I am politely asking for some help on app security, as a beginner.
The summarized question is:
How to remove the ability for a logged-in user to run an API call from their browser and view certain database fields relating to them, yet allow the app to still search these fields and display it in the app when the user is logged in.
Background:
I am still in a pre-launch stage of my app. I recently read the source code a bit more and saw a line:
If a user were so inclined, they could add ‘User’ at the end of the URL, and then have the ability to view every User database entry relating to their account.
I’ve tried to solve this on my own and been unsuccessful due to the following:
I can’t disable ‘Enable workflow API and backend workflows’ because the app has several backend workflows that run throughout the day when the user isn’t logged in.
I’ve looked into modifying the privacy settings, but removing the ability to view a database field for a logged in user means it not only is eliminated from the API URL response, but also cannot be viewed while they are logged into the app (when a database search is conducted for that specific user, as a dynamic text field).
I need a way for the app to do a database search for a field owned by this user while they are logged in (for dynamic text fields) but prevent them from running the API call themselves from a browser.
Please excuse my very beginner security question. I very much appreciate anyone taking the time to help me with this.
Wouldn’t privacy rules still apply? So the user can find in search the records he’s allowed to see but you can still limit fields he can view in the privacy rules. Therefore, even if this is doable, the only fields the user can see are what he would see in the app anyway (just unformatted)?
Yes, the data visible in the URL is effectively unstructured data visible in the app. But it doesn’t seem to be the standard of web apps to display all data visible on an app webpage as an API call with the URL to that API call visible in the source code of the webpage.
Further, users that see this unstructured data by easily finding the API call URL in the source code might (reasonably) get the impression that the link could be viewed by anyone – namely, those not logged in to their account.
When I say it doesn’t seem to be the standard to allow an unstructured view of your account data, take QuickBooks Online as an example (…or any major accounting, project management, CRM, etc).
In the case of QuickBooks, if a QuickBooks Online business user were viewing their Invoices page, there isn’t a link in the source code that would allow them to view the same data in an unstructured format as an API call.
In other words, the specific Invoices list (invoice no., customer name, etc.) is displayed solely on the webpage, and can’t be viewed as raw data by clicking a link in the source that executes an API call.
My question is how to prevent the logged-in user from being able to view their data in an unstructured format as an API call, while still maintaining the ability to view this data inside the Bubble App.
As a follow-up question and request for clarification, I’m unsure why there can’t be separation between (a) enabling backend workflows and (b) exposing the API call data to the user.
In other words, why does allowing processes to run in the background within Bubble automatically grant users the ability to run those same API calls when logged in via their browser?
I’d appreciate anyone’s help in trying to navigate this. Thank you in advance.
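The following is an added example, not code from Bubble or from either poster, modelling the point made in the reply above: when a per-record, per-field privacy rule is evaluated on the server for every read, a user typing the object URL into their browser gets exactly the fields the app's own dynamic text could show them, and nothing more. It contrasts that with the pattern the question worries about, where the full row leaves the server and only the page template narrows it down. The table contents, the field names (`internal_risk_score`, `billing_ref`), the rule body and the function names are all constructed for illustration and are not Bubble's implementation.

```python
"""Toy model of field-level privacy rules versus template-only filtering.
Added example, not Bubble's own code; all data and names are constructed."""

from typing import Optional

# Constructed sample "User" table. The last two fields are the sort of
# thing a user should not see even about their own row.
USER_TABLE = {
    "u1": {"id": "u1", "email": "alice@example.com", "plan": "pro",
           "internal_risk_score": 0.12, "billing_ref": "cus_A"},
    "u2": {"id": "u2", "email": "bob@example.com", "plan": "free",
           "internal_risk_score": 0.91, "billing_ref": "cus_B"},
}

# Fields a user may view on their own record (hypothetical rule contents).
USER_VISIBLE_FIELDS = frozenset({"id", "email", "plan"})


# --- Pattern 1: only the page template narrows the data (the concern raised) ---
def unsafe_api_get(requester_id: Optional[str], record_id: str) -> Optional[dict]:
    """Ownership is checked, but every field of the row leaves the server."""
    row = USER_TABLE.get(record_id)
    if row is None or requester_id != row["id"]:
        return None
    return dict(row)


def unsafe_page_render(requester_id: Optional[str]) -> Optional[str]:
    """The template displays one field; the API call behind it returned all."""
    row = unsafe_api_get(requester_id, requester_id) if requester_id else None
    return row["plan"] if row else None


# --- Pattern 2: a privacy rule evaluated on the server for every read ---
def privacy_rule(requester_id: Optional[str], row: dict) -> frozenset:
    """Fields of `row` that `requester_id` may see; empty = not findable."""
    if requester_id is not None and requester_id == row["id"]:
        return USER_VISIBLE_FIELDS
    return frozenset()


def redact(requester_id: Optional[str], row: dict) -> Optional[dict]:
    """Single choke point: drop the row, or keep only permitted fields."""
    allowed = privacy_rule(requester_id, row)
    if not allowed:
        return None
    return {k: v for k, v in row.items() if k in allowed}


def api_get(requester_id: Optional[str], record_id: Optional[str]) -> Optional[dict]:
    """What typing the object URL into the browser returns: goes through redact()."""
    row = USER_TABLE.get(record_id) if record_id else None
    return redact(requester_id, row) if row else None


def api_list(requester_id: Optional[str]) -> list:
    """Listing the whole type: only findable rows, only permitted fields."""
    rows = (redact(requester_id, row) for row in USER_TABLE.values())
    return [r for r in rows if r is not None]


def page_render(requester_id: Optional[str]) -> Optional[str]:
    """The in-app dynamic text element reads the same redacted row."""
    row = api_get(requester_id, requester_id)
    return row["plan"] if row else None


def api_exposes_more_than_page(requester_id: str) -> set:
    """Field names the template-only pattern leaks that the rule-based one does not."""
    unsafe = unsafe_api_get(requester_id, requester_id) or {}
    safe = api_get(requester_id, requester_id) or {}
    return set(unsafe) - set(safe)


if __name__ == "__main__":
    for uid in ("u1", "u2"):
        print(uid, "page shows:", page_render(uid), "| api returns:", api_get(uid, uid))
        print(uid, "extra fields leaked by template-only filtering:",
              sorted(api_exposes_more_than_page(uid)))
    print("anonymous list:", api_list(None))
```

The check worth keeping from this is the last function: whatever the platform, compare the JSON a logged-in user can fetch directly against what the rendered page shows them for the same record, and treat any extra field as a privacy-rule gap rather than a UI problem. The browser is the user's machine, so any field the page can display is already obtainable by that user; the only controls that hold are the ones evaluated server-side on every read.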