Are dynamic fields in workflows secure?

Hi,

Are data used in workflows (such as with a “Do search for”) public, or are they safe?

For the reason I discussed in another forum thread (API connector OAuth2 different dev and prod env), I needed to manually handle the authorisation of external API calls. However, I do this by saving the API token (sensitive data) in the database and retrieving it with a “Do search for” in the workflow. Can a malicious user have access to this information?

I’m not sure that I could use a privacy rule, because the workflow has to be able to get this data. Maybe, if it is not safe as is, I should move those actions to an API Workflow and set “Ignore privacy rules”.

Hi @vicente1 :wave:
Unless privacy rules are set up properly, your “MangopayAuthTokens” is not secured…

Hi @vicente1
This is how I set up my Mangopay authentication.
It covers both Dev & Live environments.

This is with simple authentication, but I would very much prefer to use the OAuth2 method. Bubble has native support for OAuth2, but, as I said in my other thread, it does not allow for different dev and prod keys.

This does not allow for different parameters for dev and prod, but it turns out I also had a security problem in my approach.

So I’ve been managing the OAuth2 tokens manually.

Yeah, that’s what I thought.

The problem is that with my approach I cannot make this object really private, because I need to get its value.

But, as this “Do search for” is actually independent of the User or anything else, I can move it to a backend workflow. So, I think (not really sure) that the most secure way would be to pass this to a backend workflow so I can just pass the other data as parameters and safely access “MangopayAuthTokens” in the backend.

Of course, that raises another problem :upside_down_face:

I need to get the data back from this event and there’s no simple way to do this. (See Return Data from API - Can i capture the data natively in front end workflows?)

I don’t really know what is the best way here.

Or I use simple authentication, where Bubble supports different dev and prod keys (so I don’t have to manage them manually).

Or I make this call in the backend and return the data in some way (It’ll be slower and maybe use more database).
