Server-side check to prevent page downloading

Hey Fellow Bubblers,

I’ve got some pages I’m trying to tie down and make sure only admins can see.

I’ve done the usual stuff:

  • Set up Data Privacy Rules
  • Stopped menu items from showing if you don’t have the right privilege

But someone might have had access or can guess a page title, so I’ve always used “on page load” and then done a check. The problem is the page actually loads and you can see content for a brief instant before it redirects back to the previous page. I thought it wasn’t doing this previously.

It’s suggested by @petter in 10 Easy Bubble Security Tips and in his book that you get a server-side action when you check something before a page loads, but my experience differs (this may have been a change by Bubble?).

You can see I’ve had a few goes at this in various combinations (including checking at the workflow trigger and inside the workflow steps); none of these stop the page loading.

Any suggestions?
Cheers - Johnnyweb

How about you group all the elements in a group and set the group to be not visible on page load and add a condition where if current user’s user-privilege is admin = this element is visible

This way, although it would take 1-2 seconds to redirect a user, the elements would still be hidden on page load

2 Likes

Yep absolutely could do that but it would be more secure if it didn’t load at all to the client.

I’ll use that as a last resort @ntabs - thanks for that

I use a ‘When’ workflow that triggers the page switch if the user is not logged in, seems quicker than on page load.

With the new performance update the elements may not load until visible so they may not load in at all before the page switch… Unknown right now.

Yes that condition is faster but based on @johnnyweb’s use case, it’s only either user has admin role or not

I’m not sure I understand. If you have something that isn’t set up to be shown on page load, it won’t be. It will never be visible until a proper condition is met, and as such the associated searches and data won’t happen. Don’t have it visible then hide it… Start with it hidden, then show it. It won’t be more or less secure, there will be nothing to show.

Now, they will still be able to always see things like states, cookies, option sets, and the outer group name that’s invisible, but that’s it.

You can also make a very random page name too, with many random characters? Calling it Admin Panel probably isn’t hard to guess :wink:

Or did I miss something with your question?

1 Like

+1 on @troy.roberge’s inputs

1 Like

Hey @troy.roberge & @ntabs I should be able to prevent the entire page from loading so that the clients can’t even confirm it exists. That’s good security practice.

This is effectively a 301 redirect (or 302 etc.): Redirects: How To Use, SEO Impact & Types (301 vs 302) - Moz

If Bubble can do this server side the client never sees the data and they don’t have to download anything from the page - they are sent to a redirected page or in my case back to where they were. It’s also faster for the client.

I don’t have the pages setup to hide all content as suggested in the same way I don’t have all content hidden unless the user is logged in.

To ensure only logged in users hit my internal pages I use “when user is Logged out” which performs a 302. That’s the behaviour I want to replicate.


And Yes a nice random name would help but the redirect saves us from all of that :smiley:

So reading through your redirect example, those are hard-coded commands on a page that is empty to go to a different page.

I would love someone to tell me otherwise, but I don’t see how you can perform a redirect prior to page load.

Anyhow, if you figure that out, cool, but I’m thinking my method is still the simplest and most used.

That being said, you can always buy Petter’s book on security and see if it’s in there.

@philip2 Thanks for the suggestion. I tried it like this but that doesn’t work either (although it seems to be faster to load the page they should be viewing)


The page isn’t empty, it’s just that the redirect happens server side before anything is downloaded. As I mentioned, this works when the user is logged out - Bubble sends a 302 - in effect telling the client what to load.

I have got Petter’s book, and in the link at the top of my post (which he also wrote) it also discusses server side redirects. It’s supposed to work as I’ve configured it but doesn’t.

I’ve always operated under the assumption that with Bubble, there is no way to force a page to not load. You can use privacy rules to stop data from loading, but all the stuff on the page will load, even if it’s hidden.

Having elements hidden as a default, and redirecting the page will be fine for the non-technical user, but my understanding was that a sophisticated user could stop the redirect and see the hidden elements (which are loaded in the background).

So my approach with development pages was to do the above, use random strings in the URL, ensure that nothing on the existing pages linked to the development pages, and ensure the pages weren’t in the sitemap.xml file. This effectively hid the page.

There was discussion on this stuff in the forum in the past.

Caveat: my initial assumption may have been wrong, or Bubble may have made changes that fixed this issue.

Hello, I am a beginner and have read several posts, and some of them are so long that I felt lost in the discussion. Same here.

Somehow I have built my single page app. I applied the solutions below and solved the problem.

I grouped all the main body elements in a single group.

I made it not visible on page load, so I did not have to use an on page load condition again.

I made conditions when user is logged out and not logged in redirect them to other page.

No problem at all. No data is showing up.

An important thing I noticed, which I learned from another post, is that in debug mode page elements may show up. But when trying without debug mode enabled there is no problem.

Though that grouped element will not be exposed, a floating group element can show up if the elements inside do not have the same conditions. So I put all the elements in the floating group in a single group and solved the problem.

I am not sure this is a permanent solution but it is solved.

To chip in here – yes, the safest in principle is to make sure you have a proper pre-load redirect, but all content on the page should also be unavailable to any user who does get access (by privacy rules, not hiding/showing elements. Of course you can still hide all elements for obfuscation, just don’t consider it secure).

Logic redirects are something that’s happening under the hood from Bubble’s end, which makes it hard to give a direct instruction for when it will happen. Generally a simple server-side check (i.e. Server’s admin = true) should lead to a server redirect, but Bubble may have reason to load the page or change the logic without letting us know.

I’m not sure if Go to previous page will ever lead to a server-side redirect, since this references the browser’s history and as such may force Bubble to load the page and trigger the “back” action through JavaScript.

4 Likes

Thanks Petter, after changing the redirect to a specific page this worked and passed the redirect check at SEO Agency - Strategy, Consulting & Link Building - Sure Oak.

My settings now look like this: [image]

Interesting side effect: Bubble resolves logged in redirects first, as the redirect checker showed 3 URLs. The 1st redirects a logged in user without sufficient privileges, the second redirects if not logged in (as this doesn’t have a check for privilege).

So the lessons for me are:

  • SS redirects are a must on all pages you want to protect in some way
  • think about (and test!) your rules to make sure no client actions are required to stop this working, as Bubble will have to expose the page and this will briefly allow people to see the content
  • use privacy rules everywhere
  • hiding things is great for client experience but not for protecting your site.

Thanks everyone!

3 Likes
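As an added illustration (not Bubble’s code, nor anyone’s configuration from this thread), the following models the two points made above: a server-side 302 answers the request before any page content is written, so a visitor who is sent away receives an empty body, whereas the hide-and-redirect pattern ships the whole page and relies on the client to navigate away. It also reproduces the two-hop chain the redirect checker reported: an anonymous visitor to the admin page is first redirected by the “not admin” rule to a home page, whose own “logged out” rule redirects again to a login page. The routes, users and markup are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample users; Bubble's "Current User" is modelled as None
# when the visitor is logged out.
@dataclass
class User:
    name: str
    admin: bool = False

@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

ADMIN_MARKUP = "<h1>Admin panel</h1><p>sensitive settings</p>"
HTML = {"Content-Type": "text/html"}

def admin_page(user: Optional[User]) -> Response:
    # Server-side rule "user is not admin -> go to page home": the check runs
    # before any content is written, so the 302 carries an empty body.
    if user is None or not user.admin:
        return Response(302, {"Location": "/home"})
    return Response(200, HTML, ADMIN_MARKUP)

def home_page(user: Optional[User]) -> Response:
    # Server-side rule "user is logged out -> go to page login".
    if user is None:
        return Response(302, {"Location": "/login"})
    return Response(200, HTML, "<h1>Home</h1>")

def login_page(user: Optional[User]) -> Response:
    return Response(200, HTML, "<form>login</form>")

def client_side_admin_page(user: Optional[User]) -> Response:
    # The pattern the thread warns against: the page is sent in full, with the
    # admin group merely hidden and a script doing the redirect after download.
    if user is None or not user.admin:
        body = ('<div style="display:none">' + ADMIN_MARKUP + '</div>'
                '<script>location.href="/home"</script>')
        return Response(200, HTML, body)
    return Response(200, HTML, ADMIN_MARKUP)

# Hypothetical routing table standing in for Bubble's pages.
ROUTES: Dict[str, Callable[[Optional[User]], Response]] = {
    "/admin": admin_page,
    "/home": home_page,
    "/login": login_page,
    "/admin-client": client_side_admin_page,
}

def follow(path: str, user: Optional[User], max_hops: int = 5) -> List[Tuple[str, Response]]:
    """Follow redirects the way the redirect checker in the thread does,
    recording every hop's path and response."""
    hops: List[Tuple[str, Response]] = []
    while True:
        resp = ROUTES[path](user)
        hops.append((path, resp))
        if resp.status not in (301, 302) or len(hops) > max_hops:
            return hops
        path = resp.headers["Location"]

def chain_paths(path: str, user: Optional[User]) -> List[str]:
    """Just the URLs visited, as a redirect checker lists them."""
    return [p for p, _ in follow(path, user)]

def leaks_admin_markup(path: str, user: Optional[User]) -> bool:
    """True if any response on the way carries the admin markup: exactly what
    a visitor who halts the client-side redirect gets to read."""
    return any(ADMIN_MARKUP in resp.body for _, resp in follow(path, user))

if __name__ == "__main__":
    visitors = [("logged out", None), ("member", User("bob")), ("admin", User("alice", admin=True))]
    for label, user in visitors:
        for page in ("/admin", "/admin-client"):
            print(label, page, chain_paths(page, user), "leaks:", leaks_admin_markup(page, user))
```

The practical check is the one the thread ended with: fetch the protected URL while logged out and confirm that the very first response is a 302 with no body, rather than a 200 whose markup is only hidden. In the model, `leaks_admin_markup("/admin", None)` is false because every hop before the login page has an empty body, while `/admin-client` leaks on the first response regardless of the script that follows.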

Welcome to the Bubble community!

Summary of the post is that hiding data doesn’t protect you. You should at least check that a user is logged in to a page and redirect them to the login screen if they aren’t validated.

Understanding data privacy is very important in making a secure solution - I highly recommend reading Petter’s blogs linked on this thread (and buying the book :D)

Great post - thanks for doing this digging

This was a great help, thank you.

I have successfully redirected with 302 on several situations, like the status of a user (invited, revoked, suspended, not logged in, etc.) This works great if it is a simple check on the user’s Thing.

However, as soon as I try to do a search for something else - in this case using the page’s name to look up the required permissions (using a Thing), the server side code becomes client side code.

It’s hard to tell if it’s the page name access or the database look up.

It’s not great, but at least it lets me control normal user states, and prevent not logged in users from ever seeing the app.

UPDATE: I figured out why sometimes it works and sometimes it doesn’t. If you have multiple steps - as steps do not happen sequentially - it seems that Bubble gives up on the server side redirect and sends the page. If you can keep all the checks in one step, then the checks happen on the server side, and the redirect comes from the server as a 302. This is very frustrating, needless to say. I managed to make it work, but my condition looks atrocious, with several requests for the same data (I hope Bubble can optimise it). Expression editing, even with the new editor, is a real PITA.

1 Like

I’m battling with the same issue. Especially on slower download speeds, the page shows for a second or 2 before redirect - enough time for a screenshot. One would wish for old-school PHP or .htaccess type proper server side redirect?

EDIT: Going through Bubble’s Security docs I noticed Current User is Logged In, and Current User is Logged Out start from server side. So in theory one could drop this in instead of Page is Loaded.

Alas, I’m not sure it helps when data is already being checked for a User Logged in…


Make the element you want to hide not visible on page load. Add a condition identical to the inverse of your redirect condition that makes it visible.

E.g if we want something to be visible only when Current User’s Subscription is Active,

  1. On page load, go to another page only when Current User’s Subscription <> Active
  2. Section you want to be hidden should be invisible on page load, and visible only when Current User’s Subscription = Active