I’m struggling to find a way to encrypt & decrypt sensitive API data for use in API calls.
Scenario description: I’m setting up API calls to integrate different services using the API Connector plugin with the “none/self-handled” method, setting the client_id/secret as private values and then storing tokens/refresh tokens for each user (with privacy rules applied).
My main concern is the possibility of a hacker / malicious user logging in to the editor and having both the user tokens (in the DB) and the API’s ID & secret (in the API Connector) as strings; they could gather the information. So I would need to encrypt either: a) the users’ tokens, b) the client ID/secret, or c) both.
I found some possible approaches, but each has weak points:
- Encrypting and decrypting the data client-side using a plugin: the encryption key is visible in the editor, so if a user logs in, they can get the data decrypted.
- Using Bubble’s server-side functions/plugin to encrypt/decrypt data (using Node’s crypto, for example): same as the previous step; if a user manages to log in, he can go to the custom plugin and get the encryption key to decode the string.
- Using an external microservice (for example AWS Lambda or Google Secret Manager): seems to be the best approach; I prefer the GCloud ecosystem.
The main problem I’m finding with this approach is that a malicious user could still request the data if they manage to see the request to these services.
- Problem scenario: the app requests a key from a microservice through a server-side function; wouldn’t a user with editor access be able to get into the API request (like step 2) and get the access data for that call? (Google’s Cloud Functions/Secrets work with service accounts.)
- Is there any way to store “secret/hashed” values in Bubble’s database/plugin builder? (There is already a request for this in the forum.)
- Is encrypting/decrypting the API secret dynamically an option? > If the client secret is dynamic (changed on each request) it wouldn’t be private in the API Connector, so it could be seen as a request header pretty easily.
If you’ve reached this point, thank you for your patience!