Hi everyone,
I'm actually facing an issue that I'm not sure how to solve properly. IMHO, there's no solution, the only thing being to minimise the risk.
The tech context is the following: frontend Bubble, using API Connector (not Eli's plugin) - backend: Xano (obviously)
All the data is stored on Xano. BUT, I'm using a two-layer login (on Bubble AND on Xano) that allows me to store, on a per-user basis, some data that is going to be used mainly for display purposes or for conditionals to call endpoints properly.
The Xano security layer gets a token from Xano and stores it in Bubble (in the user datatype), where it is used for each endpoint call. The Xano token TTL is dynamic and is actually set to 7200 seconds.
A scheduled backend workflow is triggered that refreshes the Xano access token, based on a refresh token.
But the main thing is that the access token - the one stored in the user datatype - is very often used on the frontend for the API call. And even when using the API Connector with a dynamic authorization header, this can be intercepted in the network tab within the browser. Hence, by getting the token, you can then play with it and the Xano endpoints quite easily in Postman - and even circumvent the CORS layer.
I thought that Bubble's API Connector calls were protected against such cases, but they're not.
Which leads to the following questions:
Has someone ever solved this authorization token issue with the combo Bubble/Xano? If so, how?
If I intercept any Xano token and have knowledge about the instance/workspace endpoints, can I then hack all the endpoints?
Michael Udinski Chris Coleman Louis Machado Sean Montgomery Cameron Booth Lachlan Ray Deck
(PS: from my experience, the best solution is not in the token but in app rights management design, and hoping that users with the highest rights don't get hacked.)