Bubble API to authenticate a user

Hi Team

I am building a native mobile app that will leverage Bubble as the server. I require users to authenticate via an API and then manage user permissions based on Privacy rules (which I can do successfully).

I have two key “concerns” about this recommended implementation:

  1. It seems inappropriate to use an unrestricted API Token (which effectively has full access to my app) to enable the user login? [UPDATE: I realise you can run login workflow without authentication]. I do still wonder how to have more granular API Tokens.
  2. It requires me to pass username and password into the API in order to run “login user” as an API workflow. Surely this is very insecure?

Please advise if I am missing something.

Login API: [image]

“Log the user in” workflow: [image]

Thank you

Have you seen the Bubble Docs about it? If you follow their directions, you should be good. If you have questions about the security of how they do things, you can send them a message at support@bubble.io if you want to double check. As long as you have Privacy rules set up properly, then you should be ok. You can always double check how secure your app is using Flusk too. I use it and recommend it for my clients to make sure my apps are secure.

Hope that helps a bit.


You are on the right track with the login endpoint, check this post out: Build a Rest API - #5 by chris.williamson1996

As a bonus if you want to log the user out after a custom duration (before 1 year) you can schedule the log out workflow for another date right after logging in.
