So after having a play around and getting a little frustrated at some password and magic link tokens I finally figured out a reliable was as an admin to login as a user with one click.
The issue I was finding was the token generated by bubble couldn’t be used in the backend workflows, however, I found a way.
Now be careful with this and apply ALLL the security and provisions you need to ensure this is secure!
You can apply the same logic to both password resets and magic links to suit your needs IF you needed a way capture the token and then use this in another flow.
Setup - you need to rather underreported “Bubble App Connector” plugin to connect to your own application - this is used so you can retrieve the token reuse it via a “return data from api” step.
Navigate to backend workflows:
Create a new one, capture the user key, and set the response to json, and expose as a public api workflow (careful now), you’ll be securing it via a key.
Next select send magic link, enter the user email from the captured user data type and TICK just create link dont send email.
Next select “return data from api” and set it up like this, make sure you return the data as json safe or it wont work…
That bits done… easy.
now go to the app settings area and select “API”
Create yourself an API token.
Next go to the plugins area and find your newly installed “App Connector” or install it.
Configure what the plugin asks for - the app domain is your current bubble domain (or the custom domain, depending).
Add the API secret you created before.
and refresh the app meta data and select the newly created backend workflow, set them up to be action and with auth as API key
Now thats done you can use the actions in a workflow, so I created a grid of users and added a button with a workflow:
You can access your newly created “app workflows” by searching for ‘run’ they they will pop up next to your apps name.
One thig to remember when passing the user is they API endpoint only accepts unique IDs
Now what I am doing in the last step is to log on by opening an external website which is this site but with the URL for magic links that gets returned by the API.
Also note there is a find and replace for quotes around the url that is returned (due to the json part).
If you just need the token you will have to split the url up and extract that part using split by ? last part, i think from memory)
(if you use the password recovery token, it wont be a url, but just a token, i think…)
Last time, but please be careful with this… whilst a powerful method for accessing user accounts, you should only use it where you absolutely need to.