Backend workflow run without authentication

Hi, can someone explain to me in layman terms what ‘This workflow can be run without authentication’ means please?

If a backend workflow is not linked to an external API, can I have this unchecked?

Does it affect backend workflows from running if the person triggering it isn’t a user?

Thanks in advance


Oops, I replied with the wrong part of the manual :sweat_smile:

Basically, even if the workflow is not a public API, it can still be triggered from your app, where users can be authenticated or not.

Thanks @dorilama. So to understand correctly, if I untick any of these boxes that are ticked in my app, and the non-user triggers an action, the workflow will still run (assuming ignoring privacy rules is checked)?

No, they are not the same and have 2 different uses.

Expose API → if enabled, you can make a request to a URL like https://appname.bubbleapps.io/api/1.1/wf/workflow_name; the request can be made by an authenticated user or not. If disabled, there will be no URL to make a request to, but it can be triggered by using the scheduling action in a workflow.

Run without authentication → if enabled, you can trigger the workflow even if you are not authenticated. If disabled, only authenticated users can run the workflow. Anyway, it doesn't matter whether you trigger it from outside the app as an API endpoint or from inside the Bubble app with the action.

1 Like

Question: I don't have users log in, and I'm thinking about how to add a private backend workflow search into a workflow that runs after a successful Stripe checkout.

Is it secure for me to have a button click workflow that calls a backend workflow search for the first result of a list of codes (they need to be pregenerated because they are custom physical gift cards) and sends one back to the user after a successful Stripe checkout? Or would it be possible for someone to run my non-publicly exposed API without authentication outside of my workflow and see codes without a successful Stripe checkout?

Since you don’t have users log in, “This workflow can be run without authentication” would have to be checked if you want to make the request client-side.

A better option (I’m assuming based on your provided details) would be to create a backend workflow that listens to a Stripe Webhook.

The question would be, how do you show this to your specific logged out user. There are solutions but it would be best for you to provide more details about your user flow before I make suggestions.

1 Like

Thanks for the reply. Yeah, I can definitely add a Stripe webhook to this. That's an easy solution here, because I'm immediately sending an automated email with the code and other information. I'm still curious though; I don't fully understand the difference between a publicly exposed API.

Is a non-exposed API workflow that does not require authentication and ignores privacy rules inherently a vulnerability? I assume it is, but I don’t really understand this. Is there a way for someone to run it outside of the logic defined in my app? Or is there some level of obfuscation that makes this not likely?

Yes! There are a ton of posts on this topic such as Stripe Webhook in Bubble - big vulnerability to all apps that use them

1 Like

Stripe webhooks in Bubble are a vulnerability only if you trust the data received. If you check the request IP to be in the range of what Stripe uses and then make an API request to get the data, it is secure.
You basically use it only as a trigger instead of trusting the data. It is this way because Bubble does not give the raw unchanged request in the workflow and we can't verify the Stripe signature.

2 Likes
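The trigger-only pattern described in the last post, as an added Python example that is not the poster's code and not part of Bubble or Stripe: the request's source IP is checked against an allowlist (placeholder TEST-NET ranges stand in for the list Stripe publishes), only the event id is taken from the posted body, and the event is re-fetched through an injected `fetch_event` (faked here with an in-memory table), so forged fields in the body never reach the business logic.

```python
import ipaddress
import json
from typing import Callable, Dict, Optional

# Constructed placeholder ranges (TEST-NET blocks); a real deployment would load the
# webhook source IP list that Stripe publishes in its documentation.
STRIPE_WEBHOOK_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]

def source_ip_allowed(ip: str, cidrs=STRIPE_WEBHOOK_CIDRS) -> bool:
    """True if the request's source IP falls inside one of the allowed ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def event_id_from_payload(body: str) -> Optional[str]:
    """Take only the event id from the posted body; every other field is untrusted."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    event_id = data.get("id") if isinstance(data, dict) else None
    return event_id if isinstance(event_id, str) and event_id.startswith("evt_") else None

def handle_webhook(source_ip: str, body: str,
                   fetch_event: Callable[[str], Optional[Dict]]) -> Optional[Dict]:
    """Trigger-only handling: gate on source IP, then re-fetch the event from Stripe's
    API through fetch_event and act on that copy, never on the posted body."""
    if not source_ip_allowed(source_ip):
        return None
    event_id = event_id_from_payload(body)
    if event_id is None:
        return None
    return fetch_event(event_id)

# Constructed stand-in for a GET /v1/events/{id} lookup; a real handler would call
# the Stripe API (for example through the official SDK) with the account's secret key.
FAKE_STRIPE_EVENTS = {
    "evt_123": {"id": "evt_123", "type": "checkout.session.completed",
                "data": {"object": {"payment_status": "paid"}}},
}

def fake_fetch_event(event_id: str) -> Optional[Dict]:
    return FAKE_STRIPE_EVENTS.get(event_id)

# Constructed forged body: claims a paid checkout for an event Stripe has never issued.
FORGED_BODY = json.dumps({"id": "evt_999", "type": "checkout.session.completed",
                          "data": {"object": {"payment_status": "paid"}}})
```

Because the handler only ever acts on what the API returns, a forged body from an unknown address is dropped at the IP check, and one from an allowed address is dropped when Stripe does not know the event id.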