The documentation on authentication for API calls says this:
“– No authentication. In some cases, you may want to enable calls that aren’t authenticated, e.g., to let a user sign up or login to the app. To enable this, check the box ‘This workflow can be run without authentication’ at the workflow level. When a workflow is run under such circumstances, the privacy rules that apply are the one for ‘everyone.’”
Has anyone got an example of how to do this? I want to secure signups to my app by setting a signup code that is sent to not-yet-users to allow them to sign up. If you’ve got the code you can sign up; if not, you can’t (but you can request it). How this currently works is I’ve two normal workflows (not backend workflows) - one if you have the code, the other if you don’t. But for these to work, the data field that contains the login code needs to be visible to people who aren’t signed in - which isn’t very secure.
I’m not sure how to construct the Backend Workflow - specifically because the user isn’t signed up - so I can’t see how to return the result of the workflow to allow or not allow signup.
Any help appreciated.
Just to get it right: is the signup code unique for every new user? How do I get a sign-up code?
What you could do (without having many details about the exact process):
- Let user create sign-up code. User gets an email only with that code. The code will be saved in the database together with the email.
- Add a condition to the workflows (no matter if backend workflows or not) so that the user is only created when the signup code equals the one you have sent them.
Why do you want to use backend workflows in general? Do you want to trigger it from an external application? I have made a tutorial exactly about this (how to sign up users from an external application via backend workflows).
I think more information would be helpful.
Not a unique code for each user - unique to a group of users, and it can change in time. Specific example - a group of people are signing up to their ‘club space’ on my app. The admins for the club distribute the code to their members, who can then sign up individually. The app allows them to sign up as long as they have the current code for the club.
If the code is distributed to someone who shouldn’t have it, it’s easy to change it.
In the current sign up workflow you select the ‘club space’ from a list, input the code and sign up.
A workflow on the signup page checks the code and lets you in.
The issue is the code is a field in the ‘club space’ data type and the privacy is set to visible to everyone - which it needs to be for the workflow to be able to access it when a user isn’t signed up. I understand that a savvy would-be hacker could find the code easily, which defeats the purpose of having it in the first place - to prevent unauthorised signups.
I noted in the Bubble reference that this is better done as a backend workflow - I’m just unsure how to do it. All the API workflows I’ve created before save data. In this case I assume the API needs to return something to the login page to allow the sign up or not. If so how do I do this?
Hope that makes sense @Sarah_Biberei ?
Thanks for the reply
Got you now.
- Create a Backend workflow signing up the user
- Schedule the API workflow with your conditions of the unique code (must go in the only when statement) and check the checkbox “ignore privacy rules”
- Make something happen (show a pop-up, for example) only when the API Workflow was positive.
- In case it was not, show something else.
Sorry for being a little fast (almost midnight in my town), if no one else was helping I can re-create your situation and make a video.
Instead of only using the code that you are storing in your club space, you could instead use that code (effectively as a public key) plus the code that users would need to know (as a private key), encrypted together to create the actual secure key.
The user experience would be exactly the same, but when users enter the code for the space you would use something like AES256 to encrypt the user-provided code with the public key from your club space, and then you could check that value against a stored hash key of the two, also on the club space thing. This is actually just a couple of extra steps in your workflows - hopefully I’ve not made it sound too complicated.
On your suggestion of moving to API workflows - it would definitely increase the ‘wall height’ a bit, though the data would still be public. Annoyingly, when you Schedule an API Workflow from Bubble’s front-end you can’t return data back to it as you normally would with a typical API call.
Alternatively, though, you can make a ‘normal’ API call to your own app’s endpoints via the API connector and, in this case, you can return values back to the front end. To do this you’ll just need to grant yourself a token from Settings > API and use it as per the below inside the API connector:
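How the backend-side check described above could be structured, as an added illustration that is not Bubble code and not from the post: the club space stores only a random salt (playing the role of the “public” part) and a digest of the signup code, the backend recomputes the digest from what the user typed and compares in constant time, and the frontend only ever receives true/false. It uses a salted PBKDF2-HMAC-SHA256 digest rather than the AES step mentioned; the record layout, field names and sample codes are constructed.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # constructed setting; stretch short codes so a leaked digest is costly to guess


def derive_digest(salt: bytes, code: str) -> bytes:
    """Turn a human-friendly club code into a salted, stretched digest."""
    return hashlib.pbkdf2_hmac("sha256", code.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_club_record(club_name: str, signup_code: str) -> dict:
    """Constructed 'club space' record: salt and digest only, never the plaintext code."""
    salt = secrets.token_bytes(16)
    return {"name": club_name, "salt": salt, "code_digest": derive_digest(salt, signup_code)}


def verify_signup_code(club: dict, submitted_code: str) -> bool:
    """Backend check: recompute and compare in constant time; this bool is all the page needs."""
    candidate = derive_digest(club["salt"], submitted_code)
    return hmac.compare_digest(candidate, club["code_digest"])


def rotate_code(club: dict, new_code: str) -> None:
    """Admins change the club code by replacing salt and digest; old codes stop working."""
    club["salt"] = secrets.token_bytes(16)
    club["code_digest"] = derive_digest(club["salt"], new_code)


if __name__ == "__main__":
    club = make_club_record("Chess Club", "knight-2024")  # constructed sample
    print(verify_signup_code(club, "knight-2024"))  # True
    print(verify_signup_code(club, "wrong-code"))   # False
```

Because the club record never holds the plaintext code, the field can stay hidden behind privacy rules and the signup workflow only needs the boolean result.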
Thanks @Sarah_Biberei that all makes sense - one question: How do I check the workflow was positive (by which I presume you mean that it ran)?
Sorry one more question - the way you suggest it the condition is satisfied in the frontend - so still visible to a potential hacker. If I put the condition in the API workflow - ie only sign the user up if the condition is met - that means the code is only accessed in the backend.
But again i need to know if the workflow was successful - that’s the bit I don’t know how to do.
Yikes @edwardbutcher - that’s above my paygrade! (the public key private key thing)
I’ll have a look at the normal API call as you suggest (haven’t done this before) and see if I can make sense of how to do it.
Another (simpler) way of getting info back from your backend would be via a condition that’s triggered based on the change made in your backend workflow.
E.g. if your backend workflow updated the verified field on the Current User, then you could use a condition per the below, either as a ‘When’ trigger for a workflow, or to show something:
Hi @edwardbutcher - I think I’m right in saying that this won’t work for a user that isn’t signed up. There isn’t a Current User data type until the user is signed up. So this would work to verify a login but not a sign up. Or have I misunderstood?
Go to settings > api.
Generate an API key/token for your app.
Go to where you call the API endpoint, add the parameter api_token=[your generated api token].
Generate magic link and send it.
Bob is or may be your uncle. (Bubble Reference) Let me know if you need a video.
Another, potentially simpler solution is something like this:
- Club admin sends invites to who they would like to sign up to club (they input name and email)
- Email is sent to invitee who clicks on button to sign up
1. When the club admin invites a user:
   1.1 Sign the user up and add a ‘club member’ field on the user type, in which you put the particular club at this point.
   1.2 Reset password (tick only create token, don’t send email).
   1.3 Send the invite email with the link’s URL as www.yourwebsite.com/reset_pw?reset=‘result of step 2’&state=new
When the user clicks on the link in the email they are then directed to set their password and as soon as they complete redirect to whatever page is appropriate.
Use ‘get data from page URL’ set up like the screenshot below for ‘only when’ conditionals on workflows to navigate to new page and also to change text from ‘reset password’ to ‘set password’ and other UI specifics you might want.
This way, no one needs to manage a code and there is no chance someone can get into the club space without an invite.
You can use privacy rules and search constraints around ‘club member contains X club’ to only show the appropriate content to invited users.
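The invite-link flow above relies on the emailed token being single-use and short-lived. As an added illustration (not Bubble code, and not part of the post; Bubble’s own reset token is managed for you), this sketches the properties a defender wants from such a token: random, stored only as a hash, tied to the invited email and club, expiring, and redeemable once. The store, time-to-live and sample addresses are constructed.

```python
import hashlib
import secrets

INVITE_TTL_SECONDS = 7 * 24 * 3600  # constructed policy: invite links expire after a week


def _token_hash(token: str) -> str:
    # Store only the hash, so a leaked database copy does not yield usable links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_invite(store: dict, email: str, club: str, now: float) -> str:
    """Admin invites a member: mint a random token and record who it is for."""
    token = secrets.token_urlsafe(32)
    store[_token_hash(token)] = {
        "email": email,
        "club": club,
        "expires": now + INVITE_TTL_SECONDS,
        "used": False,
    }
    return token  # this value goes into the emailed link, e.g. ...?reset=<token>&state=new


def redeem_invite(store: dict, token: str, now: float):
    """User follows the link: reject unknown, already-used or expired tokens, else consume it."""
    rec = store.get(_token_hash(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    rec["used"] = True  # single use: a forwarded or replayed link fails afterwards
    return {"email": rec["email"], "club": rec["club"]}


if __name__ == "__main__":
    invites = {}
    t0 = 1_700_000_000.0  # constructed timestamp
    link_token = create_invite(invites, "alice@example.com", "Chess Club", t0)
    print(redeem_invite(invites, link_token, t0 + 60))   # {'email': 'alice@example.com', 'club': 'Chess Club'}
    print(redeem_invite(invites, link_token, t0 + 120))  # None (already used)
```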
Thanks everyone. Plenty of options to explore there. I’ll let you know how I get on.