Securing API endpoints

Don’t know if this helps, but just for context, I’m authenticating users via an API endpoint as well, as I’m trying to keep all user data outside of Bubble as much as possible. So every time they log in, I’m verifying their password in my system and returning a success response. There’s a workflow that creates a user account on Bubble if needed, generates a temp password for them and logs them in.
From that point on, I’m sending their email address as a means of identifying the user on my backend.

I’m trying to work out if the way I’m setting up my APIs can be exploited to retrieve another user’s data or make some changes to their account.

The API is configured to use Private key in header authentication method.
From what I can see this value cannot be retrieved/changed from the website using the global app variable on the frontend.

The API calls I’m configuring are meant to be called from the server, but it uses information from the user (namely email) to retrieve a list of user data. The email address is a non-private parameter and I’m setting it for each call.
Can the end user somehow spoof their email address to access another user’s data?
Ideally I would like to be able to make the email parameter “private” but then I’ve no way of setting its value dynamically, at least I haven’t been able to work out how.

Is this something I have to use a custom plugin for?

What you describe should be part of a complete OAuth2 integration instead of a private key in header. If you can change the API authentication scheme, it would be better to create a full OAuth2 authorization_code WF and configure it in Bubble API Connector and use Social login to authenticate the user. This way, you will be able to use privacy rules in a better way.

That’s what I started with but moved away from it because it doesn’t work for the scenario I’m trying to achieve.
I also found dealing with the logout flow to be weirdly difficult. Calling the ‘log the user out’ action in WF doesn’t really log them out, because when you initiate the login process again, it doesn’t ask you to log in, but rather logs you in automatically.

If you are setting up the backend elsewhere, then don’t use the Bubble login/sign-up action. It will only confuse you…

If you want to keep the “key in header” for authentication, set up the backend such that only relevant info passes to your API.

I would suggest going with OAuth2, so even if the access token is exposed, only that user’s info will be exposed, not the others.
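As an added example (not code from any poster or from Bubble), the pattern the replies point at: the header key only proves the call came from the trusted server, while the end user’s identity comes from a signed session token minted after the password check, so the email parameter is verified against that identity rather than trusted. The HMAC token format, the key values and the user store are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secrets: both live only on the backends, never in the browser.
API_KEY = "constructed-private-header-key"
SIGNING_SECRET = b"constructed-session-signing-secret"
# Constructed user store standing in for the external backend.
USERS = {"alice@example.com": {"plan": "pro"}, "bob@example.com": {"plan": "free"}}


def issue_session_token(email, ttl=3600, now=None):
    """Mint a signed, expiring token once the backend has verified the password."""
    payload = json.dumps({"sub": email, "exp": int(now or time.time()) + ttl}).encode()
    sig = hmac.new(SIGNING_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_session_token(token, now=None):
    """Return the email bound to a valid, unexpired token, else None."""
    try:
        p64, s64 = token.split(".")
        payload, sig = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(s64)
    except (ValueError, TypeError):
        return None  # malformed token
    expected = hmac.new(SIGNING_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # tampered payload or forged signature
    claims = json.loads(payload)
    if claims["exp"] < int(now or time.time()):
        return None  # expired
    return claims["sub"]


def get_user_data(api_key, session_token, requested_email):
    """User-data endpoint: check the caller, then the user, then what is asked for."""
    # 1. The header key proves the call came from the trusted server only;
    #    it says nothing about which end user is behind the request.
    if not hmac.compare_digest(api_key, API_KEY):
        return ("error", "bad api key")
    # 2. The user's identity comes from the verified token, not from a parameter.
    subject = verify_session_token(session_token)
    if subject is None:
        return ("error", "invalid session")
    # 3. The email parameter may still be sent, but it must match the token subject,
    #    so changing it cannot select another account.
    if requested_email != subject:
        return ("error", "forbidden")
    return ("ok", USERS.get(subject))
```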

