I’m planning to implement an SMS login system in Bubble, by having the user entering in their phone number, then sending a text with a code via Twilio. I’m planning to have Bubble generate the code, store the code in the User’s thing. Then when the user enters the code, verify that code is correct by checking with the database.
Is there any security risk with this approach? I think I have a decent understanding of Privacy Rules, but I’m just checking to see if this would cause an issue – possibly exposing the passcode somehow by Bubble generating the passcode and updating that User’s thing without the user being logged in. Thanks for any advice!
Well, as I started implementing this, of course I had to expose the passcode field to “everyone” so that it could verify. But, obviously the passcode showed up in devtools leaving a huge security flaw. Hmmm… maybe I need to use backend workflows to generate a passcode and verify it?
Look at this:
Just make link, not send. Text them that link through your backend wf/plugin/api connector through Twilio. They must be signed up, you can “create an account for someone else” the first time you see that particular phone number. Hope this helps.
We should never expose pw field or send pw as plain text.