API authentication

Hey can anyone advise on a safe way of sending user email and password to my own external API. Some GET calls I am making require the user’s email and password to return some specific user data. Obviously it’s not safe to send them in the parameters each time I make the call so can someone suggest a better way to do this? Thanks guys :slight_smile:

You’re going to have to send something in the clear, or as good as in the clear (like base64 encoded), like the email address.

If you are totally in control of your own external API, then if this were my solution I’d probably…

Take the email and password
Hash it AES256

Pass the following headers
B64 of (email concat timestamp)
AES 256 hash of (B64 above concat password hash)

On arrival you

Check timestamp is under 20 minutes old
Decode B64 to get the email out
Repeat hashing and use hash matching function in your code to check the hashes match

Your password on your side is probably hashed and salted and rehashed so you need whatever salting is needed on the bubble side so that you can repeat the process with the inputted password that will be checked on your side, and still only pass hashed data.

The timestamp is important as if something gets intercepted they only have 20 minutes to brute force it which it not long enough.

First, you should not, in any way, have access to your users password. That’s rule number one. Don’t. Do. That.

If you own the api you most create another form of authentication with temporary revocable tokens. You could read this example here, am willing to share the plug-in I mention:

Thanks both for your help. I have no users and the site isn’t live so don’t worry I’m not actually sending sensitive data in the open.
I have no experience with API’s or security so struggling to wrap my head around all this.
I do own the external API which I have currently created with no authentication and it’s just flask restful, I made it quite quickly just to get started. My own API works as a middle man between bubble and a separate game API which returns user specific data to my own API which i manipulate and send to bubble. The idea is that I take the user’s email and password for the game on sign up and pass it on to my own API to use.
Does the way that you describe in that post support this idea? Can i encrypt data on bubble and decrypt it in my own API?

Glad to hear this haven’t been implemented yet :slight_smile:
Do your own api need to the users credentials to function? Or would it be sufficient that the security-layer was a token that authenticated the bubble-app as a whole, and then fetched the user by their unique id?
No matter what, its really bad practise to touch the users password in any way, so you should think of methods to authenticate with you api without extracting passwords.

If you use the built in api connector the requests are done server side. You could use a simple token in your header and use userId for each request. This would be a simple yet fairly secure model.

The jwt method in the post is a step up, but I would say wait a bit with this.

Yes it requires the user creds to function as the whole point is getting user specific data onto the bubble app.

I got the point. My point is that what it sounds like you need is simply a way to authorizer the whole bubble app with your api, instead of authorizing every single request.

For example: If you external api is your source of truth and holds all critical data, consider a user object:
{id, name, email, value, another_value, bubble_user_id}

Your request from bubble could be: domain.com/user?bubble_id={bubble_user_id}
and in the header you have a token to authorize bubbles app with your api. You dont need to send back and fort the users passwords to do this.