Get text result from BW - API Call to front without DB 🤷🏻‍♂️

bestbubbledev · January 29, 2023, 6:17am

Guys I’m building a pitch generator. Using OpenAI, Davinci. For a free plan I trigger API call on a client-side, store result (text) in a custom state & have text element referring to this custom state.

Everything works just fine.

Now I’m about to push the app to paid plan and I need to move the API call to backend workflows. I can’t figure out how to return the text back to the same page…

After step 1 of initiating a call in Step 2 I’m using “Return Data from API”. But can’t process what should be the next move… Or how can I trigger a call on the front-end to get this data into a Custom State.
I’m trying to avoid storing results into the DB… wanna avoid additional delete workflows.

jared.gibb · January 29, 2023, 8:51am

You can call the backend wf via the api connector and return a result

bestbubbledev · January 29, 2023, 9:18am

What if the initial API is not done retrieving data from OpenAI? Oh hold on:

I could trigger the main API call.
At the same time trigger another API call from my own app to get the API results and store inside Custom State. Until custom state is empty I should keep triggering the second API.

Oh this is brilliant. HOWEVER:

The only reason I’m moving the initial API server-side is the security. I don’t want to expose OpenAI Keys on the client-side. Based on the structure I explained above, I’ll be exposing my app’s API Endpoint. I don’t feel comfortable doing this. @jared.gibb would you have any suggestions in this regard?

tylerboodman · January 29, 2023, 9:21am

If your api fields are set to private then the client doesn’t see them even when calling the API from the client

Even whend doing a call from the front end the server is still the middle man making the actual call and delivering the result to the front end

jared.gibb · January 29, 2023, 9:21am

What @tylerboodman said. Mark the field private and the connection occurs on the server and the result is sent to the client. No exposed api keys.

bestbubbledev · January 29, 2023, 9:38am

@tylerboodman @jared.gibb Obviously fields are marked Private. I thought it was enough but somebody said those still get exposed in inspect element. I was just checking but I’m not sure…

Any reference about this in Bubble Manual?

tylerboodman · January 29, 2023, 9:39am

No the client doesn’t get any private fields, that would collapse Bubble as we know it

tylerboodman · January 29, 2023, 9:45am

This is in their API Connector docs:

An API call’s URL is never sent to the user’s browser. Call headers and parameters are only sent to the user’s browser if you mark them as ‘client safe.’

Client safe meaning Private un checked

Another quote:

Note that even though by default, API calls are made from the server, a description of the call is sent to the browser and are thus visible to a savvy user. This means that any sensitive parts of the call, especially secrets / tokens, should be in fields marked “Private”.

bestbubbledev · January 29, 2023, 10:19am

What about the body?!

Right now I have a template prompt that I send to OpenAI. Some part of the prompt are dynamic, user fields. But most of the prompt it static.

I don’t want to expose my prompt to anybody, even users. I guess I’m safe right?

tylerboodman · January 29, 2023, 3:38pm

If the parameters in your body are also set to private then they don’t see it.