Best practice for authorizing Airtable data (w/ Auth0)

Looking for best practice to authorize a user for access to certain Airtable data.

My current approach is to store the Auth0 userID field in my users table in Airtable - that user record is linked to all of her data in my backend.

For all Airtable calls throughout the app, I’m filtering in the backend by that auth0 userID so the user can only receive data that they’re linked to.

This is fine, but leaves a little vulnerability as it does not utilize the token generated by Auth0, but rather just the static userID. While it’s a pretty long and seemingly random string, it is indeed static.

I can imagine a more secure approach where I utilize the token by doing the following:

When a user authenticates, I make a call to update their users record in Airtable with their token. Then in WeWeb, instead of filtering against the static auth0 userID, I filter based on the dynamic token.

Make sense? What’s the best practice here? Thanks!

Did you figure out what’s the best practice? What did you decide on in the end? :slight_smile:

Hello @raelyn @clncsports,

did you guys figure it out?

After speaking to a WeWeb team member on the phone, I learned that there's actually no way to filter Airtable data "on the backend" even though, imo, it's portrayed this way via the editor. No matter what you do, all data is pulled to the frontend, and then filtered based on whatever filters you applied to the call. Meaning this is not a secure way to bring data to the frontend if you're needing to show user-specific data for instance.

For that reason, I changed my approach to route all calls through authenticated endpoints in Xano. So if you need to get data for a specific user and only that user back to the frontend, you need to:

  • Create an authenticated Xano API
  • that API function then makes an API call to Airtable with your filter criteria
  • the Xano endpoint returns data to the frontend

Hope this helps
