We could think this action is completely secured, - as actions with credentials usually are in Bubble - but this one can compromise depending on the context in which it is used.

For example, some admin dashboards (that can be compromised with bad redirections) have buttons to define a temporary password for a specific user.

Hopefully, it's quite easy to fix.

If you know that everything happening in the front-end can be seen by anyone…
Just perform this action in the back-end side of your app.

Let’s go step-by-step through this.

We’ll go to the back-end section of the app, and create a new API Workflow that we will call “assign-temporary-password”.
It will take a parameter:

Then, we’ll simply reproduce the exact same behavior than what our initial workflow was doing.

Now, let’s go back to our previous workflow - the one on the page the issue was found on.
Let’s delete all the actions inside of it, and make it just trigger our freshly created API workflow and fill in the associated parameter.

And… there we go! ✅
The security issue is now fixed and we’re all set 🔐

🔗 Here is the link to the demo app if you’d like to know how to implement it.

As mentioned in Bubble’s official documentation, the most secure way to work with passwords is to use the “Reset Password” action.

Important: This workflow action is meant to be used in a situation where an admin is resetting the password for a user - the admin can see the new password.

We do not recommend building this into an end-user-facing flow on a page because it is not a secure way to work with passwords.

If you can implement this logic, that’s the best you can do.
But if you need to use the “Assign a temporary password” in your flow for your specific use-case, you know how to do it in a secure way.