AAAND further, @JustinC, “oh shit that works!” Here’s an example:
Let’s say you want to make one of your POST endpoints (“workflow endpoints” as Bubble calls them) available, but only via a username and password. Further, let’s say you’re OK with allowing the user to put their credentials in the querystring.
Let’s create an endpoint that will return the user’s first name. Create your endpoint like this:
Querystring params email and pass are the user’s email address and password, right? (Duh, I know.)
Here’s our workflow:
Call your endpoint. As you know, this endpoint in dev mode will be:
https://your-app-base-url.com/version-test/api/1.1/wf/return-my-first-name?email=useremail@example.com&pass=userpassword
Let’s call it from Postman with an email and password pair that are valid. In this case, the user’s first name is “Lodgable”… We see:
Now let’s call it without any arguments:
OK, that’s cool. (Though I suppose I could do without Bubble telling you OH HAI, THIS MUST BE SOME LOGINABLE SHIT RIGHT HERE, PUT IN AN EMAIL!!!)
And so now we try it with an invalid email and pass:
Well, we don’t run the workflow. So that’s cool. But GEEZUS Bubble, could you make it any easier to invite a brute-force attack? (I dunno… is this what REST APIs are supposed to do? This one seems a little overly friendly if you ask me.)
And so now we try with a known email, but give the wrong pass:
Well, thanks again, Bubble. But hey, at least our workflow does not run.
Obviously, it’s better to have these things in the POST body and not expose them as querystrings. But that’s how you can make that work, @JustinC.
NOW, I know what you’re saying about the above example. You are saying:
“Well, that looks a lot more like a GET request than a POST. How can I do this as a GET?”
The answer is that you can’t without some shenanigans. The GET side of the Bubble API is reserved for the dorky built-in DATA API. (Frankly, I think this sucks.)
However, if you DID want to expose this POST and make it accessible as a GET, you can put Amazon API Gateway in front of your API. It can do little tricks like turn a GET into a POST. I’ve shown how to do that elsewhere in the Forums. To find a screenshot of that, you could search @keith AAPIG and it should turn up.
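An added example, not part of the original post: a log-review sketch for the two risks the post points at, credentials sitting in the querystring and repeated failed calls against the endpoint. The log line format (`ip method url status`), the non-200 status on a failed call, and the threshold are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, urlencode

WF_PATH = "/api/1.1/wf/return-my-first-name"  # endpoint path from the post
SECRET_PARAMS = {"pass"}                      # querystring params to mask
THRESHOLD = 3                                 # assumed: failures per client before flagging

# Constructed sample lines in an assumed "ip method url status" format.
SAMPLE_LOG = """\
203.0.113.9 POST /version-test/api/1.1/wf/return-my-first-name?email=a@example.com&pass=guess1 401
203.0.113.9 POST /version-test/api/1.1/wf/return-my-first-name?email=a@example.com&pass=guess2 401
203.0.113.9 POST /version-test/api/1.1/wf/return-my-first-name?email=b@example.com&pass=guess3 400
198.51.100.4 POST /version-test/api/1.1/wf/return-my-first-name?email=c@example.com&pass=correct 200
198.51.100.4 POST /version-test/api/1.1/wf/return-my-first-name?email=c@example.com&pass=typo 401
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def redact(url):
    """Mask secret querystring values so they do not persist in stored logs."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query=urlencode(pairs)).geturl()

def analyse(log_text):
    """Return (redacted lines, clients at/over THRESHOLD failures, emails tried per client)."""
    redacted, failures, emails = [], defaultdict(int), defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ip, method, url, status = m.groups()
        redacted.append(f"{ip} {method} {redact(url)} {status}")
        parts = urlsplit(url)
        # Assumption: any non-200 response on this endpoint is a failed login.
        if parts.path.endswith(WF_PATH) and status != "200":
            failures[ip] += 1
            email = dict(parse_qsl(parts.query)).get("email")
            if email:
                emails[ip].add(email)
    flagged = {ip: n for ip, n in failures.items() if n >= THRESHOLD}
    return redacted, flagged, {ip: sorted(emails[ip]) for ip in flagged}
```

The same redaction step applies to any proxy or gateway placed in front of the endpoint, since a URL with `pass=` in it is written to access logs as-is.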