Readme

verify_discord_signature

Verify HTTP signatures coming from Discord.

  • public_key should be the Ed25519 public key from Discord, as a hex string
  • body should be the request body as a string. If you have a JSON object as the request body, use JSON.stringify.
  • signature should be the X-Signature-Ed25519 header
  • timestamp should be the X-Signature-Timestamp header

You must return a 401 error and return early if this function returns false; otherwise you will pretty quickly get a big scary warning from Discord that your endpoint has been removed. Note that you'll only be able to add one once you've integrated this correctly.

As this function only deals with strings, it doesn't matter whether you use an Express or web endpoint.

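export const verify_discord_signature = async (
  public_key: string,
  body: any,
  signature: string,
  timestamp: any, // ugly hack to allow concatenation
) => {
  const encoder = new TextEncoder();
  // Decode a hex string to bytes; null for empty, odd-length or non-hex input.
  const fromHexString = (hexString: string) =>
    /^(?:[0-9a-fA-F]{2})+$/.test(hexString)
      ? Uint8Array.from(hexString.match(/.{2}/g)!.map((byte) => parseInt(byte, 16)))
      : null;
  const nacl = await import("https://cdn.skypack.dev/tweetnacl@v1.0.3?dts");
  const sig = fromHexString(signature);
  const key = fromHexString(public_key);
  // tweetnacl throws on wrong-sized inputs, so treat them as a failed check instead.
  if (!sig || !key || sig.length !== 64 || key.length !== 32) return false;
  // This used to use node.js buffers...
  // The signed message is the timestamp concatenated with the request body.
  return nacl.sign.detached.verify(encoder.encode(timestamp + body), sig, key);
};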
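
An added example, not part of the original val: a framework-neutral gate that applies the 401 rule above and shows that the signature covers the exact bytes of timestamp + body, so a body re-serialized with different whitespace no longer verifies. It swaps tweetnacl for Node's built-in node:crypto so it runs offline; verifySignature, gate and makeFixture are hypothetical names, and the key pair is a throwaway one constructed for the demo.

```typescript
import { createPublicKey, generateKeyPairSync, sign, verify } from "node:crypto";

// DER prefix that wraps a raw 32-byte Ed25519 public key as SubjectPublicKeyInfo.
const SPKI_PREFIX = Buffer.from("302a300506032b6570032100", "hex");
const HEX = /^[0-9a-f]+$/i;

// Hypothetical helper: same inputs as verify_discord_signature, built on node:crypto,
// and returning false (never throwing) on malformed input.
export function verifySignature(publicKey: string, body: string, signature: string, timestamp: string): boolean {
  if (publicKey.length !== 64 || signature.length !== 128) return false;
  if (!HEX.test(publicKey) || !HEX.test(signature)) return false;
  try {
    const key = createPublicKey({
      key: Buffer.concat([SPKI_PREFIX, Buffer.from(publicKey, "hex")]),
      format: "der",
      type: "spki",
    });
    return verify(null, Buffer.from(timestamp + body, "utf8"), key, Buffer.from(signature, "hex"));
  } catch {
    return false;
  }
}

// Hypothetical gate: returns the HTTP status to send before any other processing.
// Header names are lower-cased, as Node's http module presents them.
export function gate(publicKey: string, headers: Record<string, string | undefined>, rawBody: string): number {
  const signature = headers["x-signature-ed25519"];
  const timestamp = headers["x-signature-timestamp"];
  if (!signature || !timestamp) return 401;
  return verifySignature(publicKey, rawBody, signature, timestamp) ? 200 : 401;
}

// Constructed fixture: a throwaway key pair signs timestamp + rawBody for the demo.
export function makeFixture(rawBody: string, timestamp: string) {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  const der = publicKey.export({ format: "der", type: "spki" });
  const data = Buffer.from(timestamp + rawBody, "utf8");
  return {
    publicKeyHex: der.subarray(der.length - 32).toString("hex"),
    headers: {
      "x-signature-ed25519": sign(null, data, privateKey).toString("hex"),
      "x-signature-timestamp": timestamp,
    },
  };
}
```

Passing a body produced by JSON.stringify only verifies when it is byte-identical to what was signed, so keep the raw request text for the check and parse it afterwards.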