Thatās precisely what I want to do. However, my experience is that API keys need to be saved in the database as plain text which means they are still viewable by me and anyone who gains unauthorized access to my editor or database. That doesnāt seem right
Also, and please correct me if I am wrong, there isnāt a way to actually add API keys stored in the Bubble db to an API call in a āsecretā or āprivateā wayā¦ meaning that these keys would have to be added in as parameters which, according to @mishav, can be seen by routers or other prying eyes:
So is it really okay to save other userās API keys in a bubble database? If so, then how do you do it so that the application creator canāt see them? And if thatās not possible, is the only other way to achieve this with storing OAuth2 session tokens?
Thanks in advance
Hi! Yeah, indeed would be cool to have a way to set secrets from users as environment variables, however thatās very tricky to do in a way that not even the app maker can see it due to how encryption works.
In short, at the very moment the user pastes the key in the browser you could grab it since you control the page.
So in the end you can have they key one way or the another and your users have to trust you.
Privacy through untrusted setup (which means your users do not trust you) like that can only be achieved by installed, open source and build verifiable apps. Unless thereās some innovation Iām unaware of.
It really depends on what type of key you are talking about.
If you are asking people to paste a key into your app, and then you are using that as a parameter on a URL ā¦ it had better be for something fairly safe.
However it looks like you are talking about Oauth2 which is a very different thing.
The keys are in the Header, not the URL.
And in this case you are usually given a time limited token, which can be refreshed. If you donāt have the right credentials ā¦ you canāt refresh. If the user revokes access - it canāt be refreshed.
So whilst you should be looking after the Token, they are, by design, limited in the damage they can do should they get into the wild.
Therefore, storing it in the database in text is probably no terrible thing. Particularly as you need other credentials as well.
The issue we have with Bubble is that we also have to store OUR creds in text.
I have asked several times that the āsecretā implemented in the Server Side Plugins should be available in the API connector.
The way I have got round this before is to use a third party to hold the tokens (in this case auth0) or use a small webtask to run the call. This means the credentials are not all in Bubble.
I see, so really the current āsecurestā way to integrate 3rd party services for multiple users via their API keys is to use Oauth2. Store the temporary token in plain text. Refresh it as they need it.
Assuming a bad actor obtains short lived access to my application
Zues forbid, if someone gained unauthorized control of my bubble application, then they could commandeer OAuth2 tokens saved in plain text. But, because the tokens need to be refreshed and are scoped to my application, a bad actor could at most use them only from my service. So they would have to not only have access, but for long enough to write custom code which would have to execute on my app in production. As a result, they would have to push an update, which would at least leave a trace. Assuming the breach is detected quickly and I still have access to my application, then I change my passwords / editor access permissions PLUS roll back the update. At this point, the breach has hopefully been fully contained. wait a minute thatās not true. Couldnāt someone potentially write malicious logic on the development version of my application. Then copy over OAuth2 tokens from the live database to development and execute their logic against those tokens? All without pushing anything into production?
Anyway, in general, if a bad actor locks me out of my bubble application, then Iām assuming I need to immediately notify Bubble of the breach for my application to be turned off / restarted from a pre-breach save point? Whatās the process look like (does Bubble do anything to confirm itās really me asking for a reset instead of a bad actor)?
Assuming a bad actor pushes an update that has done malicious things for a few hours or days
Correct me if I am wrongā¦ but the damage is done?.. if they took actions with OAuth2 tokens on my hypothetical customerās Plaid, Coinbase, insert other financial service, account, then thatās irreversible? Best I can do is remove the malicious workflows (plugins, whatever it may be)?
Standing back a bit
Am I crazy for asking these questions? Because Iām under the impression that these are table stakes considerations for building any SaaSā¦ not just one one bubble. When it comes to security, itās not a question of āIf a breachā will happen but āwhen a breach happensā and I want to be confident that my app is built in a way and I have protocol in place to limit those liabilities. ā¦ Please no one tell me that security should be an after thought one day when maybe my application has lots of users.
I think I see what youāre saying. I guess my concern isnāt about whether I can get my users to trust me. They trust me. And if it were that simple, it wouldnāt matter much that I have access to their Stripe accounts, Social Security Number, which ever sensitive thingā¦ because Iām a good guy and Iām not going to do anything dumb to loose their trust or ruin their lives.
No, my concern is how do I limit the damage that can result from someone not nice getting access to the sensitive things that my users have trusted me with.
ā¦ but it looks like the answer to that is OAuth2 tokens.
Ah I didnāt meant specifically you, shouldāve made it clear, ātrusted/untrusted setupā is a term from cryptography. Untrusted would be more or less the same of the ādouble blindā studies used in medicine out there. Not the actual trust between people.
Anyway, temporary tokens are good and as far as I know, Oauth refresh token isnāt (or shouldnāt be) exposed to the browser so it stays within Bubbleās servers. So thatās secure.
Depending on your use case, you may be able to get away with using Stripe Connect. But if you absolutely need individual userās Stripe API keys, then unfortunately I did not come up with a better solution than the one presented here Sorry!
We are working on a marketing automation platform that relies on Users being able to store api keys in Bubble.io along with a passcode so that we can ping their event system or CRM and move information back and forth. We also want to enable the User to send SMS/TXT to contacts or customers from the platform where we might connect to SendGrid and then they use DKIM, SPF, records via CNAME to allow us to send on behalf of their domain. Does not sound like Bubble is able to support that level of api connectivity, APIās that are used in the development of the application are simple enough, APIās that require USER ownership and inputs other than OAuth seems to be a different story.
Thatās, sadly, exactly right. And since bubble isnāt currently designed around this use case (in a single tenant app), API keys would have to be stored in the database as clear text (because there is no āprivateā database field that can be accessed as needed here).
yes - this requires PathFix to implement well and for users of the automation platform to know how to configure their tools instead of using one we provide. Kind of a problem. Still quite a bit of automation the platform can do but it is reliant on the Users other apps (MailChimp or SendGrid or SendinBlue) accounts to be fully functional.
Sorry!