UI for Bearer Token Generation (API) OR more secure generation?

Hey bubblers,

I’m following the manual’s authentication instructions (As a User - Bubble Docs), but I believe that it’s not secure or good practice to ask users to submit their passwords as strings to get a Bearer token.

Does anyone know if there’s a way to create some UI or front end to have users generate and access a Bearer token? Or is there perhaps a way to hash and salt the user’s password when they hit a generate-api-token route (instead of passing password as string, as instructed by bubble).

Cheers!


Consider this:

But never tested it.

I believe that this is specific for creating tokens for third party apps, whereas I’m looking to use bubble’s native Bearer token for the bubble API. E.g. How to authenticate - Bubble Docs

You don’t use a user’s password in the sense you’re thinking of, and the code has to run in an API workflow (on the server), which is secure, for you to be able to retrieve the token. So you’ll set up your sign-the-user-up or log-in workflow on a backend workflow, and then hit the endpoint with it set up in the API Connector, which is also on the server.

I’ve followed the manual (As a User - Bubble Docs), where yes there’s a backend API workflow (called “generate-api-token”), and it’s the user’s username and password that are sent (via GET request) to the server. The issue here is that sending passwords as a string is not secure. You wouldn’t put a password in an API call because then any dev can go into the server logs and read the user’s password.

The question here is, once the user authenticates securely and logs in to the front end, is there any way to use that authenticated login to show the user a token on the front end? This is how OpenAI does this, where you log in and then can generate a token by clicking a button as a logged-in user.

Yes there is. And it appears you’re just ill-informed. You can set the backend workflow to be a POST (and you should) since any and ALL POST requests are always sent to the server, and secure. HTTPS-hosted sites secure data transmittals by encrypting them. So even if a password is exposed like, let’s say, in the DOM, it still wouldn’t be visible to an eavesdropper, unless they had direct access to the computer sending the info, which is highly unlikely. So again, create a backend workflow that logs a user in with a POST request, create an API call to it with the API Connector to log the user in and get the bearer token on your front end code instead of the regular Sign a user up action.
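To make the two points in this thread concrete (credentials in a GET query string end up in server access logs; a token shown to an already logged-in user should be minted server-side and stored only as a hash), here is an added example in Python. It is not Bubble's code or anything from Bubble's docs: the endpoint path `/generate-api-token`, the parameter names `email` and `password`, and the `TokenStore` class are all hypothetical, and the request lines are constructed to mimic what a web server typically writes to its access log.

```python
"""
Added example (hypothetical endpoint and parameter names, not Bubble's API):
1. shows why a GET call carrying a password is recoverable from access logs,
   and how to detect such lines;
2. shows a POST keeping the credential out of the logged request line;
3. mints an opaque bearer token for a user who already authenticated, stores
   only its SHA-256 hash, and verifies presented tokens in constant time.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Query parameters a defender would not want to see in an access log.
SENSITIVE_PARAMS = {"password", "token", "api_token"}


def build_get_request_line(path: str, params: dict) -> str:
    """Request line a server would log for a GET call with params in the URL."""
    return f"GET {path}?{urlencode(params)} HTTP/1.1"


def sensitive_params_in_log_line(line: str) -> list:
    """Detection helper: credential-bearing query keys present in a logged request line."""
    target = line.split(" ")[1]          # second field is the request target
    query = urlsplit(target).query
    return sorted(k for k in parse_qs(query) if k in SENSITIVE_PARAMS)


def build_post_request(path: str, params: dict) -> tuple:
    """POST carries the credentials in the body; the logged request line shows only the path."""
    return f"POST {path} HTTP/1.1", urlencode(params)


class TokenStore:
    """Server-side store of issued bearer tokens, keeping only their hashes."""

    def __init__(self):
        self._hashes = {}  # sha256(token) -> user id

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_token(self, user_id: str) -> str:
        """Mint a token for a user who already logged in through the normal flow.
        The plaintext is returned once to show on the front end; only its hash is kept."""
        token = secrets.token_urlsafe(32)
        self._hashes[self._hash(token)] = user_id
        return token

    def authenticate(self, authorization_header: str):
        """Resolve an 'Authorization: Bearer <token>' value to a user id, or None."""
        scheme, _, presented = authorization_header.partition(" ")
        if scheme != "Bearer" or not presented:
            return None
        digest = self._hash(presented)
        for stored, user_id in self._hashes.items():
            if hmac.compare_digest(stored, digest):  # constant-time comparison
                return user_id
        return None

    def revoke(self, token: str) -> bool:
        """Invalidate a token; returns True if it was known."""
        return self._hashes.pop(self._hash(token), None) is not None


if __name__ == "__main__":
    creds = {"email": "user@example.com", "password": "hunter2"}  # constructed sample
    print(build_get_request_line("/generate-api-token", creds))
    print("leaked keys:", sensitive_params_in_log_line(
        build_get_request_line("/generate-api-token", creds)))
    print(build_post_request("/generate-api-token", creds)[0])
    store = TokenStore()
    tok = store.issue_token("user-1")
    print("authenticated as:", store.authenticate("Bearer " + tok))
```

The hashed store means a leaked database dump does not hand out usable tokens, and `secrets.token_urlsafe` gives a token with no relationship to the user's password at all, which is the property the original question was after.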