I’d love your feedback on it because it will help me write an article and record a video on the topic for the soon-to-be-released Weweb blog and Weweb academy.
Is it helpful? Is anything unclear? Are you missing key information?
I loved how you used screenshots and showed how the front-end, Chrome developer tools, and the configuration in the no-code tools were all related.
My one recommended addition to your article is perhaps including a sentence or two about how to go about testing/auditing the security of your application after you’ve built it. For example, what type of person could you hire or service could you buy to run an audit/test on your system to check for these vulnerabilities?
Additionally, what is the best way to get a user’s roles in the frontend?
For example, I want to show a link to the admin’s page only if the user is an admin, using Supabase auth.
How can I easily get and check a user’s roles?
You can then use that variable to check if the user has the “Admin” role or not. By binding the result to the display property, we hide the link to “Your fleet” page when the user doesn’t have that role:
You still need to protect the “Your fleet” page by restricting its access to admins, because the URL is still available in the current page’s source code.
This formula is probably not the most elegant way of doing this because we’re counting on something to be undefined to make a decision, but it works. I’ll ask the devs on our team if they have a better solution!
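The role check and the server-side restriction described in the reply above, as an added example that is not part of the thread or of WeWeb’s or Supabase’s own code; the `app_metadata.roles` layout and the `verifyJwt` lookup table are assumptions, constructed here so the snippet runs offline.

```javascript
// Added example (not from the thread). Assumes roles live in the Supabase
// JWT's app_metadata.roles array; that layout is an assumption.

// Safe role check: behaves correctly when the user, app_metadata, or roles
// are undefined, so the display binding does not depend on an accidental
// undefined to make its decision.
function hasRole(user, role) {
  const roles = user?.app_metadata?.roles;
  return Array.isArray(roles) && roles.includes(role);
}

// Frontend side: the binding for the "Your fleet" link's display property.
function shouldShowFleetLink(user) {
  return hasRole(user, "Admin");
}

// Backend side: the same check, enforced where the client cannot bypass it.
// verifyJwt is a placeholder for real token verification; a constructed
// lookup table stands in for it here.
const CONSTRUCTED_SESSIONS = {
  "token-admin": { id: "u1", app_metadata: { roles: ["Admin"] } },
  "token-driver": { id: "u2", app_metadata: { roles: ["Driver"] } },
  "token-legacy": { id: "u3" }, // no app_metadata at all
};

function verifyJwt(token) {
  return CONSTRUCTED_SESSIONS[token] ?? null;
}

// Route guard for the fleet page/API: returns an HTTP status based on the
// verified user, never on whether the link was hidden in the UI.
function handleFleetRequest(req) {
  const token = (req.headers.authorization ?? "").replace(/^Bearer /, "");
  const user = verifyJwt(token);
  if (!user) return { status: 401, body: "not authenticated" };
  if (!hasRole(user, "Admin")) return { status: 403, body: "forbidden" };
  return { status: 200, body: "fleet data" };
}
```

Hiding the link only changes what the browser renders; the 401/403 branches in `handleFleetRequest` are what actually keep non-admins out of the page’s data.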
By the way, private access with user groups is only available in the Scale plan… I think these features are basically still in the test phase, so I should have created another workflow to check whether the user is an Admin or not. (It is already capped by access volume, so the Starter plan should not be restricted on other points, for the developers’ and WeWeb’s growth, I assume.)
Combined with Chris Coleman’s recent Xano tutorial about securing your APIs, I finally feel a sense of relief about applying security measures to my application.
I think a very basic thing that most people might miss out on: don’t use your private keys for an API call in the frontend (like Stripe, Airtable, Slack, etc.).
Instead, call your backend, and use that to call the 3rd party service. Otherwise, your private keys become exposed.