Log in "as a user" - but be careful. Admin usage

So after having a play around and getting a little frustrated at some password and magic link tokens I finally figured out a reliable was as an admin to login as a user with one click.

The issue I was finding was the token generated by bubble couldn’t be used in the backend workflows, however, I found a way.

Now be careful with this and apply ALLL the security and provisions you need to ensure this is secure!

You can apply the same logic to both password resets and magic links to suit your needs IF you needed a way capture the token and then use this in another flow.

Setup - you need to rather underreported “Bubble App Connector” plugin to connect to your own application - this is used so you can retrieve the token reuse it via a “return data from api” step.

Navigate to backend workflows:

Create a new one, capture the user key, and set the response to json, and expose as a public api workflow (careful now), you’ll be securing it via a key.

.

Next select send magic link, enter the user email from the captured user data type and TICK just create link dont send email.

Next select “return data from api” and set it up like this, make sure you return the data as json safe or it wont work…

That bits done… easy.

now go to the app settings area and select “API”

Create yourself an API token.

Next go to the plugins area and find your newly installed “App Connector” or install it.

Configure what the plugin asks for - the app domain is your current bubble domain (or the custom domain, depending).

Add the API secret you created before.

and refresh the app meta data and select the newly created backend workflow, set them up to be action and with auth as API key

Now thats done you can use the actions in a workflow, so I created a grid of users and added a button with a workflow:
image

You can access your newly created “app workflows” by searching for ‘run’ they they will pop up next to your apps name.

One thig to remember when passing the user is they API endpoint only accepts unique IDs

Now what I am doing in the last step is to log on by opening an external website which is this site but with the URL for magic links that gets returned by the API.

Also note there is a find and replace for quotes around the url that is returned (due to the json part).

If you just need the token you will have to split the url up and extract that part using split by ? last part, i think from memory)

(if you use the password recovery token, it wont be a url, but just a token, i think…)

Last time, but please be careful with this… whilst a powerful method for accessing user accounts, you should only use it where you absolutely need to.

7 Likes

@georgecollier you helped me with this method indirectly when you showed us all the mystery app connector :slight_smile: plus a heap of other fun ways to pass data to your own api get a return value in the front end (or backend) and do more cools stuff. so thanks. Sharing is caring!

Was this in a specific post on the forum or a video hosted publicly?

1 Like

This is very helpful - I’ve never been able to work out a way to do this but your method makes sense!

2 Likes

Yea, a fair bit of trail and error but this is really handy - the app connector is a hidden gem…
so nice to have backend workflows responses easily accessible in the front end. When I read your post on this I knew it would solve the token issue. There are quite a few post on the forum about reset tokens etc, so this method should help those who find it.