Best way to secure API Keys

  • benjabievres-1312681131052761129

    benjabievres

    4 months ago

    Hello!

    I want to make calls to a Baserow Database, but it uses an API key (and not any session token). If I want to use this key and not disclose it in my public Toddle app source code, how would I do?

    Since there is no login endpoint, I have no way to grab the key dynamically and keep it in a session cookie.

    I imagined a way that would leverage Make: I create a login webhook scenario, which returns the Baserow API key after it checked credentials.

    Another way I can imagine is to use KDF to generate a derived key that would be used at runtime to decrypt the API Key (and store it in the session cookie). Like this the key in the source can’t be used without a runtime password the user would type.
    But I’m not sure we can create a function that leverages the crypto libraries in Toddle.

    Do you have any other idea?

    Thanks
  • lucasg-1312741396016271471

    Lucas G

    4 months ago

    Both of your ideas are doable
  • “Best” way totally depends on your setup
    👍1
  • lucasg-1312741789911879731

    Lucas G

    4 months ago

    The main thing is that the call be made from a backend so the key won’t be exposed. I personally use Cloudflare workers
  • benjabievres-1312762595861856326

    benjabievres

    4 months ago

    Thanks @Lucas G. It makes complete sense to call a backend to get the key. I didn’t know about Cloudflare Workers, I will take a look.
    Anyway I think for my own use-case, it will be better to use Make.
    And one extra question. Is it still fine to store a key in a session variable, if we make it last 3600 seconds or less?
  • benjabievres-1312776359046811748

    benjabievres

    4 months ago

    I ask this because I need to store 2 keys, while Toddle only lets you keep one key/token on the server when calls are proxied.
  • lucasg-1312820562099310732

    Lucas G

    4 months ago

    Is this key static or dynamic? I understood it was a static API key to your baserow account.
  • If it’s a static API key then you should not store it anywhere client side
  • Send a call to a Make webhook and retrieve the data that way instead
    👍1
  • benjabievres-1312822674132701265

    benjabievres

    4 months ago

    Yes @Lucas G, it might be better that I always call Make webhooks and implement my own Session Token mechanism. Make would then keep any third-party API Key secure. It means that I create a Login webhook scenario, from here I check credentials in a Baserow Users Table, and then I generate a session token and send it back to Toddle. This session token will then be passed by the Toddle Proxy through the HTTP-Only cookie, every time I call another Make Webhook Scenario. Does it make sense?
  • lucasg-1312826097523757166

    Lucas G

    4 months ago

    It does 👍
  • Is baserow a database service?
  • Like Supabase or Xano?
  • benjabievres-1312826551124889683

    benjabievres

    4 months ago

    Thanks a lot @Lucas G!
    Yes, it’s a database. They are starting to offer capabilities to build a user interface, but it’s very far from what Toddle offers.
  • lucasg-1312832576569741333

    Lucas G

    4 months ago

    Any reason to use it over something like supabase with a built-in auth system?
  • lucasg-1312832860872245370

    Lucas G

    4 months ago

    I did also consider separating the two but not sure if I want to host a separate auth system right now 🤔
  • benjabievres-1312839108615471164

    benjabievres

    4 months ago

    @Lucas G that’s an interesting question. For the moment I’m investigating multiple solutions; the end goal is to « teach » users to build a new web app that leverages a database and a middleware (the middleware being Make).
    Normally, the web app won’t access the database directly but will use webhooks to get or update any backend data. I still wanted to test a hybrid mode where the front would mix calls to webhooks and to the database, but it’s not a good idea, all calls should go through webhooks in my case.
    Now to answer your question ☺️: I also tested Supabase, but the way their API works makes it a little more complex for Make. If I want to call it, I need to first get the session token and then make the actual call, which means two calls each time I want to interact with the database. I could store the session token in the Make DataStore or as a global variable, but I would need to maintain it, which would be complex.
    One other way to overcome it is to build a Make Custom App, because in that case we can benefit from some automatic token refresh mechanisms. But we don’t plan to have users build their own Custom App.
    And because Make has a Baserow native App, it’s a lot quicker and easier to send queries to it.
    And personally I found Baserow less complex to learn than Supabase.
    I hope I’m clear 😅
  • lucasg-1312847469259784295

    Lucas G

    4 months ago

    Ah if using Make is a requirement then never mind
  • The purpose of using something like supabase would be to not have to use Make
  • benjabievres-1312850036513833072

    benjabievres

    4 months ago

    Yes @Lucas G, to justify the use of Make, we’ll also have complex logic, integration with a few other third-party applications, and some « offline » processes. 😎
  • Tod-1312850038057340978

    Tod

    4 months ago

    Great energy @! Your continuous contribution to the toddle Community just made you advance to Community Level 5!
  • lucasg-1312855672622288936

    Lucas G

    4 months ago

    Nice
  • Sounds like a good series
    👍1
  • darren_alderman-1314300360093077564

    Darren

    4 months ago

    @Lucas G So I have the same question, and I am using Supabase. Should I set up an edge function that returns the api key if the user is authenticated / has permission?
  • lucasg-1314301395406684221

    Lucas G

    4 months ago

    Returns what API key?
  • If it is a key that should not be used client-side then no
  • If you're going to use edge functions then simply make the call directly to the API with the edge function
  • There wouldn't be a need to return it to then make the call from client-side
  • darren_alderman-1314302096413167757

    Darren

    4 months ago

    Gotcha, I need to fetch some data from Monday.com that is shared between users and the API key is just my developer access token.
    So I should just make the API call in the edge function where the Monday key will live.
    And only let authenticated users access that edge function?
  • lucasg-1314305885891330148

    Lucas G

    4 months ago

    Correct.
  • The API key shouldn't be hard-coded into the function though
  • Use Supabase's Vault to store it
    👍1
  • Just a heads up in case you aren't already doing so
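    An added example of the edge-function pattern described above: the function authenticates the caller, makes the Monday.com call itself with the key, and never returns the key to the client. This is not Supabase's, Monday.com's or the thread's code; `env.MONDAY_API_KEY` is assumed to be injected from a secret store such as Vault rather than hard-coded, and `verifyUser`, `fetchImpl` and the upstream endpoint are assumptions.

```javascript
// Added example, not code from Supabase, Monday.com or the thread.
// Authorization gate: `verifyUser` is a hypothetical callback (for instance a JWT
// check against the auth provider) that returns a user id or null.
function authorize(request, verifyUser) {
  const auth = request.headers['authorization'] || '';
  if (!auth.startsWith('Bearer ')) return null;
  return verifyUser(auth.slice('Bearer '.length));
}

// Build the upstream call. The key is read from env.MONDAY_API_KEY (assumed to be
// injected from a secret store such as Supabase Vault) and travels only in this
// server-side request, never in the function's source or its response.
function buildUpstreamRequest(env, boardId) {
  if (!env.MONDAY_API_KEY) throw new Error('MONDAY_API_KEY is not configured');
  const id = Number(boardId);
  if (!Number.isInteger(id)) throw new Error('invalid boardId'); // keep user input out of the query text
  return {
    url: 'https://api.monday.com/v2', // assumed GraphQL endpoint
    method: 'POST',
    headers: { Authorization: env.MONDAY_API_KEY, 'Content-Type': 'application/json' },
    body: JSON.stringify({ query: `{ boards(ids: ${id}) { name } }` }),
  };
}

// Last line of defence: never send a body that echoes the secret (for example an
// upstream error message that quotes the request headers).
function safeResponse(status, payload, env) {
  const body = JSON.stringify(payload);
  if (env.MONDAY_API_KEY && body.includes(env.MONDAY_API_KEY)) {
    return { status: 500, body: JSON.stringify({ error: 'response withheld' }) };
  }
  return { status, body };
}

// Entry point: authenticate, call upstream with the key, return only the data.
// `fetchImpl` is the platform fetch, injected so the function can be exercised offline.
async function handle(request, env, verifyUser, fetchImpl) {
  if (!authorize(request, verifyUser)) return safeResponse(401, { error: 'unauthenticated' }, env);
  const up = buildUpstreamRequest(env, request.query.boardId);
  const res = await fetchImpl(up.url, { method: up.method, headers: up.headers, body: up.body });
  const json = await res.json();
  return safeResponse(res.ok ? 200 : 502, { data: json.data }, env);
}
```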
  • darren_alderman-1314307105213251594

    Darren

    4 months ago

    I am not 😅 - Thanks

© Copyright 2024 toddle. All rights reserved.