Skip to main content
All CollectionsGeneralFixing issues
Temporary password vulnerability issue
Temporary password vulnerability issue

Why is this considered an issue, and how can you solve it?

Updated over 9 months ago

We could think this action is completely secured, - as actions with credentials usually are in Bubble - but this one can compromise depending on the context in which it is used.

For example, some admin dashboards (that can be compromised with bad redirections) have buttons to define a temporary password for a specific user.

Hopefully, it's quite easy to fix.

If you know that everything happening in the front-end can be seen by anyone…
Just perform this action in the back-end side of your app.

Let’s go step-by-step through this.

1 - Creating the API Workflow

We’ll go to the back-end section of the app, and create a new API Workflow that we will call “assign-temporary-password”.
It will take a parameter:

  • user-email of type ‘text’

Then, we’ll simply reproduce the exact same behavior than what our initial workflow was doing.

screenzy-1707410183436

2 - Modifying our initial workflow

Now, let’s go back to our previous workflow - the one on the page the issue was found on.
Let’s delete all the actions inside of it, and make it just trigger our freshly created API workflow and fill in the associated parameter.

screenzy-1707410300767

And… there we go! ✅
The security issue is now fixed and we’re all set 🔐

🔗 Here is the link to the demo app if you’d like to know how to implement it.

🔐 But that’s not the safest way to work with passwords

As mentioned in Bubble’s official documentation, the most secure way to work with passwords is to use the “Reset Password” action.

Important: This workflow action is meant to be used in a situation where an admin is resetting the password for a user - the admin can see the new password.

We do not recommend building this into an end-user-facing flow on a page because it is not a secure way to work with passwords.

If you can implement this logic, that’s the best you can do.
But if you need to use the “Assign a temporary password” in your flow for your specific use-case, you know how to do it in a secure way.

Did this answer your question?