Can I have my users login using their email stored in Airtable?

I synced my Airtable base with WeWeb and thought allowing anyone whose email is on my “Client” table would be easy, but the hard truth is that it’s not, and I wonder if it’s even doable.

I wish the various “Authentication plugins” would allow for something simple, like selecting in which collection our users are, and which field is the email, and allow login by sending an email with a code or link they can click on and get logged in. (no password needed)

Additionally, this plugin would allow to specify a rule where users can/cannot login. For instance, I only want my users who have “status=enabled” to login. But this can also be done by filtering the Airtable view being used to feed WeWeb. (although an additional filter at the WeWeb auth plugin level would be more powerful, because it would allow syncing those users, so that they may be used in the app while not necessarily allowing them to login)

None of the various Auth plugins available seem to match this level of simplicity, and none seem to allow to sync users from an external source. And maybe this unexpected limitation is gonna be a deal breaker for my project. :confused:

It seems like something very interesting is coming :soon: to WeWeb on that front

Still, I think it’s important to know that strictly relying on filtering on unique IDs stored in plain in the DB is really not a robust way of securing data. But I understand that not all data is sensitive, which leaves space for that kind of solution.

The most important point is that you should wait for backend filters to be available in WeWeb for Airtable collections if you want to gate content coming from Airtable based on authentication. See those for a bit more on the subject:

If you’re working with sensitive data, you really want to have authentication built into the database directly, or the database to have a security model that allows for external security providers. Xano and Supabase both have authentication built in and are very well integrated in WeWeb.

2 Likes

Thanks for those leads, it’s interesting.

WeWeb already allows back-end filters for Airtable, and I’ve configured my Agent table to fetch only a few fields. But that table cannot be used for authentication (no option to do so).

In my case, security is not hyper important, something that would typically send an email with a code/link to the email address stored in Airtable is good enough.

That is incorrect. We allow you to filter on a specific table or a specific view, but, unless you have a view specific for each user, you will not be able to do a backend filter per user. As @gbeaudoin mentioned, this could lead to a security or privacy issue.

We will soon be releasing an update to the Airtable plugin that allows you to add queries when you fetch your data. Still, that won’t resolve your issue of authentication.

There is no simple trick to allow a list of users in Airtable to authenticate in WeWeb. The secure approach would be to work with the Auth0 plugin (Auth0 offers a generous free plan) and add an Airtable / Auth0 automation to sync your Airtable table with users every time a new user signs up.

2 Likes

Thanks for clarifying, my understanding of WeWeb internals is still incomplete. (I thought what I was manipulating was a Backend filter… :thinking: )

It’s good to know it can be achieved with Auth0, I’ll try to take a look about how to keep Auth0 and Airtable users in sync.

This is for a kind of internal app so there is no “user signup”, everything is being managed by an administrator. But I don’t think it changes anything, besides the fact Auth0 free plan is more than enough.

1 Like

No worries! We are working on making things clearer in the app but basically, all the filters you add AFTER fetching the data are frontend filters:

  1. WeWeb (frontend) gets the data from an external database
  2. If the filter is added after getting that data, the data from the external database is still visible in the user’s browser (whether you see it on the page or not)

The resources @gbeaudoin shared above explain that in more detail.
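The difference between the two kinds of filter, as an added example that is not part of the original thread and is not WeWeb or Airtable code: the table rows, the session map and all function names are constructed for illustration. It compares what crosses the network when filtering happens in the browser with what crosses it when a server filters on the authenticated session first, including the “status=enabled” rule mentioned earlier in the thread.

```javascript
// Constructed sample rows standing in for an Airtable "Client" table.
const CLIENTS = [
  { email: "alice@example.com", status: "enabled", notes: "Alice's data" },
  { email: "bob@example.com", status: "enabled", notes: "Bob's data" },
  { email: "carol@example.com", status: "disabled", notes: "Carol's data" },
];

// Frontend filter: the whole table is serialized and sent to the browser,
// and only then narrowed down to the rows that get rendered.
function frontendFilter(userEmail) {
  const payload = JSON.stringify(CLIENTS); // what crosses the network
  const rendered = JSON.parse(payload).filter((r) => r.email === userEmail);
  return { payload, rendered };
}

// Hypothetical server-side session store: the user's identity comes from the
// authenticated session, never from a value the browser supplies.
const SESSIONS = new Map([
  ["sess-alice", "alice@example.com"],
  ["sess-carol", "carol@example.com"],
]);

// Backend filter: rows are selected before anything is serialized, so other
// users' rows never leave the server. Disabled accounts get nothing.
function backendFilter(sessionId) {
  const email = SESSIONS.get(sessionId);
  if (!email) return { status: 401, payload: "[]" };
  const account = CLIENTS.find((r) => r.email === email);
  if (!account || account.status !== "enabled") {
    return { status: 403, payload: "[]" };
  }
  const rows = CLIENTS.filter((r) => r.email === email);
  return { status: 200, payload: JSON.stringify(rows) };
}

// Helper: which users' emails can be read out of a network payload.
function emailsIn(payload) {
  return [...new Set(JSON.parse(payload).map((r) => r.email))].sort();
}

const front = frontendFilter("alice@example.com");
console.log("rendered rows:", front.rendered.length);
console.log("emails in frontend payload:", emailsIn(front.payload));
console.log("emails in backend payload:", emailsIn(backendFilter("sess-alice").payload));
```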

Ah ok, got it! Will the users change often? If not, then for an MVP I’d recommend importing the list in the WeWeb Auth plugin and using WeWeb auth to authenticate users. It will be easier than putting together an Auth0 + Airtable sync :slight_smile:

1 Like

I don’t think they would change often, but the person in charge of administrating things wouldn’t typically want to have access to the “WeWeb builder” to change which accounts can do what, they’re not technical people.

Maybe I’ll take this as an opportunity to learn more about Auth0, or go the simpler, manual way.

1 Like

Maybe you could build an admin page in WeWeb for them so they can change the role of the users, create new ones, or delete old users. Let me check with the team if that’s possible / how to do that and get back to you on that one :slight_smile:

1 Like

Do you have any idea when this might be released?

It looks like this might have changed? I just set up a user table in Airtable and then link any user-specific data back to that user email. Using the filter by formula field from the WeWeb auth object’s email.
I assume this is relatively secure, since the data stays on the server and only user-specific data is returned. The email should not be exposed since the email lives in that auth object and not a global variable.

If you want something “secure”, you’ll have to drop Airtable as a backend.
Nothing is secure in the way WeWeb fetches Airtable, even your Airtable token can be found from the browser.

1 Like

That is good to know. Airtable is not meant to be a backend. We are planning to migrate to Xano or Supabase so this is a temporary solution.

Like @AmbroiseDhenain said, Airtable’s filter by formula option is helpful for performance but only a backend can ensure security.

We dive in further on the topic in this section of our user docs: Airtable data source | WeWeb documentation

Hi Joyce, is this kind of screen and feature possible? Allowing admin user to add regular users?

Yes, though I would recommend using a state-of-the-art backend to build this type of feature

1 Like

Thanks