Fix bypass bug for webhook

[elie222]

Gate webhook premium checks behind env.NEXT_PUBLIC_BYPASS_PREMIUM_CHECKS and set validateWebhookAccount to return a stub premium tier when bypassing in validate-webhook-account.ts

Adds env import and updates validateWebhookAccount to first read env.NEXT_PUBLIC_BYPASS_PREMIUM_CHECKS; when truthy, assigns a stub premium { tier: 'BUSINESS_PLUS_ANNUALLY' }, otherwise retains existing Lemon Squeezy/Stripe checks. Bumps version to v2.21.43 in version.txt.

📍Where to Start

Start with the validateWebhookAccount function in validate-webhook-account.ts.

---

Macroscope summarized 74905e2.

Summary by CodeRabbit

• Chores
  • Version bumped to v2.21.43
  • Enhanced webhook account validation to improve authentication handling in various deployment scenarios

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Updated (UTC)
inbox-zero	Ready	Preview	Dec 4, 2025 3:14pm

[coderabbitai]

Walkthrough

This pull request modifies the webhook account validation to introduce an environment-based bypass for premium checks. When NEXT_PUBLIC_BYPASS_PREMIUM_CHECKS is enabled, a synthetic premium object with "BUSINESS_PLUS_ANNUALLY" tier is used; otherwise, existing premium logic applies. The version is also bumped from v2.21.42 to v2.21.43.

Changes

Cohort / File(s)	Summary
Premium check bypass in webhook validation apps/web/utils/webhook/validate-webhook-account.ts	Adds environment-based conditional logic to bypass premium validation when NEXT_PUBLIC_BYPASS_PREMIUM_CHECKS is true, using a synthetic premium object; otherwise applies existing isPremium logic
Version bump version.txt	Updates version from v2.21.42 to v2.21.43

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• The bypass logic is straightforward conditional code (~5 lines)
• Moderate attention needed: this modifies security-sensitive authorization and premium validation behavior
• Version bump is trivial

Possibly related PRs

• Fix premium check for self-hosted #1052: Centralizes the same NEXT_PUBLIC_BYPASS_PREMIUM_CHECKS bypass into getPremiumUserFilter for use across queries—directly related to this PR's premium-check bypass pattern.
• Hide premium/billing if disabled #1025: Uses the same NEXT_PUBLIC_BYPASS_PREMIUM_CHECKS environment flag to conditionally hide premium and billing UI—coordinated with this PR's bypass mechanism.

Poem

🐰 A bypass for the premium crown so bright,
With BUSINESS_PLUS swiftly set in flight,
Version bumps by one, a gentle climb,
The rabbit hops through validation time! ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Fix bypass bug for webhook' accurately describes the main change—fixing a bypass mechanism for webhook premium checks using an environment-based toggle.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/bypass-premium

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

No issues found across 2 files

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

apps/web/utils/webhook/validate-webhook-account.ts (1)

2-2: Bypass logic fix is sound; consider centralizing tier constant

The new premium derivation behaves as intended:

• When env.NEXT_PUBLIC_BYPASS_PREMIUM_CHECKS is true, you always get a synthetic premium object, so the !premium unwatch path is skipped and hasAiAccess receives a valid tier even if user.premium is null.
• When the bypass is off, behavior falls back to the existing isPremium(...) ? emailAccount.user.premium : undefined pattern, so non‑bypass semantics are preserved.

Two small maintainability suggestions:

• Tier constant: Instead of hard‑coding "BUSINESS_PLUS_ANNUALLY", consider reusing a central tier constant / Prisma enum value so any future tier name changes don’t silently desync this bypass path.
• Encapsulation: Long‑term, it may be cleaner to move this “effective premium with bypass (including tier)” logic into a helper in @/utils/premium so this file doesn’t need to know about the specific bypass flag and tier string.

Overall, the change looks correct for fixing the webhook bypass bug.

Based on learnings, this correctly uses the typed NEXT_PUBLIC_BYPASS_PREMIUM_CHECKS env via @/env.

Also applies to: 126-133

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 905d223 and 74905e2.

📒 Files selected for processing (2)

• apps/web/utils/webhook/validate-webhook-account.ts (2 hunks)
• version.txt (1 hunks)

🧰 Additional context used

📓 Path-based instructions (10)

apps/web/**/*.{ts,tsx}

📄 CodeRabbit inference engine (apps/web/CLAUDE.md)

apps/web/**/*.{ts,tsx}: Use TypeScript with strict null checks
Use @/ path aliases for imports from project root
Use proper error handling with try/catch blocks
Format code with Prettier
Follow consistent naming conventions using PascalCase for components
Centralize shared types in dedicated type files

Import specific lodash functions rather than entire lodash library to minimize bundle size (e.g., import groupBy from 'lodash/groupBy')

Files:

• apps/web/utils/webhook/validate-webhook-account.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/data-fetching.mdc)

**/*.{ts,tsx}: For API GET requests to server, use the swr package
Use result?.serverError with toastError from @/components/Toast for error handling in async operations

**/*.{ts,tsx}: Use wrapper functions for Gmail message operations (get, list, batch, etc.) from @/utils/gmail/message.ts instead of direct API calls
Use wrapper functions for Gmail thread operations from @/utils/gmail/thread.ts instead of direct API calls
Use wrapper functions for Gmail label operations from @/utils/gmail/label.ts instead of direct API calls

**/*.{ts,tsx}: For early access feature flags, create hooks using the naming convention use[FeatureName]Enabled that return a boolean from useFeatureFlagEnabled("flag-key")
For A/B test variant flags, create hooks using the naming convention use[FeatureName]Variant that define variant types, use useFeatureFlagVariantKey() with type casting, and provide a default "control" fallback
Use kebab-case for PostHog feature flag keys (e.g., inbox-cleaner, pricing-options-2)
Always define types for A/B test variant flags (e.g., type PricingVariant = "control" | "variant-a" | "variant-b") and provide type safety through type casting

**/*.{ts,tsx}: Don't use primitive type aliases or misleading types
Don't use empty type parameters in type aliases and interfaces
Don't use this and super in static contexts
Don't use any or unknown as type constraints
Don't use the TypeScript directive @ts-ignore
Don't use TypeScript enums
Don't export imported variables
Don't add type annotations to variables, parameters, and class properties that are initialized with literal expressions
Don't use TypeScript namespaces
Don't use non-null assertions with the ! postfix operator
Don't use parameter properties in class constructors
Don't use user-defined types
Use as const instead of literal types and type annotations
Use either T[] or Array<T> consistently
Initialize each enum member value explicitly
Use export type for types
Use `impo...

Files:

• apps/web/utils/webhook/validate-webhook-account.ts

**/{server,api,actions,utils}/**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/logging.mdc)

**/{server,api,actions,utils}/**/*.ts: Use createScopedLogger from "@/utils/logger" for logging in backend code
Add the createScopedLogger instantiation at the top of the file with an appropriate scope name
Use .with() method to attach context variables only within specific functions, not on global loggers
For large functions with reused variables, use createScopedLogger().with() to attach context once and reuse the logger without passing variables repeatedly

Files:

• apps/web/utils/webhook/validate-webhook-account.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/prisma-enum-imports.mdc)

Always import Prisma enums from @/generated/prisma/enums instead of @/generated/prisma/client to avoid Next.js bundling errors in client components

Import Prisma using the project's centralized utility: import prisma from '@/utils/prisma'

Files:

• apps/web/utils/webhook/validate-webhook-account.ts

**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/security.mdc)

**/*.ts: ALL database queries MUST be scoped to the authenticated user/account by including user/account filtering in WHERE clauses to prevent unauthorized data access
Always validate that resources belong to the authenticated user before performing operations, using ownership checks in WHERE clauses or relationships
Always validate all input parameters for type, format, and length before using them in database queries
Use SafeError for error responses to prevent information disclosure. Generic error messages should not reveal internal IDs, logic, or resource ownership details
Only return necessary fields in API responses using Prisma's select option. Never expose sensitive data such as password hashes, private keys, or system flags
Prevent Insecure Direct Object References (IDOR) by validating resource ownership before operations. All findUnique/findFirst calls MUST include ownership filters
Prevent mass assignment vulnerabilities by explicitly whitelisting allowed fields in update operations instead of accepting all user-provided data
Prevent privilege escalation by never allowing users to modify system fields, ownership fields, or admin-only attributes through user input
All findMany queries MUST be scoped to the user's data by including appropriate WHERE filters to prevent returning data from other users
Use Prisma relationships for access control by leveraging nested where clauses (e.g., emailAccount: { id: emailAccountId }) to validate ownership

Files:

• apps/web/utils/webhook/validate-webhook-account.ts

**/*.{tsx,ts}

📄 CodeRabbit inference engine (.cursor/rules/ui-components.mdc)

**/*.{tsx,ts}: Use Shadcn UI and Tailwind for components and styling
Use next/image package for images
For API GET requests to server, use the swr package with hooks like useSWR to fetch data
For text inputs, use the Input component with registerProps for form integration and error handling

Files:

• apps/web/utils/webhook/validate-webhook-account.ts

**/*.{tsx,ts,css}

📄 CodeRabbit inference engine (.cursor/rules/ui-components.mdc)

Implement responsive design with Tailwind CSS using a mobile-first approach

Files:

• apps/web/utils/webhook/validate-webhook-account.ts

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)

**/*.{js,jsx,ts,tsx}: Don't use accessKey attribute on any HTML element
Don't set aria-hidden="true" on focusable elements
Don't add ARIA roles, states, and properties to elements that don't support them
Don't use distracting elements like <marquee> or <blink>
Only use the scope prop on <th> elements
Don't assign non-interactive ARIA roles to interactive HTML elements
Make sure label elements have text content and are associated with an input
Don't assign interactive ARIA roles to non-interactive HTML elements
Don't assign tabIndex to non-interactive HTML elements
Don't use positive integers for tabIndex property
Don't include "image", "picture", or "photo" in img alt prop
Don't use explicit role property that's the same as the implicit/default role
Make static elements with click handlers use a valid role attribute
Always include a title element for SVG elements
Give all elements requiring alt text meaningful information for screen readers
Make sure anchors have content that's accessible to screen readers
Assign tabIndex to non-interactive HTML elements with aria-activedescendant
Include all required ARIA attributes for elements with ARIA roles
Make sure ARIA properties are valid for the element's supported roles
Always include a type attribute for button elements
Make elements with interactive roles and handlers focusable
Give heading elements content that's accessible to screen readers (not hidden with aria-hidden)
Always include a lang attribute on the html element
Always include a title attribute for iframe elements
Accompany onClick with at least one of: onKeyUp, onKeyDown, or onKeyPress
Accompany onMouseOver/onMouseOut with onFocus/onBlur
Include caption tracks for audio and video elements
Use semantic elements instead of role attributes in JSX
Make sure all anchors are valid and navigable
Ensure all ARIA properties (aria-*) are valid
Use valid, non-abstract ARIA roles for elements with ARIA roles
Use valid AR...

Files:

• apps/web/utils/webhook/validate-webhook-account.ts

!(pages/_document).{jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/ultracite.mdc)

Don't use the next/head module in pages/_document.js on Next.js projects

Files:

• apps/web/utils/webhook/validate-webhook-account.ts
• version.txt

**/*.{js,ts,jsx,tsx}

📄 CodeRabbit inference engine (.cursor/rules/utilities.mdc)

**/*.{js,ts,jsx,tsx}: Use lodash utilities for common operations (arrays, objects, strings)
Import specific lodash functions to minimize bundle size (e.g., import groupBy from 'lodash/groupBy')

Files:

• apps/web/utils/webhook/validate-webhook-account.ts

🧠 Learnings (6)

📚 Learning: 2025-11-25T14:36:45.807Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-11-25T14:36:45.807Z
Learning: Applies to apps/web/env.ts : Add client-side environment variables to `apps/web/env.ts` under the `client` object with `NEXT_PUBLIC_` prefix and Zod schema validation

Applied to files:

• apps/web/utils/webhook/validate-webhook-account.ts

📚 Learning: 2025-11-25T14:36:43.454Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-11-25T14:36:43.454Z
Learning: Applies to apps/web/env.ts : For client-side environment variables in `apps/web/env.ts`, prefix them with `NEXT_PUBLIC_` and add them to both the `client` and `experimental__runtimeEnv` sections

Applied to files:

• apps/web/utils/webhook/validate-webhook-account.ts

📚 Learning: 2025-11-25T14:42:16.602Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-25T14:42:16.602Z
Learning: The `utils` folder contains core app logic such as Next.js Server Actions and Gmail API requests

Applied to files:

• apps/web/utils/webhook/validate-webhook-account.ts

📚 Learning: 2025-11-25T14:42:11.919Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-25T14:42:11.919Z
Learning: Applies to utils/**/*.{js,ts,jsx,tsx} : The `utils` folder contains core app logic such as Next.js Server Actions and Gmail API requests

Applied to files:

• apps/web/utils/webhook/validate-webhook-account.ts

📚 Learning: 2025-11-25T14:36:45.807Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/environment-variables.mdc:0-0
Timestamp: 2025-11-25T14:36:45.807Z
Learning: Applies to {.env.example,apps/web/env.ts} : Client-side environment variables must be prefixed with `NEXT_PUBLIC_`

Applied to files:

• apps/web/utils/webhook/validate-webhook-account.ts

📚 Learning: 2025-11-25T14:37:22.660Z

Learnt from: CR
Repo: elie222/inbox-zero PR: 0
File: .cursor/rules/gmail-api.mdc:0-0
Timestamp: 2025-11-25T14:37:22.660Z
Learning: Design Gmail wrapper functions to be provider-agnostic to support future email providers like Outlook and ProtonMail

Applied to files:

• apps/web/utils/webhook/validate-webhook-account.ts

🧬 Code graph analysis (1)

apps/web/utils/webhook/validate-webhook-account.ts (2)

apps/web/env.ts (1)

• env (17-246)

apps/web/utils/premium/index.ts (1)

• isPremium (16-26)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: cubic · AI code reviewer
• GitHub Check: Review for correctness
• GitHub Check: test

🔇 Additional comments (1)

version.txt (1)

1-1: Version bump aligned with PR scope

Version increment to v2.21.43 cleanly tracks the webhook bypass fix; no behavioral impact here.