How do I fix the Temporary Password Vulnerability issue flagged by Flusk?
Updated over a month ago

Most actions that handle credentials are fully secured in Bubble, but this one can become a compromise vector depending on where it is used. For example, some admin dashboards (which an attacker can reach through a misconfigured redirect) have a button that assigns a temporary password to a chosen user.

Since everything that happens in the front-end can be seen, and triggered, by anyone who can load the page, the fix is to perform this action on the back-end side of your app. Let’s go through it step by step.

1 - Creating the API Workflow

We’ll go to the back-end section of the app, and create a new API Workflow that we will call “assign-temporary-password”.
It will take one parameter:

  • user-email of type ‘text’

Then we reproduce exactly what our initial workflow did (assigning the temporary password), using the user-email parameter to identify the user.


2 - Modifying our initial workflow

Now, let’s go back to our previous workflow, the one on the page where the issue was found. Delete all the actions inside it and make it do only one thing: trigger our freshly created API workflow, filling in the user-email parameter. Since that trigger can still be fired by anyone who reaches the page, the API workflow itself must decide whether the request is allowed: add an “Only when” condition on the back-end workflow that checks the current user is an admin, and leave “This workflow can be run without authentication” unchecked. That condition is evaluated on the server, where the user cannot tamper with it.


And… there we go! ✅
The security issue is now fixed and we’re all set 🔐

🔗 Here is the link to the demo app if you’d like to know how to implement it.

🔐 But that’s not the safest way to work with passwords

As mentioned in Bubble’s official documentation, the most secure way to work with passwords is to use the “Reset Password” action. Bubble’s documentation for the “Assign a temp password” action itself states:

Important: This workflow action is meant to be used in a situation where an admin is resetting the password for a user - the admin can see the new password.

We do not recommend building this into an end-user-facing flow on a page because it is not a secure way to work with passwords.

If you can use the “Reset Password” action instead, that is the best option. If your specific use case really requires “Assign a temporary password”, you now know how to run it securely: from a back-end workflow, behind a server-side admin check.
