Securing API endpoints

aleksei · July 20, 2022, 8:15am

Don’t know if this helps, but just for context, I’m authenticating users via an API endpoint as well, as I’m trying to keep all user data outside of bubble as much as possible. So every time they login, I’m verifying their password in my system and returning a success response. There’s a workflow that creates a user account on bubble if needed, generates a temp password for them and logs them in.
From that point on, I’m sending their email address as a means of identifying the user on my backend.

I’m trying to work out if the way I’m setting up my APIs can be exploited to retrieve another user’s data or make some changes to their account.

The API is configured to use Private key in header authentication method.
From what I can see this value cannot be retrieved/changed from the website using the global app variable on the frontend.

The API calls I’m configuring are meant to be called from the server, but it uses information from the user (namely email) to retrieve a list of user data. The email address is a non-private parameter and I’m setting it for each call.
Can the end user somehow spoof their email address to access another user’s data?
Ideally I would like to be able to make the email parameter “private” but then I’ve no way of setting its value dynamically, at least I haven’t been able to work out how.

Is this something I have to use a custom plugin for?

Jici · July 20, 2022, 1:11pm

What you describe should be part of a complete oAuth2 Integration instead of a private key in header. If you can change the API authentication scheme, it would be better to create a full oAuth2 authorization_code WF and configure it in Bubble API Connector and use Social login to authenticate the user. This way, you will be able to use privacy rules in a better way.

aleksei · July 21, 2022, 12:05am

That’s what I started with but moved away from it because it doesn’t work for the scenario I’m trying to achieve.
I also found dealing with the logout flow to be weirdly difficult. Calling the ‘log the user out’ action in WF doesn’t really log them out, because when you initiate the login process again, it doesn’t ask you to login, but rather logs you in automatically.

ankur1 · July 21, 2022, 2:55am

If you are setting up the backend elsewhere, then don’t use the Bubble login/sign-up action. It will only confuse you…

If you want to keep the “key in header” for authentication, set up the backend such that only relevant info pass to your API,

I would suggest going with Oauth2- so even if the access token is exposed, only that user info will be exposed, not the others.

Ankur@ Nocodetalks
Looking for a Bubble Coach? Check out here

Topic		Replies	Views
Setting up API endpoint APIs	1	359	May 14, 2023
Basic Question on API Auth APIs	4	977	January 31, 2022
How to change API authentication per user when connecting from Bubble to 3rd party APIs	3	371	January 13, 2023
Dynamic authentication with the API Connector -- possible? Need help	20	242	June 13, 2024
How To Setup API Authentication? Need help	2	9358	April 11, 2017

Securing API endpoints

Related topics