Considerations in implementing mobile OTP and password authentication without a mail id in Bubble.io

Hi All,

I am looking to get your weigh in on ways to implement this following scenario from security perspective and get insights on core Bubble behavior.

This is a long post with some complicated question, i thank you for your patience and hope to get a better understand of Bubble’s inner working from this exercise. And hopefully 1 day, Bubble will just implement this natively and I will look back fondly at the past.

Requirement:

Its a B2B app, so all user accounts are created by admin using “create a account for someone else” using their phone number as key identifier, and using a combination of “phonenumber-accountid@domain.com” as their mail id. (This looks to be a common suggestion to sign up a user in bubble since bubble absolutely needs a mail id to create a user)

The catch is that we obviously dont want any mail id to be involved, and we want the user to be able to setup their password and login with their mobile number and password. The OTP is just used for initial verification when they sign in for the first time and if they forget their password.

Some background:

There are 2 flows in Bubble which allow a user to set their own password.

  1. send a magic login link to their mail, they browse that, get logged in and then we run a update credentials action.

  2. We send them a reset password link, on their mail id, they click it and are allowed to reset their password.

Since there is no way to setup the Bubble’s internal password field without a user’s mail id, we have had to create a password field in the user datatype, to save the chosen password by them.

Following is the steps in which a user sets their password for the first time.

  1. Admin creates account on their behalf “phonenumber-accountid@domain.com

  2. Admin assigns them a temp password and save it in the temp table.

  3. User enters their mobile number in login screen, and verifies the number with OTP.

  4. User is redirected to a create password screen following OTP verification .

  5. We save the password created by user in User datatype, manually created password field.

  6. We log the user in using their “phonenumber-accountid@domain.com” + temp password (which we access through temp table, saved in step 2)

  7. We run a update credentials right after they login to a set combination of a random string (again saved in our database), so the temp password is overwritten.

Questions:

  1. My first question is, do you see any other way i could have implemented this, within the parameters of the requirement? (no mailid, we definitely need mobile+password login, only admin can create the said account on behalf of user)

  2. This is how it was initially implemented.

  3. All of the do a search for(mobile=)'s password = “entered password value” were implemented on workflows. I have implemented privacy rules, yet, while the user is in the process of logging in, i need to validate their otp (compare against the otp saved in my table), validate their password (against the password saved in user table), so i need to keep some fields open to view for logged out user.

  4. I eventually moved all these comparisons to backend workflow, and would update a isVerified field in the database if the 2 items matched. Then at front end , the further action would go north or south based on the isVerified value. The obvious flaw being that i have no way to wait for the action to happen successfully in the backend workflow before checking the flag in frontend. In implementation i didnt face any issues, but logically, it could happen if there is delay in response from bubble’s db.

My question is that is there another way that this could be implemented in?

Is there a obvious winner in these 2 strategies?

Most importantly, how does one know which actions are positively running on bubble server side and which ones might be leaking data to front end.

This topic was automatically closed after 70 days. New replies are no longer allowed.