I mean, if I was a client, this would not be a very reassuring conversation if I had to choose a visual programming plateform…
Is that AS EASY on other decoupled platforms like FF/toddle/weweb coupled with Xano/ Supabase to trigger internal workflows?
Because, let’s be honest, with that information in mind, if a user can create an account in a bubble app, there is 100% chances to have potential security breaches on existing applications (that probabalbly haven’t used George’s technique)…
Bubble has built in functionality for authenticating through api token.
When logging a user in from backend, bubble returns api token and an expires in value (seconds). This is stored to the user to identify when to run the action again. This way you can use privacy rules and conditions on current user in public workflows by unchecking “can be run without authentication” and including header Authorization: Bearer “users api token”. If token is expired or not valid bubble will not accept the authentication. This way your apps api token is never used since bubble identifies the user through its token. Or am I misunderstanding this part of the post?
If you have a public workflow (e.g delete user) that is generally authenticated using an admin token, then by definition it is ALSO possible to authenticate just as a logged in user.
Bubble doesn’t care who you’re authenticated as, except for privacy rules. As long as you’re authenticated by an API token or by being logged in, you’re good to run the workflow. You are incorrectly assuming that this workflow can only be run with an admin token - that is the false assumption that I’m trying to help people understand more
The issue I am highlighting is as follows:
Many people have public backend workflows
They assume that because it requires authentication, it will be safe and only possible to call when you want them to
That is incorrect - any public workflow, even if it requires authentication, can be called at any time by any user.
For example, if you have a public ‘send email’ workflow, that you normally authenticate using an admin API token, then it is still possible to call that workflow just by being logged in (as in this case you are authenticated) and send emails as you please.
I really appreciate the job you are doing for making people build more secure apps because this is hard to get information and it takes a long time with bubble usage to acquire this specific knowledge.
For me I am using api keys that are generated for each user by bubble to authenticate in public api calls, this way I can even for api connector or external calls know what user is making the request and set a condition on the run. For example only if current user permissions contain send emails. I use this for all bulk create and other calls that have to go through api connector because the specific user is authenticated and my admin api key is never involved.
So a user can when logged into the app, from their browser run an api call for that public backend workflow?
Is this implying that a user, who is not the user in the parameter of the backend workflow can run that backend workflow because they can ‘trick’ the system into running it via an API call from the browser, or is this a potential scenario because of developer oversight when it comes to how they implement the ‘schedule backend workflow’ action within their app?
Could this be resolved by not using parameters to send those values into the backend workflow and instead retrieve them from the database in the backend workflow itself on data types that have proper privacy rule configurations?
Is that the same as any logged in user?
I’m really curious how a logged in user could ‘call’ or rather run these backend workflows. I don’t know how to use Postman so I don’t test api calls through there, and instead just test from another Bubble app, but if the call is initiated from a different platform than the app itself, isn’t the user not logged in and they would need to send in an API token in the header?
Is this basically the same as using an API Token from the editor settings area, but just not using the tokens Bubble would generate and just creating your own?
The condition part is the part that is necessary to make this worthwhile. Keep in mind that these logged in users can still call the workflow whenever they want, so it’s important your conditions protect to ensure they can only run it when it makes sense to do so and they have permission to do so within the app.
The only value authenticating as a specific user has is:
Allowing you to use Current User in BE workflow
Restrict data access in BE workflow by privacy rules
It doesn’t change the problem I’m talking about in particular, which is that we don’t know if the request came from app logic, or direct manipulation.
Backend workflow that takes a username and password parameter and a single log the user in action that uses these parameters will return a login cookie
Just wanted to mention that for backend workflows using the “Detect request data” parameter definition, instead of adding extra text parameters like key, token, or authKey, one can enable the “Include headers in the detected data” option. This lets you access the Authorization header (e.g., “Bearer xxx”) directly. You can then validate it as a text as part of the initial “Terminate this workflow” step.
In the “Terminate this workflow” step, I’d also suggest embedding <your chosen key> within an Arbitrary text. This way, it’s only revealed after an additional click, rather than being displayed openly on the screen
Yes, both suggestions are correct and useful recommendations! That’s one way to verify the call came from an admin (or the Bubble app) rather than any user.
Would that be as simple as a condition on the action?
Could you provide an example of this?
Is this basically suggesting, we could create API Tokens in the editor for each backend workflow so that only one API Token is used for one backend workflow and each backend workflow as a different API Token?
In the example above I have the create load api token used only on the backend workflow that creates load, while the Old api token is used on a different backend workflow. Is that similar to your suggestion?
Amen to that. Privacy rules are a backup and not a first line of defense.
This is great addition to the conversation and really helps make the security measures even more robust. Thanks for sharing that.
You know that privacy rules really are the only thing protecting data access, right? If a privacy rule doesn’t restrict it, it is accessible no matter what other conditions or constraints you have anywhere.
Also, @zubairk20028 just posts ChatGPT nonsense so don’t waste your time.
An admin API token for each workflow makes no sense - if using a unique token parameter each workflow (which would be good), don’t use an admin token, just use any random string.
I don’t think that is true. In a test app I have a data type of User with a field of Company, data type of Company and data type of Team with field of Company. Search is simple constraint.
When the User is logged out, no results are shown and in network tab, a search is not even performed, and there is no data accessible. If the user is logged in and has a company field populated, correct results are shown and network tab only shows their company teams returned. If the user is logged in and company field is empty, no results are shown and in network tab doesn’t perform a search at all.
So I imagine that from that simple test, a simple constraint can make it so that even without privacy rules on any of the 3 data types, it is not accessible from the client device.
Also, if I do not enable the data api on those data types, the data is not accessible.
So, could you provide an example of how a user can access the data no matter what conditions or constraints there are, while there are no privacy rules and the data type is not exposed via data api? Obviously, I’m not advocating for people to not use Privacy Rules, I’m just stating they are not necessarily the first line of defense.