Just as a word of warning, this is not secure if you follow the methodology of the original post exactly, as it will allow any logged-in user to generate a login token for any other user, provided they know the other user’s unique ID.
Explanation: To call this workflow from the backend, the workflow must be public. You may think that ‘this workflow can be run without authentication’ being unchecked would protect it. This is not the case. Any logged-in user is ‘authenticated’. Therefore, any logged-in user can call this backend workflow with a User’s ID and get a magic login link into their account.
Solution:
To implement this securely, you need to verify that the request came from a permitted user (a user that should be allowed to do this, e.g. an admin user). There are multiple ways to do this, but I’ll share a simple way below. Roughly speaking, we’ll generate a temporary permission token in the front-end for the Current User after checking they’re allowed to do this, and in the backend, we’ll check that the permission token is valid by searching to check if there is a user with this permission token (yes, you can also add another user parameter if you really want to check that both the permission token exists and it belongs to the User making the request, but I’m keeping this example solution simple).
- Add a permissionToken parameter to the backend workflow.
- Add a permissionToken text field to the User data type.
- Terminate the backend workflow when Do a search for Users with permissionToken = permissionToken (the one received by the backend workflow):first item is empty (i.e., there are no users with this permission token). I’ve also added the same condition on the other two actions (not shown in the screenshot) purely because I don’t trust Bubble obeying order of actions for an action like this!
- In the place you want to trigger the run as action, have a condition on the workflow that checks the user is authorised to do this (e.g. Current User’s isAdmin is yes):
- Inside the workflow, generate a permission token using Calculate RandomString. It is not an issue that this is a client-side action as it doesn’t matter that the user can see this, as they’re already authorised to do this action.
- Pass the permission token to the backend workflow.
- Once the login link is returned from the backend workflow, set the Current User’s permissionToken to be empty again.
Again, this assumes you have privacy rules on your User data type to stop users finding other users’ permission tokens, but if you don’t have those set up then you definitely shouldn’t be playing around with this!
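The check described in the post above, modelled in Python as an added example (not part of the original post and not Bubble code). It uses the stricter variant the post mentions, where the token must belong to the user making the request, and clears the token in the backend after one use; the user IDs, the `USERS` store and the `magic-link-for:` string are constructed placeholders.

```python
import hmac
import secrets

# Constructed stand-in for the User data type (hypothetical IDs).
USERS = {
    "u_admin": {"isAdmin": True, "permissionToken": ""},
    "u_alice": {"isAdmin": False, "permissionToken": ""},
    "u_bob": {"isAdmin": False, "permissionToken": ""},
}

def backend_vulnerable(caller_id, target_id):
    """Original approach: being logged in is the only requirement."""
    if caller_id not in USERS:
        return None
    return f"magic-link-for:{target_id}"  # placeholder for the login link

def issue_permission_token(caller_id):
    """Front-end step: only an authorised user gets a token saved on their record."""
    user = USERS.get(caller_id)
    if not user or not user["isAdmin"]:
        return None
    user["permissionToken"] = secrets.token_urlsafe(32)
    return user["permissionToken"]

def backend_hardened(caller_id, target_id, permission_token):
    """Terminate unless the token is non-empty and is the caller's own token."""
    user = USERS.get(caller_id)
    # An empty token must never match the empty field every other user has.
    if not user or not permission_token or target_id not in USERS:
        return None
    stored = user["permissionToken"]
    if not stored or not hmac.compare_digest(stored.encode(), permission_token.encode()):
        return None
    user["permissionToken"] = ""  # single use: clear before returning the link
    return f"magic-link-for:{target_id}"
```
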