Webhook Signature Validation

Hello all! I’m working on a custom app to make our product 1shotapi.com available, which will allow you to automate onchain interactions (read and execute transactions!). I’ve already done IFTTT and n8n implementations, and now doing Make, which has some very nice qualities. I have my basic modules set up and working!

My next project is a webhook trigger. I created a Dedicated Webhook, and an Instant Trigger module. I am pretty sure I want a detached webhook, where Make generates a URL that I can put into my system. What I’m really wondering about is how to do some validation. Our system provides an ED-25519 signature with each webhook, and each destination URL is assigned its own public/private keypair. On the client side (Make), I need to validate the webhook data using the public key (which the user would enter as a parameter for the webhook trigger module). I have all the algorithms for doing this, in pure JS, so that’s not an issue. But I can’t figure out the actual flow I would use to do this? There’s “verification”, “response”, “iterate”, etc, but none of them seem to actually validate the call and reject it.

Can anybody sketch out what I need to do for this? Seems like I want an RPC call that can do the validation with a custom function, but I’m not sure how to hook that in.

Thanks in advance!

I have been through the wringer with AI, the docs, and the web on this one. None of them agree, AI keeps trying to have me use a non-existent app development SDK and hooks, and none of this stuff exists on the web. It seems like the VS Code Apps Editor is identical to the Web app editor as far as capabilities go. Is there a way to leverage the verification section of the webhook communication section? This is not what it’s for as I understand the docs, it’s for webhook systems that validate the availability of the endpoint. What about the iterate.condition?

I’m thinking of making a filter module type that you could chain, that would do the validation after the webhook trigger. It’s not clean and basically not doing it would be a security issue, but I think that would allow me to get the job done. Any opinions?

Welcome to the Make Community!

There is no “verification” section. However, it is possible to have a different response based on conditions from the request. This way, you can handle the response to the caller service that requires a verification response.

For more information, see the Partner Training centre and Custom Apps documentation.

Hope this helps! Let me know if there are any further questions or issues.

@samliew

Thanks for the response! Unfortunately it doesn’t really get to the heart of my problem. I spoke incorrectly, “verification” is part of the webhook specification, not the Communication block.

What I need to do, when data is received on a webhook, either in the webhook or in the instant trigger, is verify the signature on the received data. If the data is bad, the scenario should not trigger. Or, it needs to error out, but in any case, it should not process the scenario if bad data shows up.

Is there a way to run a custom function on the webhook and stop the flow? Thanks!

You can run custom functions as shown in the documentation,

"condition": "{{ if(body.code, true, false) }}",

Replace the “if” function with your custom function of choice.

Hope this helps! Let me know if there are any further questions or issues. P.S.: investing some effort into the tutorials in the Make Academy will save you lots of time and frustration using Make!

@samliew
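
The check this thread is asking about, written out as an added example (not code from any poster, from 1Shot API or from Make): verify the Ed25519 signature over the raw body bytes and return false on any malformed input. It uses Node's built-in `crypto`; the base64 encoding of key and signature, the function names and the sample payload are assumptions.

```javascript
const crypto = require("crypto");

// DER header that wraps a raw 32-byte Ed25519 key as SubjectPublicKeyInfo.
const SPKI_PREFIX = Buffer.from("302a300506032b6570032100", "hex");

// Assumption: the user-entered public key is the raw 32 bytes, base64-encoded.
function publicKeyFromBase64(b64) {
  const raw = Buffer.from(String(b64 || ""), "base64");
  if (raw.length !== 32) throw new Error("Ed25519 public key must be 32 bytes");
  return crypto.createPublicKey({
    key: Buffer.concat([SPKI_PREFIX, raw]), format: "der", type: "spki",
  });
}

// True only if the signature covers exactly these body bytes.
// Missing or malformed inputs return false, so the caller fails closed.
function verifyWebhook(rawBody, signatureB64, publicKeyB64) {
  try {
    const sig = Buffer.from(String(signatureB64 || ""), "base64");
    if (sig.length !== 64) return false; // Ed25519 signatures are 64 bytes
    const key = publicKeyFromBase64(publicKeyB64);
    return crypto.verify(null, Buffer.from(rawBody), key, sig);
  } catch {
    return false;
  }
}

// Raw 32-byte key as base64: strip the 12-byte SPKI header from the DER export.
const rawB64 = (pub) =>
  pub.export({ format: "der", type: "spki" }).subarray(12).toString("base64");

// Constructed sample data: throwaway keypairs stand in for the sending system.
function demo() {
  const sender = crypto.generateKeyPairSync("ed25519");
  const other = crypto.generateKeyPairSync("ed25519");
  const body = '{"event":"transaction.executed","id":"constructed-123"}';
  const sig = crypto.sign(null, Buffer.from(body), sender.privateKey).toString("base64");
  const pub = rawB64(sender.publicKey);
  return {
    valid: verifyWebhook(body, sig, pub),
    tamperedBody: verifyWebhook(body.replace("123", "124"), sig, pub),
    // Re-serialized JSON has different bytes, so verify before parsing.
    reserialized: verifyWebhook(JSON.stringify(JSON.parse(body), null, 1), sig, pub),
    missingSignature: verifyWebhook(body, undefined, pub),
    wrongKey: verifyWebhook(body, sig, rawB64(other.publicKey)),
  };
}
console.log(demo());
```

The `reserialized` case is the one that most often breaks real integrations: the signature must be checked against the bytes as received, before any JSON parsing or re-encoding.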