Forum Academy Marketplace Showcase Pricing Features

Dynamic fields in workflows are secure?

Need help
#1

Hi,

Are data used in workflows (such as with a “Do search for” ) public or are they safe ?

For the reason I discussed in another forum thread (API connector OAuth2 different dev and prod env) I needed to manually handle the authorisation of external API calls. However I do this by saving the API token (a sensible data) in the database and retreiving it with a “Do search for” in the workflow. Can an malicious user have acces to this information ?

image

I’m not sure that I could use a privacy rule, because the workflow has to be able to get this data. Maybe, if it is not safe as is, I should move those actions to an API Workflow and set “Ignore privacy rules”.

The Ultimate Guide to Bubble Security is out - 300 pages of privacy and security content
#2

Hi @vicente1 :wave:
Unless privacy rules are setup properly your “MangopayAuthTokens” is not secured…

#3

Hi @vicente1
This is how i setup my Mangopay Authentication.
Which covers both Dev & Live environment.

Screenshot 2022-08-26 at 16.40.51
Screenshot 2022-08-26 at 16.40.51956×842 60.8 KB

#4

This is with a simple authentication, but I would very much prefer to use OAuth2 method. Bubble has a native support for OAuth2, but, as I said in my other thread, it does not allow for different dev and prod keys.

image
image962×512 19.9 KB

This does not allow for different parametres for dev and prod, but it turns out I also had a security problem in my appoach

So I’ve been managing the OAuth2 tokens manually.

1 Like
#5

Yeah, that’s what I thought.

The problem is that with my approach I cannot make this object really private cause I need to get it’s value.

But, as this “Do search for” is actually independent of the User or anything else, I can move it to a backend workflow. So, I think (not really sure) that the most secure way would be to pass this this to a backend workflow so I can just pass the other data as parameters and safely access MangopayAuthTokens” in the backend.

Of course, that raises another problem :upside_down_face:

I need to get the data back from this event and there’s no simple way to do this. (See Return Data from API - Can i capture the data natively in front end workflows?)

I don’t really know what is the best way here.

Or I use simple authentication, where bubbles support different dev and prod keys (so I don’t have to manage manually).

Or I make this call in the backend and return the data in some way (It’ll be slower and maybe use more database).

#6

This topic was automatically closed after 70 days. New replies are no longer allowed.