I’m all about that passwordless UX: Passwordless authentication - #7 by blueback09
When I started working with APIs I realized that Bubble also expects a username & password combination for the login action in an API workflow. However, this was pretty easy to work around.
First, you need to create an API key for each user.
This is a group with a button and an HTML element.
The HTML element has some clever JavaScript that I stole from someone else on here:
```
<input type="text" id="APIkey" size="10" value="Current User's my_API_key">
copy API key
```
Add a workflow to the “new API key” button. Tell it to “Make changes to user”, select “current user”, then stick a random string into the field where you store that user’s current API key (oh, make sure there’s a field to put the user’s API key).
Make sure you put this API-key-generating-group into a place the user can only get to when they’re logged in. Then the user can just get an API key when they need one, and even change it if they want. This API key is basically going to be their “password” when they try to authenticate through the API.
Okay, so now you need at least one API workflow that can be run without authentication. That will be the workflow that authenticates users so that they can then run any other workflow with authentication. The log in process works the same in the API as it does for the rest of Bubble and we’re going to “hack” around it in almost the same way.
1. The user will POST to the API endpoint, providing their email address (already registered in the app) and their API key (already copied after they logged in and got it). We’re going to run our own little check on those two pieces of information to run a search for users to see if any of them have that email and that API key. If someone matches we’ll record that they used their API key to log in.
2. Next we’ll assign a temporary password to the user who was turned up in step 1.
3. And finally we’ll log in the user who was turned up in step 1, using the email from the POST and the password from step 2.
When this runs successfully it will return a little JSON that will have a “user_id” parameter (the unique id of the user who was just logged in) and a “token” parameter.
What you want to do is put this into the header for your subsequent POSTs to API endpoints that can only be run with authentication. Replace ### with the token you were just given.
```
Content-Type: application/json
Authorization: Bearer ###
```
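The exchange described in the post (email plus API key in, `user_id` and `token` out, then a Bearer header), modelled in Python as an added example that is not part of the original post and is not Bubble's own code. The in-memory `USERS` and `SESSIONS` tables and all function names are hypothetical; it also assumes the key is stored only as a hash and compared in constant time, which differs from the post's field holding the key itself.

```python
import hashlib
import hmac
import secrets

USERS = {}     # email -> {"user_id", "key_hash"}; constructed stand-in for the app's user table
SESSIONS = {}  # token -> user_id; stand-in for the platform's session store


def _digest(api_key: str) -> bytes:
    return hashlib.sha256(api_key.encode()).digest()


def new_api_key(email: str) -> str:
    """The "new API key" button: issue a random key, replacing any previous one."""
    api_key = secrets.token_urlsafe(32)   # CSPRNG output, not a guessable string
    user = USERS.setdefault(email, {"user_id": secrets.token_hex(8)})
    user["key_hash"] = _digest(api_key)   # assumption: keep a hash, show the key once
    return api_key


def login(email: str, api_key: str):
    """The one workflow that runs without authentication."""
    user = USERS.get(email)
    # Unknown emails are compared against a dummy digest so both paths do the same work.
    expected = user["key_hash"] if user else _digest("")
    key_matches = hmac.compare_digest(expected, _digest(api_key))
    if not (user and key_matches):
        return None                       # same answer for bad email and bad key
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user["user_id"]
    return {"user_id": user["user_id"], "token": token}


def auth_headers(token: str) -> dict:
    """Headers for the follow-up POSTs to authenticated endpoints."""
    return {"Content-Type": "application/json", "Authorization": f"Bearer {token}"}


def authenticated_user(headers: dict):
    """What an authenticated endpoint does with the Authorization header."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return SESSIONS.get(token) if scheme == "Bearer" else None
```

Because the API key stands in for a password here, regenerating it makes the old key stop working at the next login.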