Is it normal to have 40 workflows for credentials

I have the login page, register page, the “email sent enter code” page, the “you’ve confirmed your email” page, I’ve got the “enter your PIN” page and then it transfers to the user’s home. I also have a magic link page that a person transfers to once they’ve tried to log in with magic link. That entire process is over 40 workflows. I also have 6 “when condition is Get page URL contains login/register/emailconfirmed/pin code” so that’s like 6 workflows just on those. I also have 3 workflows on page loads.

When a person does the wrong password it needs to log the attempts to freeze attempts at 3, lock out their system at 3 to avoid spam attempts on logins and WU. The same on email confirmation and the same on PIN code.

Is it normal to have such high workloads over what’s basically 6 pages?

Is that normal and about right? I’d love to hear from users that have done similar. Just to let people know I’m building a mobile browser version of the app, so I’m keeping to a few pages rather than all on one page or page each. I find it easier that way. All the above pages are on one page though.

I would use reusables and do it on one page but if those 6 pages were over 40 workflows I dread to imagine how much my entire app would be. I’m not even 1% done.

Sounds like too much

2 Likes

narrowed it down to 34.

6 workflows for error messages
2 workflows for (email taken or email available)
1 workflow for page loads
3 workflows for 3 password input hide/show
3 workflows for dynamic page name changes based on state from page URL
3 workflows for PIN entry and new codes
3 workflows for email code entry and new codes
6 workflows for navigations and page redirects
5 workflows for other buttons

It doesn’t really sound much to me. Majority of it is client-side. Would you say it is @boston85719 ?

Don’t really have an answer to your question as I can’t see the workflows, but it does seem a bit overkill; however, maybe not, depending on your setup and login methods.

However this…

If you’re doing this then I’d put money on the fact your DB is leakable and not protected by privacy rules. Bubble has a built-in “email already in use” function that doesn’t expose data. If you’re using workflows (searching for emails?) then the user base is not secure.

1 Like

Hi @chris.williamson1996 thanks for the contribution and I appreciate any efforts or talks to make my app secure.

I was under the impression I couldn’t access the “USED_EMAIL” feature in Bubble as it’s specific to errors. I want to action the change after the Input changes, not on button press. And instantly show the words “Email available/Taken”

I currently do a search on the conditions of a text element below it based on the Do a search for Users (constraint: Email = this input’s email):count but I did have to change privacy settings to enable that. I have noted it in my notes to check the security of that so really appreciate your input.

Is there a way of doing it securely?

Would I be correct in saying I need to do a backend API call for the count as backend workflows are server-side and can’t be manipulated by the user?

Bubble has “already in use errors” without security issues.

I’d just use Bubble’s built-in “already in use” and use the “an unknown error has occurred” only when the error message is the email in use error message (from language settings).

If you were to leave it as a db search like you currently do then your db is leaking user emails.

Do a search for Users (constraint: Email = this input’s email):count

The issue with this is that if privacy rules are set up correctly, it should always return 0. If not correct, you can go to your network tab after the search happens and see it pulling not just a count but raw text of all the users’ emails.

Hi @chris.williamson1996,

I’ve checked the Networks tab and it doesn’t expose or leak any data to my knowledge? By the looks, the _source field is where the raw data is stored. In this response, the authentication field is empty, which I assume means no sensitive data like emails, names, or passwords is exposed.
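
The Network-tab check discussed in this thread can be repeated over a saved HAR export of your own session, scanning every response body for e-mail addresses other than your own. This is an added example, not code from any poster or from Bubble; the hosts, addresses and JSON shapes in the sample are constructed and are not Bubble's actual response format.

```python
import base64
import json
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def response_text(entry):
    """Return the decoded response body of one HAR entry ('' if none was saved)."""
    content = entry.get("response", {}).get("content", {})
    text = content.get("text") or ""
    if content.get("encoding") == "base64":  # HAR stores some bodies base64-encoded
        text = base64.b64decode(text).decode("utf-8", errors="replace")
    return text


def leaked_emails(har, own_emails=()):
    """Map request URL -> sorted addresses seen in its response body.

    own_emails: addresses the tester typed or is logged in as; these are ignored.
    """
    ignore = {e.lower() for e in own_emails}
    findings = {}
    for entry in har.get("log", {}).get("entries", []):
        found = {m.lower() for m in EMAIL_RE.findall(response_text(entry))} - ignore
        if found:
            findings.setdefault(entry["request"]["url"], set()).update(found)
    return {url: sorted(addrs) for url, addrs in findings.items()}


def make_entry(url, body, b64=False):
    """Build one constructed HAR entry for the sample below."""
    content = {"text": body}
    if b64:
        content = {"text": base64.b64encode(body.encode()).decode(), "encoding": "base64"}
    return {"request": {"url": url}, "response": {"content": content}}


# Constructed sample: hosts, addresses and JSON shapes are made up for illustration.
SAMPLE_HAR = {"log": {"entries": [
    make_entry("https://app.example/search", json.dumps({"hits": [
        {"_source": {"email": "alice@example.org"}},
        {"_source": {"email": "bob@example.org"}}]}), b64=True),
    make_entry("https://app.example/count", json.dumps({"count": 1})),
    make_entry("https://app.example/me", json.dumps({"email": "me@example.com"})),
]}}

if __name__ == "__main__":
    for url, addrs in leaked_emails(SAMPLE_HAR, own_emails=["me@example.com"]).items():
        print(url, addrs)
```

For a real export, load the file with `json.load` and pass the resulting dict to `leaked_emails`; any URL it reports is returning other users' addresses to the browser.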