Critical API Workflow Bug- Not Passing Tokens Fetched

Yes, privacy rules are set up correctly and this is all at the user level thankfully. I will ask support but appreciate the comment and thoughts. Thanks

Don’t forget to clear any test data used in API connector that are not private. Anyone else could see theses values (but not if they are set to private). From what I remember, Flusk should give a warning about that too.

Did you mark the token as private but need it to not be private because you are passing it in the workflow?

Yes, i thought best security practice was to set any token in an api call to private based on what the flusk folks had been telling me since last year. The actual token is being passed via a current user value and those privacy rules are in place. The token is passed in the workflow as above.

But you can’t pass a dynamic token if it is marked as private. Is the token dynamic or static, just one token that doesn’t change?

Doesn’t look like a token is being passed in the workflow. It looks like the condition didn’t work. It looks like your search for premier profiles is coming up empty? Is that what you are seeing as the issue?

No, the token was not being passed when the api connector was set to private, unchecking that solves it.

Cool. Glad that helped. Just make sure to not have the api token still in the API connector. Only pass it in the workflow.

You should at least mark at the post by @Jici as a solution instead of marking your own post.

Same issue, I had workflows working fine with token in private. Now they are broken, and if I uncheck private it works.
So Bubble did change something !

I don’t think. If this was working, this is because you set a token in API connector that was working until now. In fact, if this was working before, this was an issue! You cannot pass dynamic data into a private parameters…

Sorry to say guys - We have the same issue here. All our workflows broke on 12/10 - We had spent hours troubleshooting and wasn’t informed at all.

Bubble did change something, at least how API Connector’s private value is handled with dynamic content. Ours worked with no problems for 2 years ( and we also manage to do this recently from time to time ) - and it just broke 2 days ago.

Although that was what we thought bubble intend for us to be able to do, since it was working fine , the idea is being able to set dynamic content and be able to “private” the value ( which was pretty useful tbh ) while Flusk also recommends keeping our URL endpoints private.

@fede.bubble can you investigate on that?

You should all submit bug reports at Contact | Bubble

I’m a bit confused - you can’t have private content with dynamic values. Do you mean that when you made the API calls, you added the dynamic content in the action, and then made it private?

Maybe it was a bug that was actually fixed? You can’t have a dynamic field also be private. Once you mark it as private, it should no longer be visible in the workflow. Maybe a glitch allowed it to work before but was actually a security flaw.

Yeah, it reads to me as follows:

1. These users set up an API call with dynamic data
2. They later made that parameter private
3. Because of how Bubble’s app JSON logic works, the non-private data the user provided in a dynamic expression would be invisible in the editor but still technically being passed to the API call (there’s lots of places in the editor stuff like this can happen).
4. The expected behaviour then should’ve been that the private value gets passed, not the dynamic value.
5. 4. must’ve been patched recently which is causing these users to experience issues

And all of this, because the warning that users get in Flusk…. Flusk need to explain more about when and how to use private key (or not)

The change clearly affected more than one user now, I notified support and they said they made no changes but I find that hard to believe. The fix is setting the token to not private and clearing the parameter value in the API connector but this needs to be done across multiple API calls depending on your setup so it can be a pain.

Update from Bubble Support: Our team investigated this further, and was able to determine that a recent change to API Connector functionality was unintentionally deployed that caused the behavior you reported. Prior to this deployment, if an API call’s parameter was marked as not Private, and a dynamic expression was used to set the value of this parameter in a workflow action, the API call would continue to reference this dynamic expression even after marking the parameter as Private – despite the dynamic expression becoming hidden in the editor.

While the change to eliminate this behavior aligns with our team’s intent moving forward, we understand that this change was disruptive in certain cases which relied on this behavior, such as yours. Our team has since reverted this change, and plans on rolling out this change in a less disruptive manner in the future to avoid breaking any existing functionality. In the meantime, you can safely resume using any API calls that relied on the prior behavior.

We greatly appreciate your understanding here, and for submitting this bug report to the team. Please let me know if you have any further questions at this point and I’ll gladly assist however possible!

My Thoughts: Great that they investigated and acknowledged. Not great that they continue to push things to production without an adequate understanding of how this works across their existing systems. The past couple of months have seen some nasty side effects of pushes and this doesn’t give me a ton of confidence that they have cleaned up their internal processes around that side of things.