Display webhook secret in dashboard

[iuwqyir]

<!--

## title your PR with this format: "[Dashboard] Feature: Display and Mask Webhook Secret in Contracts Webhooks List"

If you did not copy the branch name from Linear, paste the issue tag here (format is TEAM-0000):
INFRA-1524

## Notes for the reviewer

This PR introduces a new column to the Contracts Webhooks table to display the `webhook_secret`.

Key points:
- The secret is masked for security, showing `**********` followed by the last 3 characters (e.g., `**********xyz`).
- The full secret can be copied to the clipboard using the adjacent copy button.
- No backend changes were required as the `webhook_secret` is already available in the `WebhookResponse`.

## How to test

1. Navigate to a project's webhooks page on the dashboard (`/dashboard/[team_slug]/[project_slug]/webhooks`).
2. Observe the new "Webhook Secret" column in the table.
3. Verify that the secrets are displayed in the masked format (`**********xyz`).
4. Click the copy icon next to a masked secret and confirm that the full secret is copied to your clipboard.

-->

---

Slack Thread

---

PR-Codex overview

This PR introduces a new function to mask webhook secrets in the WebhooksTable component, enhancing security by obscuring sensitive information while still allowing users to copy the original secret.

Detailed summary

• Added maskWebhookSecret function to mask webhook secrets.
• Integrated masked secret display in the WebhooksTable component.
• Updated the table to include a new column for "Webhook Secret" with masked values.
• Implemented a CopyTextButton for copying the original secret.

✨ Ask PR-Codex anything about this PR by commenting with /codex {your question}

Summary by CodeRabbit

• New Features
  • Added a new "Webhook Secret" column to the webhooks table, displaying masked webhook secrets for improved privacy.
  • Included a copy button to easily copy the full unmasked webhook secret to the clipboard.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 32add5f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
thirdweb-www	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jul 15, 2025 8:07pm

4 Skipped Deployments

Name	Status	Preview	Comments	Updated (UTC)
docs-v2	⬜️ Skipped (Inspect)			Jul 15, 2025 8:07pm
nebula	⬜️ Skipped (Inspect)			Jul 15, 2025 8:07pm
thirdweb_playground	⬜️ Skipped (Inspect)			Jul 15, 2025 8:07pm
wallet-ui	⬜️ Skipped (Inspect)			Jul 15, 2025 8:07pm

[coderabbitai]

"""

Walkthrough

A utility function to mask webhook secrets was introduced, and the ContractsWebhooksTable component was updated to display a new column showing masked webhook secrets with a copy-to-clipboard button for the full secret. The new column appears between the existing "Webhook URL" and "Created" columns. No other logic was changed.

Changes

File(s)	Change Summary
.../webhooks/components/WebhooksTable.tsx	Added maskWebhookSecret function; added new column to ContractsWebhooksTable to show masked secrets and copy button.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant ContractsWebhooksTable
    participant Clipboard

    User->>ContractsWebhooksTable: View webhooks table
    ContractsWebhooksTable->>ContractsWebhooksTable: Mask webhook secret using maskWebhookSecret
    ContractsWebhooksTable-->>User: Display masked secret and copy button
    User->>ContractsWebhooksTable: Click copy button
    ContractsWebhooksTable->>Clipboard: Copy full secret to clipboard

Loading

Assessment against linked issues

Objective	Addressed	Explanation
Configure secret for Contracts Webhook to prevent spoofing (INFRA-1524)	❌	Only the display and masking of the secret in the UI was implemented; there is no evidence of secret configuration or backend enforcement to prevent spoofing.

Assessment against linked issues: Out-of-scope changes

Code Change	Explanation
Addition of UI masking and copy functionality for webhook secret (WebhooksTable.tsx)	This change is focused on UI/UX and does not address the backend or actual configuration of secrets, which is the core requirement of the linked issue.
"""

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)

• TEAM-0000: Entity not found: Issue - Could not find referenced Issue.

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between da3d336 and 32add5f.

📒 Files selected for processing (1)

• apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/webhooks/components/WebhooksTable.tsx (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/webhooks/components/WebhooksTable.tsx

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)

• GitHub Check: E2E Tests (pnpm, vite)
• GitHub Check: Unit Tests
• GitHub Check: E2E Tests (pnpm, webpack)
• GitHub Check: Build Packages
• GitHub Check: Size
• GitHub Check: Lint Packages
• GitHub Check: Analyze (javascript)

✨ Finishing Touches

• 📝 Generate Docstrings

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[graphite-app]

How to use the Graphite Merge Queue

Add either label to this PR to merge it via the merge queue:

• merge-queue - adds this PR to the back of the merge queue
• hotfix - for urgent hot fixes, skip the queue and merge this PR next

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 56.42%. Comparing base (5f74b3c) to head (32add5f).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #7610   +/-   ##
=======================================
  Coverage   56.42%   56.42%           
=======================================
  Files         906      906           
  Lines       58126    58126           
  Branches     4222     4222           
=======================================
  Hits        32795    32795           
  Misses      25223    25223           
  Partials      108      108           

Flag	Coverage Δ
packages	56.42% <ø> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/webhooks/components/WebhooksTable.tsx (1)

33-40: Consider security implications of revealing the last 3 characters.

The masking function reveals the last 3 characters of the webhook secret, which could potentially aid in brute force attacks or social engineering if secrets follow predictable patterns. While this matches the PR requirements, consider if this level of revelation is necessary for user experience.

Additionally, consider extracting this utility function to a shared location if it might be used elsewhere:

+// Move to @/lib/utils.ts or similar
+export function maskWebhookSecret(secret: string): string {
+  if (!secret || secret.length <= 3) {
+    return secret;
+  }
+  const lastThreeChars = secret.slice(-3);
+  const maskedPart = "*".repeat(10);
+  return maskedPart + lastThreeChars;
+}

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4f02f6e and da3d336.

📒 Files selected for processing (1)

• apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/webhooks/components/WebhooksTable.tsx (2 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

**/*.{ts,tsx}

Instructions used from:

Sources:
📄 CodeRabbit Inference Engine

• CLAUDE.md

apps/{dashboard,playground-web}/**/*.{tsx,ts}

Instructions used from:

Sources:
📄 CodeRabbit Inference Engine

• CLAUDE.md

🧠 Learnings (1)

apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/webhooks/components/WebhooksTable.tsx (10)

Learnt from: CR
PR: thirdweb-dev/js#0
File: .cursor/rules/dashboard.mdc:0-0
Timestamp: 2025-06-30T10:26:04.389Z
Learning: Applies to dashboard/**/hooks/**/*.{ts,tsx} : Prefer API routes or server actions to keep tokens secret; the browser only sees relative paths.

Learnt from: arcoraven
PR: thirdweb-dev/js#7505
File: apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/webhooks/analytics/components/WebhookAnalyticsCharts.tsx:186-204
Timestamp: 2025-07-10T10:18:33.238Z
Learning: The ThirdwebBarChart component in apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/webhooks/analytics/components/WebhookAnalyticsCharts.tsx does not accept standard accessibility props like `aria-label` and `role` in its TypeScript interface, causing compilation errors when added.

Learnt from: CR
PR: thirdweb-dev/js#0
File: CLAUDE.md:0-0
Timestamp: 2025-06-30T10:25:29.489Z
Learning: Applies to apps/{dashboard,playground-web}/**/*.{tsx,ts} : Client Side Data Fetching: Keep tokens secret via internal API routes or server actions

Learnt from: CR
PR: thirdweb-dev/js#0
File: .cursor/rules/dashboard.mdc:0-0
Timestamp: 2025-06-30T10:26:04.389Z
Learning: Applies to dashboard/**/api/**/*.{ts,tsx} : Accessing server-only environment variables or secrets.

Learnt from: CR
PR: thirdweb-dev/js#0
File: CLAUDE.md:0-0
Timestamp: 2025-06-30T10:25:29.489Z
Learning: Applies to apps/{dashboard,playground-web}/**/*.{tsx,ts} : Server Side Data Fetching: Use `Authorization: Bearer` header – never embed tokens in URLs

Learnt from: CR
PR: thirdweb-dev/js#0
File: .cursor/rules/dashboard.mdc:0-0
Timestamp: 2025-06-30T10:26:04.389Z
Learning: Applies to dashboard/**/components/*.client.tsx : Interactive UI that relies on hooks (`useState`, `useEffect`, React Query, wallet hooks).

Learnt from: CR
PR: thirdweb-dev/js#0
File: .cursor/rules/dashboard.mdc:0-0
Timestamp: 2025-06-30T10:26:04.389Z
Learning: Applies to dashboard/**/components/*.client.tsx : Anything that consumes hooks from `@tanstack/react-query` or thirdweb SDKs.

Learnt from: CR
PR: thirdweb-dev/js#0
File: CLAUDE.md:0-0
Timestamp: 2025-06-30T10:25:29.488Z
Learning: Applies to apps/{dashboard,playground-web}/**/*.{tsx,ts} : Use design system tokens (e.g., `bg-card`, `border-border`, `text-muted-foreground`)

Learnt from: CR
PR: thirdweb-dev/js#0
File: CLAUDE.md:0-0
Timestamp: 2025-06-30T10:25:29.489Z
Learning: Applies to apps/{dashboard,playground-web}/**/*.{tsx,ts} : Client Components: Handle interactive UI with React hooks (`useState`, `useEffect`, React Query, wallet hooks)

Learnt from: CR
PR: thirdweb-dev/js#0
File: .cursor/rules/dashboard.mdc:0-0
Timestamp: 2025-06-30T10:26:04.389Z
Learning: Applies to dashboard/**/hooks/**/*.{ts,tsx} : Keep `queryKey` stable and descriptive for cache hits.

🧬 Code Graph Analysis (1)

apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/webhooks/components/WebhooksTable.tsx (1)

apps/dashboard/src/@/components/ui/CopyTextButton.tsx (1)

• CopyTextButton (9-68)

🔇 Additional comments (1)

apps/dashboard/src/app/(app)/team/[team_slug]/[project_slug]/(sidebar)/webhooks/components/WebhooksTable.tsx (1)

139-162: Well-implemented column with good UX patterns.

The webhook secret column implementation follows established patterns from the codebase:

• Consistent use of CopyTextButton component matching the webhook URL column
• Appropriate monospace font for the masked secret display
• Proper truncation and responsive design
• Clear tooltip labeling for the copy action

The implementation correctly separates the display value (masked) from the copy value (full secret), providing good security UX.

[github-actions]

size-limit report 📦

Path	Size	Loading time (3g)	Running time (snapdragon)	Total time
thirdweb (esm)	63.25 KB (0%)	1.3 s (0%)	260 ms (+121.41% 🔺)	1.6 s
thirdweb (cjs)	353.31 KB (0%)	7.1 s (0%)	943 ms (+1.41% 🔺)	8.1 s
thirdweb (minimal + tree-shaking)	5.7 KB (0%)	114 ms (0%)	100 ms (+1621.11% 🔺)	214 ms
thirdweb/chains (tree-shaking)	526 B (0%)	11 ms (0%)	35 ms (+1228.08% 🔺)	45 ms
thirdweb/react (minimal + tree-shaking)	19.59 KB (0%)	392 ms (0%)	93 ms (+392.79% 🔺)	485 ms

[iuwqyir]

Merge activity

• Jul 15, 7:58 PM UTC: The merge label 'merge-queue' was detected. This PR will be added to the Graphite merge queue once it meets the requirements.
• Jul 15, 7:58 PM UTC: iuwqyir added this pull request to the Graphite merge queue.
• Jul 15, 8:08 PM UTC: Merged by the Graphite merge queue.