Xano Auth and another data source

Hi there.

This is probably a very stupid question, and I feel slightly ashamed to ask it as a heavy user of no-code tools for many years, but I’ve scoured the community and gone through the full Academy and Docs and can’t find the answer, so here goes…

I’m currently building a client portal so that clients can see and request tasks. I’m using SmartSuite as a ‘backend’ as we use this very effectively as a team project management tool. I have set up Xano Auth and have it all working. However, I only want clients to be able to see tasks linked to them in SmartSuite. Obviously this would involve some kind of setup where I use the native filter to only show SmartSuite tasks where the client’s Xano User ID matches some stored data in SmartSuite, but this is where I’m stuck. I’ve got the filter working to only show tasks where the user email is ‘x’, but that doesn’t seem secure. I also thought about storing a Xano User ID in SmartSuite, but again that would be static so doesn’t seem secure (as confirmed by a user in this post).

Can a variable be used to store an auth token or similar? If so, how do I match this to something in SmartSuite?

I’ve loved using WeWeb for many months, but am finding I’m only really able to build things with a single ‘backend’ (like Xano, for data and auth) or where data isn’t user specific and is gated. I’m yet to work out how to use one ‘backend’ for auth and another for data, and show user specific data securely.

Thanks in advance! 🤦

Hey Mat! This is a classic problem. The easiest solution is to use Xano (in this case) as your “backend of record” for your app. So your app authenticates with Xano, and then makes calls to Xano endpoints which are responsible for getting the SmartSuite data that goes with the user identified in that token. By wrapping this concern inside Xano, you prevent the security holes you describe of using fields that a user could change from the front-end.

Using Xano as a pass-through for other backends - especially project management - is something we’ve worked on successfully in State Change Pro both in our forums and daily office hours.

2 Likes

Thanks so much @raydeck! That’s super helpful and very interesting.

Disappointing though that everything would need to be run through Xano like this. Feels like it very much limits the potential of pulling in different data sources if we can’t use one tool for auth and another as a data source with WeWeb.

In this case the issue isn’t WeWeb or Xano - it’s SmartSuite. The SmartSuite API uses an application-level key that, if you put it into WeWeb, everyone who ever looks at your site will have access to. They expect you to put a gate in front of that, for which you could use Xano - or something else!

As we all get more into composing tools and services over APIs, we will find that different services have limitations, and we are often governed by the most-limited service. Often that’s the one that drives the most value! Doing this homework will let you design a system that gives you maximum returns for the user with more moderate work for yourself.

3 Likes

Ahh ok that makes sense - I had no idea! Thanks for clarifying.

I would have gone ahead and created an app using this key as it’s not mentioned anywhere. Perhaps they should have mentioned this on the SmartSuite/WeWeb YouTube intro too (Build a CRM with SmartSuite and WeWeb - YouTube), because it’s not clear at all, anywhere, that we’re expected to add an additional layer between SmartSuite and WeWeb.

Thanks Raydeck!

In fact, our SmartSuite plugin uses a small backend to hide the API key from the end user. So you’re able to use SmartSuite securely.

But SmartSuite doesn’t handle user authentication, so you’ll still need a Xano backend to do this!

As @raydeck has mentioned, this is one of SmartSuite’s limitations, not being a fully-fledged backend like Xano or Supabase. Nothing we can do about this on the WeWeb side 😕

1 Like

Thanks Quentin.

No I totally understand that the SmartSuite plugin can’t handle authentication, that’s understandable. I have Xano Auth set up for this. What I’m a little disappointed by is that I seemingly can’t use Xano Auth and SmartSuite together - to only show Xano users SmartSuite content that relates to them. Well, it sounds like I can, but only if I run the SmartSuite data through Xano first?

I just need a secure way to link Xano users with certain content from SmartSuite. I thought I could store the Xano User ID in some SmartSuite records (the main use case would be task records), and then using WeWeb fetch the SmartSuite records with a native filter, so it only gets task records where the User ID matches the User ID of the currently logged in user, but that seems perhaps insecure?

Happy to jump on a quick call if you could clarify this.

Thank you!

You still can do it. But for UX/UI purposes (show only the relevant data, with performant filters), not security purposes (a malicious user can still send whatever user id he wants instead of what you bound).

But in fact, it depends on your requirements and your business. The malicious user will still need to know another user id; if each user knows only his own ID and never receives the list or information about other users, it could be ok.

And it could be hard for a hacker to brute-force another user id because of the SmartSuite API rate limit.

1 Like

Isn’t this a common use-case for WeWeb? Using one plugin/source for auth, another for other data, and then showing relevant data to the respective user?

I mean, if I were using WeWeb Auth and Airtable it would be the same, no?

Surely there’s a way to do this securely.

No, the most common scenario is using Xano Auth with Xano, Supabase Auth with Supabase, or OpenID/token-based/Auth0 with a custom backend using a REST API.

WeWeb is a no-code tool focusing on the front-end part of your web app. We could build a system to secure your Airtable data, but it would require us to run a custom backend for it, and it’s not what we want for our platform. Ideally we want your front end to communicate directly with your chosen backend without relying on WeWeb infrastructure anymore once it’s deployed.

Sometimes we offer some light microservices allowing you to use an external service without having to build a fully-fledged backend, to easily secure the API key. For example OpenAI and Airtable.

The Airtable case is a little bit special because this integration was built when we were more specialised as a static website builder. So the idea behind the current implementation is that you can build static pages based on an Airtable collection set to static mode. Then you can secure the pages using any Auth plugin and role access.

As the data are static and already embedded inside the page, if you can’t access the page you can’t access the data; no API calls are made browser-side, so there is no variable you can change to get data you shouldn’t have access to, for example.

Today we could make another implementation to match what we have with Xano and Supabase, but it would mean having an Airtable Auth plugin and using your Airtable users as your web app users too (so buying an Airtable seat for every user of your app), and this is not how our users want to use Airtable, from my personal understanding.

Protecting your data is the backend’s job, because it is holding the data, not the frontend running in your browser. To fully protect your Airtable data using another Auth system, Airtable would have to implement a third-party auth system like Xano and Supabase did by allowing social login: you can sign in with Google, LinkedIn or Twitter and access your Supabase data. You would have to be able to log in to Xano and access your Airtable data; it’s a Xano<->Airtable thing, not a WeWeb thing.

But as @raydeck mentioned, what should be done in this case is using Xano as your main backend and building specific endpoints to retrieve your Airtable data according to the requester (the user connected via Xano Auth).

Note: SmartSuite is built the same way as Airtable because their limitations and usage are very similar.

2 Likes
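Added example, not code from any of the posters, WeWeb, Xano or SmartSuite: a minimal Python sketch of the gate @raydeck and Quentin describe, contrasting the native-filter approach the original question asks about with a backend endpoint that filters by the verified caller. The in-memory task store, the `xano_user_id` field and the HMAC-signed token format are assumptions standing in for SmartSuite records and Xano’s real auth token; the SmartSuite API key and the token secret are placeholders that live only on the server.

```python
import base64, hashlib, hmac, json

# Both secrets stay on the server; the browser never sees them (placeholder values).
SMARTSUITE_API_KEY = "SMARTSUITE_API_KEY_PLACEHOLDER"
TOKEN_SIGNING_SECRET = b"XANO_TOKEN_SECRET_PLACEHOLDER"

# Constructed stand-in for SmartSuite task records; "xano_user_id" is an assumed field
# holding the Xano user id that owns each task.
TASKS = [
    {"id": "t1", "title": "Onboarding", "xano_user_id": 7},
    {"id": "t2", "title": "Quarterly review", "xano_user_id": 7},
    {"id": "t3", "title": "Migration", "xano_user_id": 9},
]

def issue_token(user_id: int) -> str:
    """Stand-in for the auth backend: an HMAC-signed token carrying the user id."""
    payload = json.dumps({"sub": user_id}).encode()
    sig = hmac.new(TOKEN_SIGNING_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def verify_token(token: str) -> int:
    """Return the user id from a validly signed token; reject anything tampered or malformed."""
    payload_b64, _, sig_b64 = token.partition(".")
    try:
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        raise PermissionError("malformed token")
    expected = hmac.new(TOKEN_SIGNING_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise PermissionError("invalid token signature")
    return json.loads(payload)["sub"]

def fetch_tasks_from_smartsuite(api_key: str, owner_user_id: int) -> list:
    """Stand-in for the SmartSuite API call; the real one would send api_key in a header."""
    if api_key != SMARTSUITE_API_KEY:
        raise PermissionError("bad SmartSuite API key")
    return [t for t in TASKS if t["xano_user_id"] == owner_user_id]

def insecure_endpoint(requested_user_id: int) -> list:
    """The browser picks the filter value, so any caller can read any user's tasks."""
    return fetch_tasks_from_smartsuite(SMARTSUITE_API_KEY, requested_user_id)

def gated_endpoint(token: str) -> list:
    """The filter value comes only from the verified token; the caller cannot choose it."""
    return fetch_tasks_from_smartsuite(SMARTSUITE_API_KEY, verify_token(token))
```

`gated_endpoint` is the shape of the Xano endpoint the thread recommends: the front end sends only its auth token, and the user id used in the SmartSuite filter is never a request parameter.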