API login switches user account logged in

mebeingken · February 21, 2018, 2:37am

Hey Folks,

Could really use some help here. I am successfully retrieving data via various calls using the API Connector.

My problem specifically is with connecting to Paypal to import transactions. I do not have any desire to log the user in via Paypal, but it is my understanding that this is how I go about using oauth within Bubble.

I created a sample app that shows what I’m doing, but to describe here: I use a workflow to create a user, which naturally logs that user in. I then login with paypal. So far, so good. I get the authorization screen and return.

I then create a new user, and again connect to Paypal. I authorization a different paypal account, and return to find that my bubble user has now reverted to the first user. Some screen shots below to try and help:

Appreciate any help you all can provide!

–Ken

stevenrichardlevy · March 17, 2018, 8:05am

Hi Ken - did you work out this issue in the end, as I am struggling with the same thing

Thanks in advance

mebeingken · March 17, 2018, 2:00pm

Hey @stevenrichardlevy. I stopped using the Login w/social concept altogether, and handle the Oauth2 token dances manually, and I am very happy with the solution. Before starting you go the the vendor in question, login and create an application to get your app id, secret, etc. Each vendor implements their own flavor of the dance, but the basic flow is this:

–Using whatever trigger you’d like, direct the user to the vendor for authentication. This is where the user sees the allow this app type of screen.
–When the user approves, they will be redirected back to a url in bubble. I chose to have a page in bubble, with our basic header and an animated spinner, but no other content. The user gets this page and for a couple seconds, sees that something is being processed. What the page is doing in the background, is extracting information that was sent back from the vendor–usually this is a query parameter named "code’. You take that code and make a post back to the vendor in order to get an access token. Store that access token in your db, and redirect the user to whatever bubble page makes sense.
–You now have an access token that is added to every api call by adding a Header named “Authorization” and its value is "Bearer " plus the access token. These calls are setup in the API connector with formats specific to the vendor.

Anyhow, that’s the routine, and after you figure out the first one, you’ll be able to replicate with ease. It is completely bifurcated from bubble user credential login, so you have full control and can act on the users behalf as designed.

–Ken

stevenrichardlevy · March 18, 2018, 5:09am

Oh wow - thanks for such a detailed and helpful response - I will be trying this out now!

Would you say there are any particular security risks with this method?

mebeingken · March 18, 2018, 2:55pm

I don’t see any security issue with this, but would love for somebody more adept in that area to chime in!

Seems to me, that as long as you store the access token’s in the bubble db, and the bubble db has adequate privacy settings applied, and you always use secure protocols like https when using the tokens, all should be good. The code you receive is usually one and done, so while that is clearly exposed, it has limited use, and that’s why I throw an interim page in catching that, so it disappears after the user is redirected and the code has been exchanged for a token. It also has to be combined with other protected data in order to work.

–Ken

stevenrichardlevy · March 18, 2018, 3:22pm

Cool - thanks for that.

The data I am pulling is reasonably sensitive, so I wanted to double-check. I read a few pieces online that suggested if you were going to store the access token it should at least be encrypted and the database secured.

Regardless, for my purposes, I am just hacking something together to so I think your method is perfectly fine.

Thanks again!

vargasjcamilo · July 5, 2018, 3:34pm

Hi @mebeingken. I’d really appreciate your help here… I’m able to get the “code” from Github but when I use it in the POST call to get the token it returns the error “the code passed is incorrect or expired”. Here are pics of my API call settings:

If I uncheck the ‘Token is retuned as querystring’ in the API settings I get a popup error message in bubble that actually shows the token but I have no idea how to get it as text so I can store it in the database.

How can get it in text format? Thanks in advance =)

Juan

mick.bourgois · March 2, 2022, 2:01pm

Hi @mebeingken !
Can you explain how you do that please?
I have the “code” but I don’t know how make a post back to the vendor (it’s with the api call of endpoint token?)