "./hubspot/schema";
+import { z } from "zod";
+import {
+  hubSpotAuthTokenSchema,
+  hubSpotContactSchema,
+} from "./hubspot/schema";
+import { slackAuthTokenSchema } from "./slack/schema";
@@
-export type SlackAuthToken = {
-  appId: string;
-  botUserId: string;
-  scope: string;
-  accessToken: string;
-  tokenType: string;
-  authUser: {
-    id: string;
-  };
-  team: {
-    id: string;
-    name: string;
-  };
-  incomingWebhook: {
-    channel: string;
-    channelId: string;
-  };
-};
+export type SlackAuthToken = z.infer<typeof slackAuthTokenSchema>;

apps/web/app/(ee)/api/hubspot/webhook/route.ts (1)

95-97: Token refresh: ensure typed return and error handling

If refreshTokenForInstallation can return null, guard before passing authToken to trackers, or make it throw on permanent failures.

-  const authToken =
-    await hubSpotOAuthProvider.refreshTokenForInstallation(installation);
+  const authToken =
+    await hubSpotOAuthProvider.refreshTokenForInstallation(installation);
+  // Consider: if (!authToken) return early with 2xx to avoid retries storm.

apps/web/lib/actions/get-integration-install-url.ts (1)

22-28: Use a provider map and narrow integrationSlug with z.enum
Switch to a providers map keyed by a z.enum(["slack", "hubspot"]) for integrationSlug to eliminate branching and catch invalid slugs at parse-time. PayPal is handled separately in apps/web/lib/actions/partners/generate-paypal-oauth-url.ts, so no changes needed there.

apps/web/app/(ee)/api/hubspot/callback/route.ts (1)

98-109: Use stable object type name instead of numeric ID "0-1".

HubSpot’s property APIs accept the canonical object type name ("contacts"); relying on numeric IDs is brittle.

Apply this diff:

-      waitUntil(
-        hubSpotApi.createPropertiesBatch({
-          objectType: "0-1",
-          properties: HUBSPOT_DUB_CONTACT_PROPERTIES,
-        }),
-      );
+      waitUntil(
+        hubSpotApi.createPropertiesBatch({
+          objectType: "contacts",
+          properties: HUBSPOT_DUB_CONTACT_PROPERTIES,
+        }),
+      );

apps/web/lib/integrations/hubspot/oauth.ts (1)

55-73: Refine HubSpot OAuth configuration

• “oauth” is a valid HubSpot scope and is automatically added to public apps; you can omit it for clarity but it isn’t required.
• Consider increasing the token-refresh buffer to 2–5 minutes (instead of the default) if your integration issues bursty requests.

apps/web/lib/integrations/slack/oauth.ts (1)

41-64: Consider Basic auth for code exchange.

Slack recommends HTTP Basic for oauth.v2.access. Your abstraction supports it; switching authorizationMethod to "header" would align with guidance. Optional but safer default. (api.slack.com)

   tokenSchema: slackAuthTokenSchema,
   bodyFormat: "form",
-  authorizationMethod: "body",
+  authorizationMethod: "header",

apps/web/lib/integrations/oauth-provider.ts (1)

28-44: Optional: add request timeouts for token calls.

Prevent hung requests by adding AbortController to exchange/refresh paths with a sane default (e.g., 10s) or a configurable timeoutMs in OAuthProviderConfig.

Also applies to: 122-131, 132-138

apps/web/lib/paypal/oauth.ts (1)

14-34: Set proper headers for userinfo and keep the call lean.

Use Accept: application/json and drop Content-Type on a GET.

   async getUserInfo(token: string) {
     const response = await fetch(
       `${paypalEnv.PAYPAL_API_HOST}/v1/identity/openidconnect/userinfo?schema=openid`,
       {
         headers: {
-          Authorization: `Bearer ${token}`,
-          "Content-Type": "application/x-www-form-urlencoded",
+          Authorization: `Bearer ${token}`,
+          Accept: "application/json",
         },
       },
     );

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Learnt from: CR
PR: dubinc/dub#0
File: packages/hubspot-app/CLAUDE.md:0-0
Timestamp: 2025-09-19T18:46:43.787Z
Learning: Applies to packages/hubspot-app/app/settings/**/*.{js,jsx,ts,tsx} : Do not use React components from hubspot/ui-extensions/crm in settings components

Learnt from: CR
PR: dubinc/dub#0
File: packages/hubspot-app/CLAUDE.md:0-0
Timestamp: 2025-09-19T18:46:43.787Z
Learning: Applies to packages/hubspot-app/app/settings/**/*.{js,jsx,ts,tsx} : Only use components exported by hubspot/ui-extensions in settings components

Learnt from: devkiran
PR: dubinc/dub#2839
File: apps/web/lib/integrations/hubspot/schema.ts:5-12
Timestamp: 2025-09-17T02:53:28.359Z
Learning: HubSpot's OAuth token response returns `scopes` as an array of strings, not as a space-delimited string. The schema `scopes: z.array(z.string())` in hubSpotAuthTokenSchema is correct for HubSpot's actual API response format.

apps/web/scripts/create-integration.ts (1)

10-13: Keep the integration description meaningful

Previously this script seeded a full sentence describing the integration; dropping it to the single word “Slack” will make the integrations catalog less informative for admins. Let’s keep a short actionable description so the seed data stays consistent with the other entries.

Apply this diff to restore a descriptive summary:

-      description: "Slack",
+      description: "Send Dub link activity to Slack.",

apps/web/lib/integrations/hubspot/ui/settings.tsx (1)

38-41: Trim input on submit to avoid stray spaces.
Prevents saving " closedwon ".

Apply this diff:

-      closedWonDealStageId: closedWonDealStageId || null,
+      closedWonDealStageId: closedWonDealStageId?.trim() || null,

apps/web/lib/integrations/hubspot/track-lead.ts (1)

127-163: Wrap background contact update with try/catch.
Prevents unhandled errors (e.g., partner not found) from failing the background task.

Apply this diff:

-export const _updateHubSpotContact = async ({
+export const _updateHubSpotContact = async ({
   hubSpotApi,
   contact,
   trackLeadResult,
 }: {
   hubSpotApi: HubSpotApi;
   contact: HubSpotContact;
   trackLeadResult: TrackLeadResponse;
 }) => {
-  if (contact.properties.dub_link && contact.properties.dub_partner_email) {
-    console.log(
-      `[HubSpot] Contact ${contact.id} already has dub_link and dub_partner_email. Skipping update.`,
-    );
-    return;
-  }
-
-  const properties: Record<string, string> = {};
-
-  if (trackLeadResult.link?.partnerId) {
-    const partner = await prisma.partner.findUniqueOrThrow({
-      where: {
-        id: trackLeadResult.link.partnerId,
-      },
-      select: {
-        email: true,
-      },
-    });
-
-    if (partner.email) {
-      properties["dub_partner_email"] = partner.email;
-    }
-  }
-
-  if (trackLeadResult.link?.shortLink) {
-    properties["dub_link"] = trackLeadResult.link.shortLink;
-  }
-
-  if (Object.keys(properties).length === 0) {
-    return;
-  }
-
-  await hubSpotApi.updateContact({
-    contactId: contact.id,
-    properties,
-  });
+  try {
+    if (contact.properties.dub_link && contact.properties.dub_partner_email) {
+      console.log(
+        `[HubSpot] Contact ${contact.id} already has dub_link and dub_partner_email. Skipping update.`,
+      );
+      return;
+    }
+
+    const properties: Record<string, string> = {};
+
+    if (trackLeadResult.link?.partnerId) {
+      const partner = await prisma.partner.findUnique({
+        where: { id: trackLeadResult.link.partnerId },
+        select: { email: true },
+      });
+      if (partner?.email) {
+        properties["dub_partner_email"] = partner.email;
+      }
+    }
+
+    if (trackLeadResult.link?.shortLink) {
+      properties["dub_link"] = trackLeadResult.link.shortLink;
+    }
+
+    if (Object.keys(properties).length === 0) {
+      return;
+    }
+
+    await hubSpotApi.updateContact({
+      contactId: contact.id,
+      properties,
+    });
+  } catch (err) {
+    console.error(
+      `[HubSpot] Failed to update contact ${contact.id}:`,
+      err,
+    );
+  }
 };

apps/web/lib/integrations/hubspot/api.ts (2)

7-13: Make baseUrl configurable for testing/overrides.
Allows pointing to mocks or future API host changes without edits.

Apply this diff:

 export class HubSpotApi {
-  private readonly baseUrl = "https://api.hubapi.com/crm/v3";
+  private readonly baseUrl: string;
   private readonly token: string;

-  constructor({ token }: { token: string }) {
-    this.token = token;
-  }
+  constructor({
+    token,
+    baseUrl = "https://api.hubapi.com/crm/v3",
+  }: {
+    token: string;
+    baseUrl?: string;
+  }) {
+    this.token = token;
+    this.baseUrl = baseUrl;
+  }

---

3-5: Add request timeout to avoid hanging fetches.
Prevents indefinite waits on HubSpot outages.

Apply this diff:

-type FetchOptions = Omit<RequestInit, "body"> & {
-  body?: Record<string, unknown>;
-};
+type FetchOptions = Omit<RequestInit, "body" | "signal"> & {
+  body?: Record<string, unknown>;
+  timeoutMs?: number;
+};

   private async fetch<T>(
     input: string,
     options: FetchOptions = {},
   ): Promise<T> {
-    const { body, headers, ...rest } = options;
+    const { body, headers, timeoutMs, ...rest } = options;

     const url = `${this.baseUrl}${input}`;

+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeoutMs ?? 10_000);
     const fetchOptions: RequestInit = {
       ...rest,
+      signal: controller.signal,
       headers: {
         Authorization: `Bearer ${this.token}`,
         ...(body ? { "Content-Type": "application/json" } : {}),
         ...headers,
       },
       body: body ? JSON.stringify(body) : undefined,
     };
 
-    const response = await fetch(url, fetchOptions);
+    const response = await fetch(url, fetchOptions).finally(() =>
+      clearTimeout(timer),
+    );

Also applies to: 15-33

apps/web/lib/integrations/slack/verify-request.ts (1)

36-47: Check absolute timestamp drift (future and past), not just staleness.

Use absolute delta to match Slack guidance and avoid clock-skew edge cases.

Apply:

-  const requestTimestampMaxDeltaMin = 5;
-  const fiveMinutesAgoSec =
-    Math.floor(nowMs / 1000) - 60 * requestTimestampMaxDeltaMin;
+  const requestTimestampMaxDeltaMin = 5;
+  const nowSec = Math.floor(nowMs / 1000);
+  const deltaSec = Math.abs(nowSec - requestTimestampSec);
@@
-  if (requestTimestampSec < fiveMinutesAgoSec) {
+  if (deltaSec > 60 * requestTimestampMaxDeltaMin) {
     throw new Error(
       `${verifyErrorPrefix}: x-slack-request-timestamp must differ from system time by no more than ${requestTimestampMaxDeltaMin} minutes or request is stale`,
     );
   }

apps/web/app/(ee)/api/paypal/callback/route.ts (2)

69-76: Don’t surface raw error messages to end users; map to a safe, whitelisted code.

Prevents leaking internal/provider errors via query string.

Apply:

-    if (e instanceof Error) {
-      error = e.message;
-    }
+    if (e instanceof Error) {
+      const allowed = new Set([
+        "partner_not_found",
+        "paypal_email_not_verified",
+        "invalid_state",
+      ]);
+      error = allowed.has(e.message) ? e.message : "oauth_error";
+    }

---

41-44: Explicitly assert required fields from userinfo.

Guard against schema drift (e.g., missing email_verified).

Apply:

-    if (!paypalUser.email_verified) {
+    if (!paypalUser?.email || paypalUser.email_verified !== true) {
       throw new Error("paypal_email_not_verified");
     }

apps/web/lib/integrations/slack/oauth.ts (1)

8-11: Simplify constructor - extends functionality is sufficient.

The constructor only calls super(provider) without any additional logic. Since the base OAuthProvider constructor handles all the configuration, this explicit constructor is unnecessary.

-class SlackOAuthProvider extends OAuthProvider<typeof slackAuthTokenSchema> {
-  constructor(provider: OAuthProviderConfig) {
-    super(provider);
-  }
+class SlackOAuthProvider extends OAuthProvider<typeof slackAuthTokenSchema> {

apps/web/app/api/integrations/uninstall/route.ts (2)

60-63: Avoid passing nulls into Promise.all.

Filter falsy entries for clarity.

Apply:

-      Promise.all([
+      Promise.all(
         ...(integrationId === SLACK_INTEGRATION_ID
           ? [slackOAuthProvider.uninstall(installation)]
           : []),
-
-        ...webhooks.map((webhook) =>
-          isLinkLevelWebhook(webhook) ? webhookCache.delete(webhook.id) : null,
-        ),
-      ]),
+        ...webhooks
+          .filter((w) => isLinkLevelWebhook(w))
+          .map((w) => webhookCache.delete(w.id)),
+      ),

---

14-21: Validate installationId input early.

Fail fast on missing/invalid installationId to reduce unnecessary DB calls.

   async ({ searchParams, session, workspace }) => {
-    const { installationId } = searchParams;
+    const { installationId } = searchParams;
+    if (!installationId || typeof installationId !== "string") {
+      throw new DubApiError({ code: "bad_request", message: "installationId is required." });
+    }

apps/web/lib/integrations/slack/commands.ts (2)

148-156: Use correct Slack Web API invocation for users.profile.get

This method is typically GET with Bearer token; sending POST with x-www-form-urlencoded but no body is brittle.

Apply:

-  const response = await fetch(
-    `https://slack.com/api/users.profile.get?user=${userId}`,
-    {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/x-www-form-urlencoded",
-        Authorization: `Bearer ${credentials.accessToken}`,
-      },
-    },
-  );
+  const response = await fetch(
+    `https://slack.com/api/users.profile.get?user=${userId}`,
+    {
+      headers: {
+        Authorization: `Bearer ${credentials.accessToken}`,
+      },
+    },
+  );

---

203-210: Time fields ignored by toLocaleDateString

toLocaleDateString drops hour/minute. Use toLocaleString to show time.

Apply:

-  const createdAtDate = new Date(createdAt).toLocaleDateString("en-us", {
+  const createdAtDate = new Date(createdAt).toLocaleString("en-US", {
     month: "short",
     day: "numeric",
     year: "numeric",
     hour: "numeric",
     minute: "numeric",
     hour12: true,
   });

apps/web/app/(ee)/api/hubspot/callback/route.ts (3)

114-115: Avoid possible null deref on workspace in redirect

workspace is typed as possibly null; redirect after the try can trip TS and risks future regressions.

Apply:

-  redirect(`/${workspace.slug}/settings/integrations/hubspot`);
+  // Move inside try{} after successful install:
+  // redirect(`/${workspace.slug}/settings/integrations/hubspot`);

And inside the try block right after the waitUntil block:

+    redirect(`/${workspace.slug}/settings/integrations/hubspot`);

---

55-56: Remove unused select field

defaultFolderId isn’t used; drop to reduce query cost and noise.

-            role: true,
-            defaultFolderId: true,
+            role: true,

---

86-90: Consider persisting token expiry

If token includes expires_in, store expires_at to enable proactive refresh.

Example:

 const credentials = {
   ...token,
   created_at: Date.now(),
+  // Optional if `token.expires_in` exists:
+  // expires_at: Date.now() + token.expires_in * 1000,
 };

apps/web/lib/paypal/oauth.ts (1)

18-21: Remove Content-Type on GET

GET requests don’t need x-www-form-urlencoded; some servers treat it suspiciously. Optionally set Accept: application/json.

-          Authorization: `Bearer ${token}`,
-          "Content-Type": "application/x-www-form-urlencoded",
+          Authorization: `Bearer ${token}`,
+          Accept: "application/json",

apps/web/lib/integrations/oauth-provider.ts (2)

6-18: Tie the generic parameter to the schema for proper type inference.

tokenSchema is typed as z.ZodSchema but the class is generic over T. As written, z.infer<T> isn’t guaranteed to match provider.tokenSchema. Make OAuthProviderConfig generic and use z.ZodTypeAny to preserve schema inference.

Apply this diff:

-import { z } from "zod";
+import { z } from "zod";
@@
-export interface OAuthProviderConfig {
+export interface OAuthProviderConfig<T extends z.ZodTypeAny> {
   name: string;
   clientId: string;
   clientSecret: string;
   authUrl: string;
   tokenUrl: string;
   redirectUri: string;
   scopes: string;
   redisStatePrefix: string;
-  tokenSchema: z.ZodSchema;
+  tokenSchema: T;
   bodyFormat: "form" | "json";
   authorizationMethod: "header" | "body";
 }
@@
-export class OAuthProvider<T extends z.ZodSchema> {
-  constructor(private provider: OAuthProviderConfig) {}
+export class OAuthProvider<T extends z.ZodTypeAny> {
+  constructor(private provider: OAuthProviderConfig<T>) {}

This ensures token is correctly inferred as z.infer<T> throughout.

Also applies to: 25-27

---

141-166: Make refresh flow honor provider auth method/body format; add timeout and safe logging.

Refresh currently hardcodes form + client creds in body. Align with authorizationMethod/bodyFormat, add a timeout, and sanitize logs.

Apply this diff:

   // Refresh the token
   async refreshToken(refreshToken: string): Promise<z.infer<T>> {
-    const response = await fetch(this.provider.tokenUrl, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/x-www-form-urlencoded",
-      },
-      body: new URLSearchParams({
-        grant_type: "refresh_token",
-        refresh_token: refreshToken,
-        client_id: this.provider.clientId,
-        client_secret: this.provider.clientSecret,
-      }),
-    });
-
-    const result = await response.json();
-
-    if (!response.ok) {
-      console.error(`[${this.provider.name}] refreshToken`, result);
-
-      throw new Error(
-        `[${this.provider.name}] Failed to refresh the access token. Please try again.`,
-      );
-    }
-
-    return this.provider.tokenSchema.parse(result);
+    let headers: Record<string, string> = {};
+    let body: BodyInit;
+
+    if (this.provider.authorizationMethod === "header") {
+      const credentials = Buffer.from(
+        `${this.provider.clientId}:${this.provider.clientSecret}`,
+        "utf8",
+      ).toString("base64");
+      headers["Authorization"] = `Basic ${credentials}`;
+    }
+
+    switch (this.provider.bodyFormat) {
+      case "json": {
+        headers["Content-Type"] = "application/json";
+        const payload: Record<string, string> = {
+          grant_type: "refresh_token",
+          refresh_token: refreshToken,
+        };
+        if (this.provider.authorizationMethod === "body") {
+          payload.client_id = this.provider.clientId;
+          payload.client_secret = this.provider.clientSecret;
+        }
+        body = JSON.stringify(payload);
+        break;
+      }
+      case "form":
+      default: {
+        headers["Content-Type"] = "application/x-www-form-urlencoded";
+        const params = new URLSearchParams({
+          grant_type: "refresh_token",
+          refresh_token: refreshToken,
+        });
+        if (this.provider.authorizationMethod === "body") {
+          params.append("client_id", this.provider.clientId);
+          params.append("client_secret", this.provider.clientSecret);
+        }
+        body = params.toString();
+        break;
+      }
+    }
+
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 15000);
+    try {
+      const response = await fetch(this.provider.tokenUrl, {
+        method: "POST",
+        headers: { Accept: "application/json", ...headers },
+        body,
+        signal: controller.signal,
+      });
+      const result = await response.json().catch(() => ({}));
+      if (!response.ok) {
+        console.error(`[${this.provider.name}] refreshToken`, {
+          status: response.status,
+          error: result?.error,
+          error_description: result?.error_description,
+        });
+        throw new Error(
+          `[${this.provider.name}] Failed to refresh the access token. Please try again.`,
+        );
+      }
+      return this.provider.tokenSchema.parse(result);
+    } finally {
+      clearTimeout(timeout);
+    }
   }

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Learnt from: steven-tey
PR: dubinc/dub#0
File: :0-0
Timestamp: 2025-06-19T01:46:45.723Z
Learning: PayPal webhook verification in the Dub codebase is handled at the route level in `apps/web/app/(ee)/api/paypal/webhook/route.ts` using the `verifySignature` function. Individual webhook handlers like `payoutsItemFailed` don't need to re-verify signatures since they're only called after successful verification.