Hi,
part of our service is to download encrypted, confidential documents from an external system via REST API. Currently it works perfectly with the API Connector.
The main problem is this: “The file option does save to s3, returning a link to the uploaded file.”. So now every downloaded, confidential document is there in the S3 cloud, at an URL that is accessible to everyone.
How can we work around this security vulnerability?
Any help will be much appreciated. Thank you!
I’m not very clear about this. I hope someone else can solve this problem for you.
If you wanted an authentication layer over the top, then you would need to store those files some place else and reference them from within the app. i.e. you could secure them to your own AWS S3 bucket and set your own security settings.
However, the files on Bubble are more secure than you may expect. But of course you’ll need to decide what’s right for your use case, this is just my friendly advice from being a Bubbler for a while now, but also previously spending a lot of time working with AWS S3 - which is the service Bubble uses to store these files.
For example, when you upload a file to Bubble it’ll get stored in a Bubble S3 bucket and the URL will look something like this…
https://s3.amazonaws.com/appforest_uf/f1649118401923x579247943953079800/filename.xls
The 1649118401923x579247943953079800 is referring to an S3 bucket (or folder) and these are randomly assigned when a file is uploaded. So your files are spread across different buckets and there is no way to access the bucket itself unless you are Bubble.
So for someone to access your file they would not only need to know the exact filename, but also what bucket it is located in, and of course there is no linkage of bucket back to your app.
It’s quite honestly like finding a needle in a very, very large haystack if people were to just by chance discover those links. Like quite literally virtually impossible
The part where you may (or may not) have a problem is if people should have access to that file today, and then tomorrow you want to cut their access. Well, if they still have that link, even if you lock them out of your app they’ll still be able to access that file. It also doesn’t stop them sharing that link with people that shouldn’t have access. But of course this may not be an issue for your use case or it could be massive problem. But if they have access to your app and then by default have access to the file - they can always download it anyway and do what they like with it 
Josh @ Support Dept
Helping no-code founders get unstuck fast 
save hours, & ship faster with an expert 
on-demand
