I have a backend wf which I have exposed publicly and also checked that this wf does not require authentication. I am validating it by generating an HMAC of the raw body text using the secret from the provider and comparing it with the signature passed in the header. This condition is added in the backend wf itself.
When I exported my Bubble application I could see all the secrets which I am using to generate the HMAC for all the backend WFs.
Does this mean this secret can be exposed? Am I validating my backend WFs correctly or is there a better way to do this?
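The check described in the post, written out as an added example in Python (this is not Bubble's code or the poster's workflow; the secret, the sample body and the function names are constructed/assumed). It shows the two details that matter for such a check: the HMAC is computed over the raw request bytes exactly as received, and the header value is compared with a constant-time comparison.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample values; a real secret comes from the provider's settings.
SECRET = b"demo-webhook-secret"
BODY = b'{"event":"order.paid","id":42}'


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """Hex-encoded HMAC-SHA256 over the raw body bytes.

    Sign the bytes as received, not a re-serialised version of the parsed
    JSON: any change in whitespace or key order would change the digest.
    """
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes,
                     header_signature: Optional[str]) -> bool:
    """Return True only if the header carries the expected HMAC."""
    if not header_signature:
        # Missing header: reject rather than fall through to processing.
        return False
    expected = compute_signature(secret, raw_body)
    # compare_digest runs in constant time, so a byte-by-byte mismatch
    # does not leak how much of the signature was correct.
    return hmac.compare_digest(expected, header_signature.strip().lower())


if __name__ == "__main__":
    sig = compute_signature(SECRET, BODY)
    print("valid:", verify_signature(SECRET, BODY, sig))            # True
    print("tampered:", verify_signature(SECRET, BODY + b" ", sig))  # False
```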
Exporting your app exports all of the app’s logic so you can create a duplicate of it, including the secret stuff like API keys, which is expected behavior.
Only collaborators on your app can export your app. So, if these secret values are only existing in your backend workflows, they are not exposed.