How to run 'as current user' in AWS Lambda function?

I’m building a plugin that navigates to a page in the user’s Bubble app via a headless browser (which I’m running on AWS Lambda).

Access to the data in the underlying Bubble app will be managed via privacy rules.

Therefore, I want to effectively ‘run as the current user’ each time the headless browser is triggered and allow it to access the data that is appropriate for the user that triggered the action.

I was planning to:

  • Log the underlying users via an API Workflow and generate a Bearer token
  • Pass this token through to my AWS Lambda function via the plugin
  • Add a header with the Bearer token when making the request to navigate to the page in the underlying Bubble app

This is not working for me. The headless browser does not have access to data it should, even when I include the Bearer token in the header.

My questions:

  1. Is it possible to allow an AWS Lambda function to ‘run as an authenticated user’?
  2. If so, is the approach I outlined above the best way to do this, or is there a better alternative?

Any guidance would be much appreciated! :upside_down_face:

1 Like

Did you know you can authenticate users inside your API workflows? You can generate a token for a user every time they log in by sending over the username and password to your backend API workflow (this returns a token and an expiry date).

Once you have this token (you must save it in the user) you can authenticate server side workflows by checking the box “This workflow cannot be run without authentication” on the backend API workflow. This forces the workflow to only run if the Authorization: Bearer <YOUR TOKEN HERE> header exists. This lets you use “Current User” and its associated privacy rules.

Once you have this system in place, you can authenticate backend workflows which then can call whatever function you have on AWS (or elsewhere) by passing over that token which is required for these kinds of workflows.

Yes it’s kind of complicated, but it’s probably the only way :slight_smile:

2 Likes

It can work, but not with the way you’re trying to do it.

You need to create an API workflow that creates a temporary token that you store in your user’s database. You then give that token to the Lambda function.

1 Like

Thanks @jonah.deleseleuc and @senecadatabase! :slight_smile:

That is useful advice and, thankfully, not that different to the approach I was looking into.

I can get the token from the API Workflow, save it down to my database and pass it through to my Lambda function.

BUT, it’s the very last step I just can’t seem to figure out:

I’m using Puppeteer to navigate to the relevant page in the underlying Bubble app. I’m adding the token to the header of my request:

  // create a new page
  const page = await browser.newPage();

  // add in extra header with bearer token
  await page.setExtraHTTPHeaders({
    'Authorization': 'Bearer <TOKEN>',
  });

  // navigate to the relevant page of the Bubble app
  await page.goto('https://mybubbleapp.com/test-page');

…but it still doesn’t seem to be running ‘as the authenticated user’.

Certain data is only loaded into a repeating group on the ‘test-page’ if the ‘current user’s role is Admin’.

The token I’ve generated is for a user who is indeed an Admin, so I would expect Puppeteer to be able to load the repeating group data.

But that is sadly not the case.

Any idea whether I’m doing something silly or missing something obvious in this last part? :slight_smile:

Thanks again to both of you - I appreciate it’s quite a niche query.
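
A caveat on the snippet above, as an added example that is not part of the original posts: `page.setExtraHTTPHeaders` applies to every request the page initiates, so the user's bearer token also goes to any third-party host the page loads scripts, fonts or images from. The sketch below attaches the token only to requests for the app's own origin through Puppeteer request interception; `scopedHeaders`, `attachScopedAuth` and the placeholder values are illustrative names, and this does not by itself make the Bubble page render as the user.

```javascript
// Added example: send the bearer token only to the app's own origin.
// APP_ORIGIN and TOKEN are constructed placeholders, not real values.
const APP_ORIGIN = 'https://mybubbleapp.com';
const TOKEN = '<TOKEN>';

// Return the headers one outgoing request should carry.
// Puppeteer's request.headers() uses lower-case header names.
function scopedHeaders(requestUrl, headers, appOrigin, token) {
  const out = { ...headers };
  delete out.authorization; // default: no token on this request
  let origin;
  try {
    origin = new URL(requestUrl).origin; // 'null' for data: and about: URLs
  } catch (err) {
    return out; // unparsable URL: never attach the token
  }
  const allowed = new URL(appOrigin).origin;
  if (origin === allowed && allowed.startsWith('https://')) {
    out.authorization = `Bearer ${token}`;
  }
  return out;
}

// Wire the check into a Puppeteer page through request interception,
// in place of page.setExtraHTTPHeaders().
async function attachScopedAuth(page, appOrigin, token) {
  page.on('request', (request) => {
    const headers = scopedHeaders(request.url(), request.headers(), appOrigin, token);
    request.continue({ headers });
  });
  await page.setRequestInterception(true);
}

// Usage inside the Lambda handler, before page.goto():
//   await attachScopedAuth(page, APP_ORIGIN, TOKEN);
//   await page.goto(APP_ORIGIN + '/test-page');
```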

If you’re using Puppeteer, you could turn off your privacy rules and see if it works. It could also be that you need to pass the cookies Bubble stores to Puppeteer.

But, I’m wondering what your reason for using Puppeteer is?

1 Like

I’m using Puppeteer to generate PDFs :slight_smile:

It does indeed work without privacy rules, but I need it to work with privacy rules. Will have to do some digging on this.

Ah interesting! This could be the hidden piece of the puzzle.

1 Like

Ok, I understand about the PDF part.

You may also need to bypass certain privacy rules at dedicated endpoints.

Wish you the best in building your plugin.

1 Like