Expose a REST API for site members to login - similar to a 3rd party authentication

I’d like to create endpoints for a login via a REST API for our site’s members. This way we can log users in from another device’s App (iOS, Android, etc.); allowing that user to access member specific pages without having to manually login.

Prefer a 2-legged approach with token validations, but open to see what is possible. There seems to already be (backend) functionality to generate a session token, but unfortunately it still requires inputs thereafter via UI (not possible via API) and not remotely. As an alternative to a REST-API, I have tried to inject javascript (from the App) to complete the log-in form and/or utilize a special function on such page, but pages on wix.com seem to prevent javascript injections.
I am able to successfully create the 1st part of the 2 legged approach, but the 2nd part (to actually login) fails due to prevention of using the ‘wix-users’ library from the “http-functions.js” file - and that file is the required file for exposing any APIs.

To clarify some more. I am able to create an endpoint (1st of 2) to get the sessionToken via ‘wix-users-backend’, but that ‘login()’ process requires to complete the login via client-side’s ‘applySessionToken()’. That is where to problem occurs, since it is Impossible to call that (‘applySessionToken()’), and therefore Impossible to create another endpoint utilizing ‘wix-users’ (or many other files/libraries too). Any attempt, for any connection (direct or indirect exposure) from the “http-functions.js” file (which is the file required (only file) to expose any endpoint), causes a Wix-Server Error (code = 500). I have tried many ways without success.

For those who want to see (working) code for the 1st leg, here you go:

// Sample URL Used (which works) https://www.mysite.com/_functions/apiForTokenForLogIn?userName=testUserName@mysite.com&password=anytestpassword
import wixUsers from 'wix-users-backend'; 
import { badRequest, forbidden, get, notFound, ok, response, use, serverError } from 'wix-http-functions';

export function get_apiForTokenForLogIn(request) {
 let userName = String(request.query.userName);
 let usersPassword = String(request.query.password);
 return wixUsers.login(userName, usersPassword)
  .then( (sessionToken) => {
 let successReturnValueObject = {
      headers: {
 "Content-Type": "application/json"
      body: {
 "sessionToken": sessionToken,
 // this is an estimated amount could be 120 secs
 "expiry": "90.0",
 return ok(successReturnValueObject);
  .catch( (error) => {
 let errorMessage = "could not access session token for user, since failed authentication.";
 let failedReturnValueObject = {
      headers: {
 "Content-Type": "application/json"
      body: {
 "errorMessage": errorMessage,
 "error": String(error),
 "userName": userName
 return badRequest(failedReturnValueObject);
 } // End of 'get_apiForTokenForLogIn' Function

… later I posted this for more Wix coding insights: https://www.wix.com/corvid/forum/community-discussion/member-s-login-session-token-help-better-wix-coding-from-lessons-learned


Once someone from Wix (or otherwise) can help me resolve getting to step 2, I can publish a set of explanatory docs to do this - if that is okay and wanted.

1 Like

removed a duplicated post

1 Like

Good luck with that.
Wix/Corvid won’t even provide 2FA for user accounts.
I guess it will remain relegated to hobbyist status.

You can’t run a business website in 2019 without proper 2FA options.
I wouldn’t dare unless the business and associated risk is about as complex as a lemonade stand …

1 Like

@brainstorrrm m From what I can see within Wix, it is possible adding in your own MFA type verification, while a user is signing in. That can be done for when a user is signing in themselves - aka not via API, a federated account, nor a 3rd-party SSO. You just need to add in a service or create one via Twillio. There are a bunch of services out there (some are free to start), you can even do a simple SMS verification from services (or build via Twilio too) like: 'https://www.plivo.com/ ', or 'https://www.nexmo.com/products/verify ', etc.

You would simply store the wix-site users mobile numbers and then use that info via external fetch-request. It may be better to create your own sign-in form (custom fields); therefore not messing with wix-supplied form’s code. That is not difficult to create.

There is technically a small nuance between SMS Verify and true (more proper) MFA, whereby MFA the device is registered - and that would be tougher to do especially if you want MDM control.

Like ‘Heath H-M’ said ( @zerotime ) it is something that will need more detail to complete the process, though there is plenty of documentation by those services.

I hope that helps ya …

Not to hijack your original post, which is a very interesting concept … but I have to respond to the lack of 2FA with Wix/Corvid.

Sure, it’s easy enough to implement.
I wrote a sample for Time-based One-time Password Algorithm (TOPT) here:

Requested 2FA from Wix before the Corvid name change:
Two Factor Authentication (2fa)

Shared how to easily send SMS via Twilio:
SMS via Twilio

You can do all that for your websites or any client’s sites.
However, it’s all for naught if my own Wix/Corvid account is not secured with 2FA.
Look at all the big corporations getting hacked every year - millions of accounts and related user information floating in the “interweb” and dark web.
It can happen to anyone.

Direct competitors like Zoho (I use their free “email for life” with Wix/Corvid domain names) not only encourage 2FA, they demand it - as they should.

Personally, anything important is protected by various forms of 2FA, including YubiKey.
I don’t understand how Wix/Covid can cater to small businesses without offering 2FA.

While I’m on a rant:

  • No database tools like bulk delete etc.

  • You can code your own and they are horribly slow.

  • Importing data is limited to 10,000 records at a time - painful, and good enough for … well, something like a lemonade stand or personal movie collection, or some other hobbyist type stuff.

To be fair, the price is hard to beat for what you’re getting, which is why I play here and learn JS.
But a business site does not sound reasonable or realistic.

Ah I see your point - you meant for your own login as contributor/admin to your own site. My apologies as I assumed it had to do with a site-member’s login, since we’re all on this post. I’d suggest to create a call ticket with Wix’s tech support and make a feature request. As from what I’ve learned (and IMHO) in that last 10 days (while trying to resolve my issue), your suggestion should be a Wix feature request not so much Corvid.

Anyhow, I completely agree that Wix should offer a 2FA as a security measure for its customers, and at the very least to the site’s Admins. 2FA is helpful in preventing login-based vulnerabilities - a worthy front-line measure. I will definitely make sure to make that request to help build up momentum. Thanks.

@yoav-wix @yisrael-wix @home8723 @brett-haralson

Hey there all!

I am trying really hard to get someone to help me out here. I have poured over the Wix docs and scoured the web, but there is no solution for my issue. I have spent hours on the phone with tech support, even today itself spent 3 hours with different supervisors seeing how we can get a message across to the Corvid Team (in lieu of forum), or at the least try to bypass this direct communication “hermetic-seal” :wink: created. I am a developer myself therefore I had first tried to solve this without reaching out for help. I’d like to apologize if you’ve seen my comments elsewhere trying to get your attention.

Personally, I am fan of the platform that Wix is building especially with Corvid; even after my experience for the last 10 days.

My situation is something that should be possible by Wix/Corvid. I feel the easiest solution is to open up (allow) the ‘wix-users’ library to be available from the file (backend) that allows us to expose APIs – the “http-functions.js” file. Unless there is another way, please share - I am all ears!

1 Like

@reveel , You wrote… “I feel the easiest solution is to open up (allow) the ‘wix-users’ library to be available from the file (backend)”

The wix-users-backend API is available (as the name of the API implies) from the backend.

@yisrael-wix Hi!! Thanks for reaching out. Yes I do agree with that observation. Although, how do you suggest that I complete the login process via REST API Endpoint? I can get the session token, but can’t apply it.

@reveel The example code snippet for the generateSessionToken() API function shows a scenario that sounds very similar to what you are accomplishing. Generate the token in the backend and then pass up to the client-side (which is where the session actually exists).

@yisrael-wix That is where the problem is, since the client side doesn’t allow to be executed via Endpoint. Since the “http-functions.js” is the only place we can expose/create an API Endpoint from. I have even tried to have the app use some javascript injection (in lieu of API Endpoint), but fails too.

@yisrael-wix I hope I am able to get my point across. I can provide some more info here.

The example in the API Reference docs shows the process starting from a login page or some sort of user execution - which means a manual log-in, and not a API based login.

Unless I am missing something please do let me know … Thank you

First off, you wrote, “I have even created 2 post.” Please realize that multiple posts does not help - it only adds noise to the forum. In other words - spam.

I do believe that 2FA will eventually be possible through the API - but I really don’t know when this might be. I’ll try to find out from the wix-users team.

Using the current API might be possible, but I don’t have an answer for you now. I’ll try to find if there’s a way - maybe some here at Wix has tried this.

RE: 2 posts , it was the suggestion from WIx Supervisor to do so. Since I felt the same as you stated, is reason why I made sure to be upfront and clear about it in all my communications. I had no intention of spam.

RE: 2FA , That is not my post nor issue, but I do agree with him that Wix should offer (at least to) Site Admins a 2FA Log-in. Altho that is a completely separate issue than my need.

RE: “Using the current API might be possible” - You are referencing my issue via my post, correct? - the issue to login a user via REST API Endpoints, without user manually executing.

I do want to thank you for connecting with me. When can I expect an answer back on my issue?

@yisrael-wix Since no one has posted/commented on the new post, is it okay for me to delete that one? - since all communication is here now

I did some checking and 2FA is being worked on, but no ETA yet. This feature will be available in the regular wix-user API login.

However, this won’t necessarily provide a solution for remote access login (via http-functions). Basically what you’re looking for is a way to implement OAuth to allow access to your site’s backed from a remote client. I am trying to find out if anyone here at Wix has done this.

@reveel That’s fine. Meanwhile I’m trying to find out more about your issue.

Oh, and sorry about my spam comment. It’s just that from time to time some members will add comments in [many] multiple posts asking the same question. We’re cool.

1 Like

RE: 2FA - Got it, thanks. I am assuming that new API functionality (i.,e. Corvid coding) will allow us to apply 2FA for our wix-site’s members (aka ‘wix-users’ library), and not for our own login, into wix.com as the site’s admin or contributor. I only made that assumption since that (later) login would be touching to Wix’s Corporate side (affecting our site access upon bad code), but If I am incorrect lmk.

RE: My Issue - Yes, your description is correct on my need. It only seems logical (IMHO), that if we can generate session tokens, then we should be able to complete the login process via endpoints. Side Note: I do not need a full OAuth 2.0 flow, as I can handle otherwise with the 2nd leg. Again I appreciate you working on this, so that we can get this resolved!


I removed the other (newer) post and references to it too.

Thanks for addressing the spam mention :slight_smile: !

1 Like