Restricting Sign Up/Log In to FB OAuth

I’m currently running a Personal Service Plan on Bubble and cannot afford the higher plans. I am, however, building an app and clearly would need SSL integration to make the site as secure as possible.

Since I am not yet in a position to upgrade my plan, what does the community think about simply allowing users to sign up with Facebook or Google+ OAuth only? Does this at least provide some level of protection, as they wouldn’t be providing password information to my app?

I welcome your comments.

That’s running with the assumption that Bubble’s storage isn’t secure. At least you’re not flicking auth tokens around, having another brand be the face of your sign up/in experience and essentially providing a way for your online customer to become re-engaged with another service. Kind of can’t get past the logic though: if Bubble’s not secure enough for their passwords, then where are you going to put their data? Attackers don’t want passwords. I’ve been with Bubble for about 2 and a half years and haven’t had nor heard of a serious issue or breach yet. Bugger SSO, keep your brand yours.

The issue you have not running through SSL isn’t so much the password (even though that is a big problem as well). It’s more the fact that the users themselves are more susceptible to man-in-the-middle (MITM) attacks. So if you are pulling their name and email address etc. from the Google auth, or even allowing them to enter personal information into the app, you’ve got to think about the external security. Not saying this would happen, it’s just what HTTPS / SSL is used for: securing the information going from the website (or to the website), from the client browser to the server.

So it would depend on the type of information you’re storing as to whether HTTPS is important or not. Something also to bear in mind is that Chrome has started classing pages as not secure that don’t run over HTTPS for the login forms https://developers.google.com/web/updates/2016/10/avoid-not-secure-warn (this would be countered if you use the SSO I believe though, as it would go straight to Google or Facebook etc.). In the future Google are looking to make Chrome show “not secure” on all pages that are not HTTPS, but you don’t need to worry about that for the moment.

I don’t fully agree with jarrad on the “bugger SSO” statement (sorry @jarrad!), as I think SSO is a fantastic thing that removes an extra barrier to sign up and means that users don’t need to worry about having to set up another user name and password. And don’t forget those users are still yours; as long as you capture their email etc. you still have contact with them, you’re literally just bouncing them to Google or Facebook etc. for the authentication (pretty standard practice). However, the only issue with that being their only option is: what if they don’t have a Google account, or a Facebook or Twitter account? You would still want to provide some form of manual account that isn’t SSO.

Hope that helps and is a bit of food for thought.

Hi Chris,

Thanks for responding. I’m still pondering the best approach though. The type of information that’s most important to us really is their email address; the rest is pretty much some basic information like name, telephone and address (most is optional). I’ve also decided not to integrate a payment gateway because of this hindrance.

Oh how I wish this feature was available on the personal service plan. I think I’d simply work with what I have until I can afford to upgrade my plan.

Question: is there any chance one can add SSO via a 3rd party plugin or something without having to go through a service plan?

Hi Jarrad, thanks for responding. Like Chris said, I was more concerned about MITM attacks as well, not Bubble’s platform.

Either way, I need to work on getting my app to be as secure as possible and will have to upgrade my plan as soon as I can afford it.

Not a problem @tomi.adegbenro. Well yeah, you have two ways of looking at it: either not worry about MITM attacks and switch on HTTPS as soon as you can afford it, or just go with the subdomain Bubble app so you get SSL for free and move to the custom domain as soon as you can afford it. Or a third one: see if you can find someone with a dedi package on here that you could sub-let off them until you’re ready to move on to your own server.

The latter of your options was what I had in mind, at least until you can afford to upgrade (meaning using the subdomain from Bubble).