App Connector Bug or Normal?

No matter WHAT condition I put on the App Connector, it runs regardless. It couldn’t care less what condition it is. If the debugger shows RED, it still runs. Only thing that stops it is by putting a condition on the button ITSELF before it triggers the workflow. Not even putting it into a custom event works.

Is this normal behaviour for the app connector? I’m half tempted to just use API connector instead, how ridiculous.

Also on another note… Why would anybody use front end workflows for creating things, making changes to things if front end isn’t secure and can be manipulated? If that’s true, surely EVERY thing should be backend unless it’s user specific like toggling their own settings.

You misunderstand how front-end workflows work.

Roughly speaking, any client-side values your front-end workflow requires (e.g. inputs, group data, custom states) are provided to the server at the start of the workflow. Everything else runs on the server, and then the results are returned to the client.

You can try drilling into the specific condition in the debugger to work out where the issue is.

2 Likes

So are you saying a condition on a Make a change to Thing (Do a search:count) cannot be manipulated? If so I really need to stop listening to Chat GPT as it tells me to do backend via App connector as the front-end workflow is not secure and can be manipulated.

If a user inputs their email into a newsletter signup and clicks ‘subscribe’, if you used a Create a new thing (subscriber) ONLY WHEN Do a search of subscribers (constraint: email = this input):count is 0, it’s not secure as somebody allegedly can change that to 0 to fill your DB with duplicates.

So apparently you’re supposed to use backend for that. So I have this:-



But the App connector does not respect Only when conditions @georgecollier. Is this normal behaviour for the app connector?

Just copied your message into Chat GPT, now it says you’re correct. It has spent the last 3 hours telling me front-end workflows can be manipulated by users. -.- Thanks @georgecollier.

ChatGPT tells you what you want to hear!

The search will run with whatever input the user has entered when they trigger the workflow.

Your issue is probably privacy rules. This search should, if your privacy rules are set up correctly, only ever be empty, because your privacy rules should restrict the email field such that it can’t be filtered on. If this field ever returns another subscriber (i.e. count > 0) then it means that subscriber’s email is leaking…

1 Like

So would I be correct in saying that any search on the front-end workflow that requires these types of constraints should be done on the backend @georgecollier (like my example above)?

You were correct, my subscriber’s emails were leaking. :person_facepalming: I’ll have to do some research into Privacy settings as I haven’t touched them at all yet.

Flusk

NQU Secure

Both security tools to help you out.

No. Any search that has to bypass privacy rules (because you only want to verify the existence of something rather than permit access to it entirely) should be done on the backend and called from the front-end.

1 Like

Thank you for that @georgecollier that’ll help a lot.

That’s exactly what I was struggling with. You’ve cleared that up perfectly thank you.

My last question for you that takes up hours of my time:

[Only when this subscriber does not exist, create a new subscriber, send the email etc]

Is there any way to avoid doing a [Do a search for subscribers > constraint: email = email]:first item is empty / count is 0 on EACH step in the workflow? In the front end you can do Step 1 : save as a custom state, and use that throughout.

How do I do one search at the start of a backend workflow and use it throughout? How do people do it? What’s the correct way?

Thanks @georgecollier :slight_smile:

Absolutely… Most answers from ChatGPT about Bubble are wrong

Never mind @georgecollier, I’ve grasped what you’ve said now. I’ve done an API purely to check if the email exists as a subscriber and called that from the front. Thanks for your time, you’re a star!

Tell me about it, I spend more time arguing back and forth. The amount of times it’s told me to do 6-10 nested only when conditions despite me telling it that’s not even a thing in native Bubble lol.

1 Like

If anybody else is trying to do the following:-

Check an email exists in a dataType without affecting privacy rules securely

I’ve added these screenshots to help.

Untick the “This workflow can be run without authentication” option; I didn’t in the screenshot, please ignore that.