Log in "as a user" - but be careful. Admin usage

So after having a play around and getting a little frustrated at some password and magic link tokens, I finally figured out a reliable way, as an admin, to log in as a user with one click.

The issue I was finding was that the token generated by Bubble couldn’t be used in the backend workflows; however, I found a way.

Now be careful with this and apply ALL the security and provisions you need to ensure this is secure!

You can apply the same logic to both password resets and magic links to suit your needs IF you need a way to capture the token and then use it in another flow.

Setup - you need the rather underreported “Bubble App Connector” plugin to connect to your own application - this is used so you can retrieve the token and reuse it via a “return data from API” step.

Navigate to backend workflows:

Create a new one, capture the user key, set the response to JSON, and expose it as a public API workflow (careful now); you’ll be securing it via a key.


Next select “send magic link”, enter the user email from the captured user data type and TICK “just create link, don’t send email”.

Next select “return data from API” and set it up like this; make sure you return the data as JSON-safe or it won’t work…
</grreplace>
<gr_replace lines="23" cat="clarify" orig="That bits done">
That bit’s done… easy.

That bits done… easy.

Now go to the app settings area and select “API”.

Create yourself an API token.

Next go to the plugins area and find your newly installed “App Connector” or install it.

Configure what the plugin asks for - the app domain is your current bubble domain (or the custom domain, depending).

Add the API secret you created before.

Refresh the app metadata, select the newly created backend workflow, and set it up as an action with auth as API key.

Now that’s done you can use the actions in a workflow, so I created a grid of users and added a button with a workflow:

You can access your newly created “app workflows” by searching for ‘run’; they will pop up next to your app’s name.

One thing to remember when passing the user is that the API endpoint only accepts unique IDs.

Now what I am doing in the last step is to log on by opening an external website, which is this site but with the URL for magic links that gets returned by the API.

Also note there is a find-and-replace for the quotes around the URL that is returned (due to the JSON part).

If you just need the token, you will have to split the URL up and extract that part (using split by “?”, last part, I think, from memory).

(If you use the password recovery token, it won’t be a URL, but just a token, I think…)

Last time, but please be careful with this… whilst this is a powerful method for accessing user accounts, you should only use it where you absolutely need to.


@georgecollier you helped me with this method indirectly when you showed us all the mystery app connector 🙂 plus a heap of other fun ways to pass data to your own API, get a return value in the front end (or backend) and do more cool stuff. So thanks. Sharing is caring!

Was this in a specific post on the forum or a video hosted publicly?


This is very helpful - I’ve never been able to work out a way to do this but your method makes sense!


Yea, a fair bit of trial and error, but this is really handy - the app connector is a hidden gem…
So nice to have backend workflow responses easily accessible in the front end. When I read your post on this I knew it would solve the token issue. There are quite a few posts on the forum about reset tokens etc., so this method should help those who find it.

Just as a word of warning, this is not secure if you follow the methodology of the original post exactly, as it will allow any logged in user to generate a login token for any other user provided they know the other user’s unique ID.

Explanation: To call this workflow from the backend, the workflow must be public. You may think that ‘this workflow can be run without authentication’ being unchecked would protect it. This is not the case. Any logged in user is ‘authenticated’. Therefore, any logged in user can call this backend workflow with a User’s ID and get a magic login link into their account.

Solution:

To implement this securely, you need to verify that the request came from a permitted user (a user that should be allowed to do this, e.g. an admin user). There are multiple ways to do this, but I’ll share a simple way below. Roughly speaking, we’ll generate a temporary permission token in the front-end for the Current User after checking they’re allowed to do this, and in the backend, we’ll check that the permission token is valid by searching to check if there is a user with this permission token (yes, you can also add another user parameter if you really want to check that both the permission token exists and it belongs to the User making the request, but I’m keeping this example solution simple).

  1. Add a permissionToken parameter to the backend workflow

  2. Add a permissionToken text field to the User data type

  3. Terminate the backend workflow when Do a search for Users with permissionToken = permissionToken (the one received by the backend workflow):first item is empty (i.e., there are no users with this permission token). I’ve also added the same condition on the other two actions (not shown in the screenshot), purely because I don’t trust Bubble obeying the order of actions for an action like this!

  4. In the place you want to trigger the run-as action, have a condition on the workflow that checks the user is authorised to do this (e.g. Current User’s isAdmin is yes):

  5. Inside the workflow, generate a permission token using Calculate RandomString. It is not an issue that this is a client-side action, as it doesn’t matter that the user can see this; they’re already authorised to do this action.

  6. Pass the permission token to the backend workflow.

  7. Once the login link is returned from the backend workflow, set the Current User’s permissionToken to be empty again.

Again, this assumes you have privacy rules on your User data type to stop users finding other users’ permission tokens, but if you don’t have those set up then you definitely shouldn’t be playing around with this!

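The flaw described above next to the permission-token fix, as an added illustration that is not Bubble code or anything from this thread: a Python model with constructed in-memory users, where `User`, `USERS`, `APP_DOMAIN` and the function names are assumptions standing in for the Bubble User type, the database and the backend workflow. It also adds the optional "token belongs to the caller" check the post mentions.

```python
import secrets
from dataclasses import dataclass
from hmac import compare_digest
from typing import Optional

# Constructed in-memory stand-in for the Bubble User data type (not Bubble's own API).
@dataclass
class User:
    unique_id: str
    is_admin: bool = False
    permission_token: str = ""   # the permissionToken field added in step 2
    magic_token: str = ""

USERS = {u.unique_id: u for u in [
    User("u-admin", is_admin=True), User("u-alice"), User("u-mallory")]}
APP_DOMAIN = "https://example-app.invalid"   # placeholder for the app's domain

def create_magic_link(target: User) -> str:
    """Stand-in for 'send magic link' with 'just create link, don't send email' ticked."""
    target.magic_token = secrets.token_urlsafe(24)
    return f"{APP_DOMAIN}/magic_login?token={target.magic_token}"

def backend_insecure(caller: Optional[User], target_id: str) -> Optional[str]:
    """The original post's endpoint: being logged in is the only gate."""
    if caller is None:
        return None
    return create_magic_link(USERS[target_id])   # any user, any target unique ID

def backend_secure(permission_token: str, caller_id: str, target_id: str) -> Optional[str]:
    """Step 3, plus the optional 'the token belongs to the caller' check."""
    if not permission_token:     # never search on an empty token: it would match
        return None              # every user whose permissionToken is still empty
    holder = next((u for u in USERS.values()
                   if compare_digest(u.permission_token, permission_token)), None)
    if holder is None or holder.unique_id != caller_id:
        return None              # Bubble equivalent: 'Terminate this workflow'
    return create_magic_link(USERS[target_id])

def frontend_run_as(current: User, target_id: str) -> Optional[str]:
    """Steps 4-7: admin gate, one-shot permission token, call backend, clear token."""
    if not current.is_admin:                                   # step 4
        return None
    current.permission_token = secrets.token_urlsafe(24)       # step 5
    link = backend_secure(current.permission_token, current.unique_id, target_id)  # step 6
    current.permission_token = ""                              # step 7
    return link

def token_from_link(link: str) -> str:
    """The OP's 'split by ?' extraction of the bare token from the returned URL."""
    return link.split("?")[-1].split("token=")[-1]
```

The empty-token guard matters because every user starts with an empty permissionToken, so a search for an empty value would find a match and let the workflow proceed.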

Thanks for the added security details @georgecollier. I actually had reservations posting this in the first place, to be honest. In my case I don’t let anyone run this who isn’t me (the dev). Appreciate your input.

Of course - just wanted to make sure you knew that your setup in the original post would allow anyone to run it.


You are a gentleman and a scholar @georgecollier
