Hi,
I have set up certain API calls to QuickBooks via the Bubble API connector. The calls are not via backend workflows. All the calls have an auth bearer token that goes into the header. Example of the call below -
Now the problem is - We got our app reviewed by a third party, and they checked it through Burp Suite and found that critical info is exposed without any authentication.
Anyone can go to this link - mysite/api/1.1/init/data?location=[my dashboard's URL] and can see the details of the users including the tokens.
Am I doing something wrong?
EDIT - This is the data that you can access by going through the URL
I’m not 100% sure if I understand what is being exposed, but you can keep the Authorization field non-Private and just remove the Bearer token you used to initialize the call.
The calls are proxied with a server. If you mark parameters as private they stay on the server and are never exposed to the client. You can use the API connector in a client workflow or a backend workflow. In a backend workflow everything stays on the server. If you need the auth token to be dynamic but you don't want to expose it to the client, then you need to use it in a backend workflow only.
Of course you need to consider where you are storing the token and what measures you have in place to limit access to the data.
I'm sorry, but I'm not sure if I understood properly. Are you talking about the API responses? I have edited the post to add more info.
To me, it looks like the API call between Bubble's FE and BE is being exposed.
Like @dorilama said, the key is exposed because it's not set to private, but if this is user related (current user key) it's not a problem because this info is already known by the current user. And the call is made server side and not client side. But be sure to have privacy rules applied to this field so only the current user can see it. If you want to totally protect the key, the workaround from @dorilama is the way to go.
No, the key will be visible to everyone.
Here is a note from the documentation:
Note that even though by default, API calls are made from the server, a description of the call is sent to the browser and is thus visible to a savvy user. This means that any sensitive parts of the call, especially secrets / tokens, should be in fields marked "Private".
But how can it be visible to everyone? During the API call, the key is picked from the current user’s data in the database. So only the current users can see that value.
Keys are always sent over the network even if private. HTTPS needs to be used. Better to use it in the header. This is done here. The best would be to use OAuth2... but it's not always available.
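A self-audit check for the problem discussed in this thread, added here as an example and not taken from Bubble or from any poster: given a client-visible description of the app's API connector calls, it flags headers that carry a credential but are not marked private. The JSON shape below is an assumption made up for illustration, not Bubble's real `/api/1.1/init/data` format, and the token values are constructed.

```python
import json
import re
from typing import Dict, List

# Constructed sample: a hypothetical client-visible description of two API
# connector calls. The shape is an assumption for illustration only, not the
# real format of Bubble's /api/1.1/init/data response.
SAMPLE_INIT_DATA = json.dumps({
    "api_calls": [
        {"name": "QuickBooks - Get Invoices",
         "headers": [
             {"key": "Authorization", "value": "Bearer eyJconstructedtoken123", "private": False},
             {"key": "Accept", "value": "application/json", "private": False}]},
        {"name": "QuickBooks - Create Customer",
         "headers": [
             {"key": "Authorization", "value": "<private>", "private": True}]},
    ]
})

# Header names that always carry a credential, plus a pattern for bearer tokens
# placed under some other header name.
SECRET_HEADERS = {"authorization", "x-api-key", "api-key"}
BEARER_RE = re.compile(r"^\s*bearer\s+\S+", re.IGNORECASE)


def find_exposed_secrets(init_data: str) -> List[Dict[str, str]]:
    """Return the non-private headers whose value would reach the browser.

    A header is flagged when it is not marked private and either its name is a
    well-known credential header or its value looks like a bearer token.
    """
    findings = []
    for call in json.loads(init_data).get("api_calls", []):
        for header in call.get("headers", []):
            if header.get("private"):
                continue  # private parameters stay on the server
            name = header.get("key", "").lower()
            value = header.get("value", "")
            if name in SECRET_HEADERS or BEARER_RE.match(value):
                # Truncate so the audit report itself does not leak the token.
                findings.append({"call": call["name"], "header": header["key"],
                                 "value": value[:10] + "..."})
    return findings


if __name__ == "__main__":
    for f in find_exposed_secrets(SAMPLE_INIT_DATA):
        print(f"EXPOSED: {f['call']} -> {f['header']} = {f['value']}")
```

Run against the sample, only the first call is reported, since its Authorization header is not private; the second call's header is private and stays on the server.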