Verify JWT's signature

Hi guys,
I am trying to follow this guide to verify a signature being sent from Wix.
So far I wasn’t able to figure out the verify signature part. I tried the crypto module with HASH or SIGN but it did not work with the Public key.

Does anyone have any clue?

Hi @AvivAizen, from what I remember I found it a bit tricky to fully understand what Wix exactly is doing, mostly because there are so many different options.

To help you, can you confirm which data exactly you’re receiving from Wix? Are you trying to create your own Wix app using webhooks or are you using webhooks created as part of a site-specific automation?

Hi, Thanks for getting back to me!
We’re creating an app, so we need to verify each webhook is coming from Wix.

Thanks for confirming @AvivAizen, I’ve set up a new app, but am currently having trouble accessing the test page associated with it (and thus triggering any webhook through an app).

It appears Wix has not issued a valid SSL certificate for my hostname yet and also does not allow using custom hostnames for such pages. I’ll revisit this later and will get back to you once I’ve had a chance to test this.

Great, thank you.
So far, I was able to parse the JWT and validate the expiration.
The crypto model is not working with the public key I got from Wix.
This is the format Wix are sending out the public key-

-----END PUBLIC KEY-----

Are you self-hosting n8n @AvivAizen and are you referring to the Node.js crypto module here? If so, you’d need to specifically allow the use of the crypto module inside the Code node using the NODE_FUNCTION_ALLOW_BUILTIN environment variable (for example by setting NODE_FUNCTION_ALLOW_BUILTIN=crypto or NODE_FUNCTION_ALLOW_BUILTIN=* to allow all built in modules).

I tried to use the crypto by itself, so I’m unsure if it’s inside the code node. But I will try to allow what you mentioned and see if that helps.
I thought the crypto node alone could do that.

@AvivAizen, going through the Wix document you pointed to, I can see that Wix talks about RSA-SHA256, not just SHA256, which are not the same. Just mentioning it in case there is any confusion here.

Yes, I noticed it and tried to use this algorithm but still getting errors with the private key.
Has anyone done something like that and could share how to perform it? (signing with RSA-SHA256)
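
An added example, not code from any poster in this thread nor from Wix or n8n: verifying an RSA-SHA256 (RS256) JWT in Node.js is a `crypto.verify` call with the sender's PEM public key over the token's first two segments, not a hash or a sign operation. It assumes a compact three-part JWT and a `-----BEGIN PUBLIC KEY-----` PEM; `verifyRs256Jwt` and `makeSample` are hypothetical names, and the key pair and token are constructed so the block runs offline.

```javascript
const crypto = require('crypto');

// Decode one base64url JWT segment to a Buffer.
const b64url = (seg) => Buffer.from(seg, 'base64url');

// Verify a compact RS256 JWT against a PEM public key and return its payload.
// Throws on any failure. The algorithm is pinned here, never taken from the token.
function verifyRs256Jwt(token, publicKeyPem, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const [h, p, s] = parts;
  const header = JSON.parse(b64url(h).toString('utf8'));
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  // The signature covers the ASCII bytes "<header>.<payload>" exactly as received.
  const signed = Buffer.from(`${h}.${p}`, 'ascii');
  if (!crypto.verify('RSA-SHA256', signed, publicKeyPem, b64url(s))) {
    throw new Error('bad signature');
  }
  // Only read claims after the signature has checked out.
  const payload = JSON.parse(b64url(p).toString('utf8'));
  if (typeof payload.exp === 'number' && payload.exp <= nowSec) throw new Error('expired');
  return payload;
}

// Constructed sample: a throwaway key pair and token standing in for the sender.
function makeSample() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const input = `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc({ data: 'constructed', exp: 4102444800 })}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url');
  return { publicKey, token: `${input}.${sig}` };
}

// Usage: in practice the token comes from the webhook and the PEM from the app settings.
const sample = makeSample();
console.log(verifyRs256Jwt(sample.token, sample.publicKey));
```

In a self-hosted n8n Code node, `require('crypto')` only works once `NODE_FUNCTION_ALLOW_BUILTIN` allows it, as mentioned earlier in the thread.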
