GOTCHA: Unsecured Public Endpoints Cannot Call External Endpoints


It took me the better part of a day to figure out this subtle security gotcha: Unsecured public Bubble workflows cannot call the REST APIs of external services. I came across this while trying to debug a small server-side action; whose only job was to fetch the status of a message from SendGrid, after receiving an event notification from SendGrid. Seems like it should work, right? Nope.


I wouldn’t even call the solution a workaround or hack, as it is actually closer to security best practices. The overall concept is to create a database type that acts as a demilitarized zone for data landed from unsecured public Bubble workflows:

  1. Design a database type that stores the, unsafe, un-sanitized, and un-validated, data from the request to the unsecured public Bubble workflow.
  2. In the unsecured public workflow do only one thing, create a new record of the type from the last step.
  3. Design a workflow that accepts a record of the type from the first step and then calls the external service to carry out the validation checks, retrieve data, etc… If the record cannot be validated, have it delete itself or flag itself as suspicous.
  4. Design a database trigger on the type from the first step that occurs when a new record has been created. This trigger calls the workflow you built in the third step.
1 Like

I don’t understand, how would the Sendgrid API know that the fetch came from a SS action inside a Bubble workflow?
Or is it Bubble itself that blocks all outgoing calls from Lambda functions that were triggered by unsecured workflows?
Or something else? I’m confused :yum:

1 Like

Oh sorry should have made it clearer. Bubble itself is preventing the execution of the NodeJS fetch in the server-side action. But, not when the server-side action is called from the app front-end. Absolutely bizarre.

1 Like

Is this something in the new API? I will have to test that. I never ran into that before, hopefully they didn’t introduce this “security” feature without saying anything :confused:

1 Like

I’m wondering if it is specific to Bubble intercepting calls in the SendGrid NodeJS SDK.