How to receive raw data from the $_POST

Wappler General Need Help
,
1

Hi guys!

I reiceve webhooks from a service that i need to implement a security layer to it. In the Header of those webhooks comes a signature that is created with the raw data of the webhook itselft with my secret key as a salt to the hash, so in order to verify on my side the webhook it requires that the data comes raw so i can use my secret key with the raw data and then create the hash to validate the webhook, how can i get the raw data that came in from the $_POST? how can i disable any parse in that?

The project is made with Node.js and docker.

2

To verify the webhook using the raw request body in a Node.js (and Docker) environment—especially for validating signatures like Stripe, GitHub, or other services—you need to capture the raw body before it's parsed by middleware like body-parser or express.json().

3

Ok, but how do i do that?

4

I'm not entirely sure. Someone may need to check this, I used Ai for help. But it might get you started.

..in Wappler (Node.js + Docker)

  1. Create a new Server API action

Let’s call it: webhook_verify

You’ll find this under Server Connect > API > Add API Action
2. Edit the routing manually

Wappler by default uses express.json() which parses and loses the raw body. To get around this:
:point_right: In your Wappler project folder:

Open:

/dmxConnect/api/webhook_verify.js

Then override the default body parser for that route:

const express = require('express');
const router = express.Router();
const crypto = require('crypto');

// Use raw body parser for this specific route
router.use(express.raw({ type: '*/*' }));

router.post('/', (req, res) => {
  const secret = 'YOUR_SECRET_KEY';
  const rawBody = req.body; // Buffer
  const signatureHeader = req.headers['x-signature'] || '';

  // Generate HMAC
  const generatedSig = crypto
.createHmac('sha256', secret)
.update(rawBody)
.digest('hex');

  // Compare
  if (signatureHeader === generatedSig) {
    res.status(200).send('Verified');
  } else {
    res.status(400).send('Invalid signature');
  }
});

module.exports = router;

This will:

Skip Wappler’s default body-parser middleware

Use express.raw() so you get the raw webhook body

Let you verify signatures securely

Important Notes

Don't put Server Connect steps inside this file—it’s acting as a custom Express route.

You can’t use Wappler’s UI for steps in this case because the data needs to remain unparsed.

But you can call Server Connect APIs from inside this handler after verifying the webhook, if needed.

:test_tube: Optional: Test Locally

You can test with curl or a Postman webhook simulation like:

 curl -X POST http://localhost:3000/api/webhook_verify \
  -H "x-signature: your_expected_signature" \
  -H "Content-Type: application/json" \
  --data-binary @payload.json
5

I stopped reading here, overriding Wappler core files can bite you later :laughing:

But @jonathan92 might be in luck, this exists in the NodeJS Wappler server.js file:

app.use(express.json({
    verify: (req, res, buf) => {
        req.rawBody = buf.toString()
    }
}));

I'm not sure how to access that reqBody in a server action, these are the variables that are defined:

  this.set({
    $_ERROR: null,
    $_EXCEPTION: null,
    //$_SERVER: process.env,
    $_ENV: process.env,
    $_GET: req.query,
    $_POST: req.body,
    $_PARAM: req.params,
    $_HEADER: req.headers,
    $_COOKIE: req.cookies,
    $_SESSION: req.session,
  });

But you could create a custom route extension:

But then it's not a Server Action...

Or you could modify the Wappler core file to add that reqBody, but then you'd have to manually fix updates... Most people are best not touching core files unless they know what they're doing

6

Way out of my league here, but what about a route to an API.

image