@ricardogarim ricardogarim commented Jan 23, 2026

While reviewing incoming webhook integrations, we identified that application/x-www-form-urlencoded payloads with a payload field (Slack/GitHub-style webhooks) were not being properly parsed and passed to integrations.

We initially thought this scenario was covered since there was an existing test for it - and it was passing. However, upon investigation, we discovered the test itself had a bug: async assertions inside Supertest .expect() callback were never being awaited, causing the test to pass regardless of whether the assertions succeeded or failed.

Proposed changes (including videos or screenshots)

  1. Fixed the test first: Corrected the async assertion pattern so the test properly validates the behavior. This revealed the actual bug in the integration code.
  2. Fixed the payload parsing: Added proper type checking and error handling when unwrapping JSON from the payload field in x-www-form-urlencoded requests.

Issue(s)

Steps to test or reproduce

Further comments

When writing API tests with Supertest, be careful with async assertions:

Don't: Return promises inside .expect() callbacks

  await request
    .post('/hooks/...')
    .expect(200)
    .expect(async () => {
      // BAD: This promise is returned but NEVER awaited by supertest
      return request
        .get(api('channels.messages'))
        .expect(200)
        .expect((res) => {
          expect(res.body).to.have.property('success', true);
        });
    });

Why it fails silently: Supertest .expect() callback does not await returned promises. The inner request and its assertions may never complete or may fail, but the test passes anyway because the outer chain completed.

Do: Separate requests and await them explicitly

  await request
    .post('/hooks/...')
    .expect(200);

  const messagesResult = await request
    .get(api('channels.messages'))
    .expect(200);

  expect(messagesResult.body).to.have.property('success', true);
  expect(messagesResult.body).to.have.property('messages').and.to.be.an('array');

Why this works: each request is explicitly awaited, and assertions run synchronously on the resolved response. Any failure will properly fail the test.

Summary by CodeRabbit

  • Bug Fixes

    • Incoming webhook integrations now safely detect and use JSON carried inside form-encoded payload fields, improving payload parsing and message/content accuracy.
  • Tests

    • End-to-end tests updated to verify webhook behavior via explicit follow-up requests and clearer content-type assertions; payload field names standardized.
  • Chores

    • Added a changeset recording patch-level package bumps.


changeset-bot bot commented Jan 23, 2026

🦋 Changeset detected

Latest commit: 15eee70

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 40 packages
Name Type
@rocket.chat/http-router Patch
@rocket.chat/meteor Patch
@rocket.chat/core-services Patch
@rocket.chat/federation-matrix Patch
@rocket.chat/account-service Patch
@rocket.chat/authorization-service Patch
@rocket.chat/ddp-streamer Patch
@rocket.chat/omnichannel-transcript Patch
@rocket.chat/presence-service Patch
@rocket.chat/queue-worker Patch
@rocket.chat/abac Patch
@rocket.chat/network-broker Patch
@rocket.chat/omni-core-ee Patch
@rocket.chat/omnichannel-services Patch
@rocket.chat/presence Patch
rocketchat-services Patch
@rocket.chat/core-typings Patch
@rocket.chat/rest-typings Patch
@rocket.chat/uikit-playground Patch
@rocket.chat/api-client Patch
@rocket.chat/apps Patch
@rocket.chat/cron Patch
@rocket.chat/ddp-client Patch
@rocket.chat/fuselage-ui-kit Patch
@rocket.chat/gazzodown Patch
@rocket.chat/livechat Patch
@rocket.chat/model-typings Patch
@rocket.chat/ui-avatar Patch
@rocket.chat/ui-client Patch
@rocket.chat/ui-contexts Patch
@rocket.chat/ui-voip Patch
@rocket.chat/web-ui-registration Patch
@rocket.chat/license Patch
@rocket.chat/media-calls Patch
@rocket.chat/pdf-worker Patch
@rocket.chat/models Patch
@rocket.chat/mock-providers Patch
@rocket.chat/ui-video-conf Patch
@rocket.chat/instance-status Patch
@rocket.chat/omni-core Patch


coderabbitai bot commented Jan 23, 2026

Walkthrough

Incoming webhook handling now attempts to parse JSON contained in a form-encoded payload field and stores the parsed object in request context; the API router prefers a bodyParams-override context value and falls back to parsing the request body only when the override is absent. Tests were refactored to verify created messages via explicit GET requests.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Changeset: .changeset/grumpy-suns-remember.md | Adds a changeset recording patch bumps for @rocket.chat/http-router and @rocket.chat/meteor and documents the webhook payload-unwrapping fix. |
| Webhook Payload Handling: apps/meteor/app/integrations/server/api/api.ts | For form-urlencoded bodies with a payload field that is a string, try JSON.parse(payload) inside try/catch; set the parsed object (or original string on failure) into context as bodyParams-override. Adds explanatory comment. |
| Router Context Lookup: apps/meteor/app/api/server/router.ts | Use c.get('bodyParams-override') ?? (await this.parseBodyParams({ request: req })) so an explicit context override (including an empty object) is honored and parsing is skipped when present. |
| Integration Tests: apps/meteor/tests/end-to-end/api/incoming-integrations.ts | Replace nested assertion callbacks with sequential await request.get(...).expect(...).expect(...) calls to fetch channel messages; update payload property name from msg to text and set explicit Content-Type headers in relevant tests. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Client as Client (Webhook sender)
  participant Integrations as Integrations API\n(api.ts)
  participant Context as Request Context (c)
  participant Router as RocketChatAPIRouter\n(router.ts)
  participant Parser as parseBodyParams

  Client->>Integrations: POST /hooks/:id/:token (form-encoded or JSON)
  note right of Integrations: If form-encoded and body.payload is a string\ntry JSON.parse(body.payload)
  Integrations->>Context: set('bodyParams-override', parsedPayloadOrOriginal)
  Client->>Router: Request reaches router
  Router->>Context: c.get('bodyParams-override')
  alt override present
    Context-->>Router: return override (use as bodyParams)
  else override absent
    Router->>Parser: parseBodyParams({ request: req })
    Parser-->>Router: parsed bodyParams
  end
  Router->>App: forward request with resolved bodyParams

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested reviewers

  • pierre-lehnen-rc
  • KevLehman
  • sampaiodiego

Poem

🐰 I sniffed a payload, curled and tight,
A string that hid a JSON light.
I parsed with care, set it free,
Now webhooks hop and messages see! 🥕

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title accurately describes the main bug fix: incoming webhooks now properly unwrap JSON from x-www-form-urlencoded payload fields, matching the core changeset across router, API, and test files. |
| Linked Issues check | ✅ Passed | All code changes directly address CORE-1741: payload field parsing in x-www-form-urlencoded requests CORE-1741 is fixed with try/catch JSON.parse logic, and test assertions are corrected to properly validate the unwrapping behavior. |
| Out of Scope Changes check | ✅ Passed | All changes are in-scope: router refactoring improves bodyParams handling, API integration adds payload parsing logic, and test refactoring fixes async assertion patterns to properly validate the fix. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

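The unwrap-then-override flow from the walkthrough above, as an added JavaScript example that is not Rocket.Chat's code. Function names are hypothetical, the fallback parser is a simplified stand-in, and treating non-object JSON (such as `null`) as a failed unwrap is an assumption about what the type check should cover.

```javascript
// Added example, not Rocket.Chat source. All function names are hypothetical.
const OVERRIDE_KEY = 'bodyParams-override'; // context key named in the walkthrough
const FORM = 'application/x-www-form-urlencoded';

const mediaTypeOf = (header) => String(header ?? '').split(';')[0].trim().toLowerCase();

// Returns the value to store as the override, or undefined when there is nothing to unwrap.
function unwrapFormPayload(contentType, rawBody) {
  if (mediaTypeOf(contentType) !== FORM) return undefined;
  const payload = new URLSearchParams(rawBody).get('payload');
  if (typeof payload !== 'string') return undefined; // no payload field in the form
  try {
    const parsed = JSON.parse(payload);
    // Assumption: only a JSON object counts as an unwrapped body. Scalars,
    // arrays and null (valid JSON, wrong shape) keep the original string.
    const isObject = parsed !== null && typeof parsed === 'object' && !Array.isArray(parsed);
    return isObject ? parsed : payload;
  } catch {
    return payload; // malformed JSON: keep the original string, never throw
  }
}

// Stand-in for the router's normal body parser (simplified).
function parseBodyParams(contentType, rawBody) {
  if (mediaTypeOf(contentType) === FORM) return Object.fromEntries(new URLSearchParams(rawBody));
  try {
    return JSON.parse(rawBody);
  } catch {
    return {};
  }
}

// Router side: an override set in context wins; the body is parsed only when it is absent.
function resolveBodyParams(context, contentType, rawBody) {
  return context.get(OVERRIDE_KEY) ?? parseBodyParams(contentType, rawBody);
}

function handleIncomingWebhook(contentType, rawBody) {
  const context = new Map();
  const override = unwrapFormPayload(contentType, rawBody);
  if (override !== undefined) context.set(OVERRIDE_KEY, override);
  return resolveBodyParams(context, contentType, rawBody);
}

// Constructed sample: a Slack/GitHub-style form body carrying JSON in `payload`.
const sampleBody = new URLSearchParams({ payload: JSON.stringify({ text: 'deploy finished' }) }).toString();
console.log(handleIncomingWebhook(`${FORM}; charset=utf-8`, sampleBody)); // { text: 'deploy finished' }
```

Without the object check, a body of `payload=null` would parse to `null`, and the `??` lookup would silently discard the override and fall back to the raw form fields.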


dionisio-bot bot commented Jan 23, 2026

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is targeting the wrong base branch. It should target 8.2.0, but it targets 8.1.0

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

codecov bot commented Jan 23, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.87%. Comparing base (3a8520f) to head (15eee70).
⚠️ Report is 1 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #38319      +/-   ##
===========================================
+ Coverage    70.84%   70.87%   +0.02%     
===========================================
  Files         3160     3160              
  Lines       109768   109765       -3     
  Branches     19702    19727      +25     
===========================================
+ Hits         77770    77795      +25     
+ Misses       29968    29945      -23     
+ Partials      2030     2025       -5     

| Flag | Coverage Δ |
| --- | --- |
| e2e | 60.34% <ø> (+0.06%) ⬆️ |
| e2e-api | 48.83% <ø> (+0.98%) ⬆️ |
| unit | 72.06% <100.00%> (-0.02%) ⬇️ |



github-actions bot commented Jan 23, 2026

📦 Docker Image Size Report

➡️ Changes

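| Service | Current | Baseline | Change | Percent |
| --- | --- | --- | --- | --- |
| sum of all images | 0B | 0B | 0B | |
| account-service | 0B | 0B | 0B | |
| authorization-service | 0B | 0B | 0B | |
| ddp-streamer-service | 0B | 0B | 0B | |
| omnichannel-transcript-service | 0B | 0B | 0B | |
| presence-service | 0B | 0B | 0B | |
| queue-worker-service | 0B | 0B | 0B | |
| rocketchat | 0B | 0B | 0B | |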

📊 Historical Trend

Statistics (last 30 days):

  • 📊 Average: 1.5GiB
  • ⬇️ Minimum: 1.4GiB
  • ⬆️ Maximum: 1.6GiB
  • 🎯 Current PR: 0B
ℹ️ About this report

This report compares Docker image sizes from this build against the develop baseline.

  • Tag: pr-38319
  • Baseline: develop
  • Timestamp: 2026-01-28 17:57:22 UTC
  • Historical data points: 30

Updated: Wed, 28 Jan 2026 17:57:23 GMT

@ricardogarim ricardogarim force-pushed the fix/incoming-integrations-formurlencoded branch 8 times, most recently from b03a4f3 to 92dab1b Compare January 26, 2026 19:55
@ricardogarim ricardogarim changed the base branch from chore/router-improvements to develop January 26, 2026 19:55
@ricardogarim ricardogarim force-pushed the fix/incoming-integrations-formurlencoded branch 2 times, most recently from 1d45c5c to 6db259d Compare January 27, 2026 16:51
@ricardogarim ricardogarim marked this pull request as ready for review January 27, 2026 17:52
@ricardogarim ricardogarim requested a review from a team as a code owner January 27, 2026 17:52

@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 4 files

@ricardogarim ricardogarim force-pushed the fix/incoming-integrations-formurlencoded branch 2 times, most recently from edaf8bc to e50c45c Compare January 27, 2026 21:48
@ricardogarim ricardogarim added this to the 8.2.0 milestone Jan 28, 2026
@ricardogarim ricardogarim added the stat: QA assured Means it has been tested and approved by a company insider label Jan 28, 2026
@dionisio-bot dionisio-bot bot added the stat: ready to merge PR tested and approved waiting for merge label Jan 28, 2026
@d-gubert d-gubert force-pushed the fix/incoming-integrations-formurlencoded branch from e50c45c to 15eee70 Compare January 28, 2026 17:37
@kodiakhq kodiakhq bot merged commit 1c47458 into develop Jan 28, 2026
44 checks passed
@kodiakhq kodiakhq bot deleted the fix/incoming-integrations-formurlencoded branch January 28, 2026 18:35