Hello,
I would like to explain my flow for authentication/authorization and ask you whether, in your opinion, this is good practice or whether there is a security hole.
Basically I am using Bubble as the front-end only; then I have a REST API app built with .NET where I keep all my app data. On my backend I have different tables like Order and Submission which are linked to a user. My idea is that on Bubble I let the user sign up with Google or Facebook, then I get the email and create a user entity in my back-end database too.
So in the future, when I call one of my REST API endpoints:
/api/orders/me
with Header :
Authorization : Bearer email (encoded)
my API can decode the email and return only the orders belonging to that email.
I reckon this is a good setup, but I was wondering how safe it is to rely on the Current User's email in Bubble. First of all, can this parameter be changed by the user somehow with some tricks? Then, how often does Bubble check against Google or Facebook to authenticate the user? I imagine they use a refresh token or something similar.
Thanks, and let me know if you have any other flow which may be good for my case.
I would use the user's Unique ID field as the connection between your backend and frontend. I know it's less user friendly with your backend database, but a user's email can change from time to time.
i.e. If I change my primary email with Facebook, or I change my primary email with my Google Workplace account, then that'll get updated in Bubble and then all of a sudden, as far as your backend is concerned, you have a new user (and now a big mess to mop up).
Josh @ Support Dept
Helping no-code founders get unstuck fast, save hours, & ship faster with an expert on-demand
Thanks man, very insightful, and it probably saved me a lot of problems in the future. But I was wondering, how can I get the unique ID you are talking about? Is it something the OAuth provider gives us, or is it something I can get from the Bubble DB?
Every record in your Bubble database will have a field called Unique ID, like this. Once the record is created it cannot be changed, whereas I can update my email address if I like.
So this is always going to be a better way of linking data together vs. something like an email which can be dynamic and therefore break that connection at some point.
Josh @ Support Dept
Helping no-code founders get unstuck fast, save hours, & ship faster with an expert on-demand
Thanks @josh24,
However I think I am going for the following flow (which is basically the same thing):
Every time a user logs in, I check whether the current user has a field called platformId. If not, I call my API, create a new user and return the uniqueId that identifies that user in my DB, which I then save in Bubble as platformId on the current user. So the next time he logs in and finds the platformId, it does not call the API to create a new user. Then I use that platformId as the encoded token in the Authorization header.
I think this should work, but tell me if there are cases where this might create problems; otherwise I could switch to the uniqueId as you suggested.
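An added illustration, not code from this thread or from either backend: whether the bearer value is the encoded email or the encoded platformId, it carries no secret, so a backend that only decodes it learns which user is being asked for, not who is asking. The snippet contrasts that decode-only check with a token the backend mints and signs itself once the sign-in has been verified; the signing key, the user store and the /api/orders/me handler are assumptions.

```python
import base64, binascii, hashlib, hmac, json, time

# Constructed sample user store, keyed by the backend's own unique id (the "platformId")
USERS = {
    "u-1001": {"email": "alice@example.com", "orders": ["o-1", "o-2"]},
    "u-1002": {"email": "bob@example.com", "orders": ["o-7"]},
}
SECRET = b"assumed-backend-only-signing-key"  # assumption: never leaves the API server

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def decode_only(bearer):
    """The flow as posted: the bearer is just the encoded identifier.
    Decoding proves nothing about the sender; any id that exists is accepted."""
    try:
        pid = b64url_decode(bearer).decode()
    except (UnicodeDecodeError, binascii.Error):
        return None
    return pid if pid in USERS else None

def mint_token(platform_id, ttl=3600, now=None):
    """Backend-issued token 'body.signature', minted only after sign-in was verified."""
    now = int(time.time()) if now is None else now
    body = json.dumps({"sub": platform_id, "exp": now + ttl}).encode()
    sig = hmac.new(SECRET, body, hashlib.sha256).digest()
    return b64url_encode(body) + "." + b64url_encode(sig)

def verify_token(bearer, now=None):
    """Accept the subject only if the HMAC matches and the token has not expired."""
    now = int(time.time()) if now is None else now
    try:
        b64body, b64sig = bearer.split(".")
        body, sig = b64url_decode(b64body), b64url_decode(b64sig)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(body)  # body is ours: it passed the signature check
    if claims.get("exp", 0) <= now:
        return None
    pid = claims.get("sub")
    return pid if pid in USERS else None

def orders_for(bearer, check):
    """GET /api/orders/me: 401 unless the chosen checker yields a known user."""
    pid = check(bearer)
    return (401, []) if pid is None else (200, USERS[pid]["orders"])
```

With `decode_only`, presenting any existing id is enough to read that user's orders; with `verify_token`, a token whose subject was edited no longer matches its signature and is rejected.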