Verify JWT's signature

AvivAizen · December 3, 2023, 9:18am

Hi guys,
I am trying to follow this guide to verify a signature being sent from Wix.
So far I wasn’t able to figure out the verify signature part. I tried the crypto module with HASH or SIGN but it did not work with the Public key.

Does anyone have any clue?

MutedJam · December 5, 2023, 2:37pm

Hi @AvivAizen, from what I remember I found it a bit tricky to fully understand what Wix exactly is doing, mostly because there are so many different options.

To help you, can you confirm which data exactly you’re receiving from Wix? Are you trying to create your own Wix app using webhooks or are you using webhooks created as part of a site-specific automation?

AvivAizen · December 5, 2023, 3:04pm

Hi, Thanks for getting back to me!
We’re creating an app. so we need to verify each webhook is coming from wix.

MutedJam · December 6, 2023, 9:44am

Thanks for confirming @AvivAizen, I’ve set up a new app, but am currently having trouble accessing the test page associated with it (and thus triggering any webhook through an app).

It appears Wix has not issued a valid SSL certificate for my dev-site-....wixdev-sites.org hostname yet and also does not allow using custom hostnames for such pages. I’ll revisit this later and will get back to you once I had a chance to test this.

AvivAizen · December 6, 2023, 10:32am

Great, thank you.
So far, i was able to parse the JWT and validate the expiration.
The crypto model is not working with the public key i got from Wix.
This is the format Wix are sending out the public key-

-----BEGIN PUBLIC KEY-----
XXXXXX
-----END PUBLIC KEY-----

MutedJam · December 6, 2023, 12:01pm

Are you self-hosting n8n @AvivAizen and are you referring to the Node.js crypto module here? If so, you’d need to specifically allow the use of the crypto module inside the Code node using the NODE_FUNCTION_ALLOW_BUILTIN environment variable (for example by setting NODE_FUNCTION_ALLOW_BUILTIN=crypto or NODE_FUNCTION_ALLOW_BUILTIN=* to allow all built in modules).

AvivAizen · December 10, 2023, 7:47am

I tried to use the crypto by itself, so I’m unsure if it’s inside the code node. But I will try to allow what you mentioned and see if that helps.
I thought the crypto node alone could do that.

ihortom · December 10, 2023, 10:02pm

@AvivAizen , going through the WIX document you pointed out to I can see that WIX talks about RSA-SHA256 , not just SHA256, which are not the same. Just mentioning it in case there is a confusion here.

AvivAizen · December 11, 2023, 8:27am

Yes, I noticed it and tried to use this algorithm but still getting errors with the private key.
Has anyone done something like that and could share how to perform it? (signing with RSA-SHA256)

system · March 13, 2024, 2:56am

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.