Hey everyone, I just wrote an article that describes how to securely manage ownership relations in Softr. It’s a common issue that Softr users could face and I wanted to share my solution with the community.
The article goes in-depth on the method of using user masks and pivot tables to prevent potential security breaches.
If you’re interested in learning more, check out the article here Securely managing ownership relations in Softr.io | by Edouard Demotes | TRACTR | Feb, 2023 | Medium
Let me know what you think in the comments!
Interesting reading!
I have had the challenge to secure form submissions to avoid impersonation. And I always fear that relying on the current session users email, could be easily altered by inspecting the form’s hidden fields and enter whatever email we want to validate as ‘sender’.
I couldn’t find an expressway to prevent this situation. The main problem being that the current users session is sent to airtable via form submission and it can be easily edited upon submission.
I think that I will try to add a 4 digit ‘PIN’ field for sensitive form submission, that validates/void the new entry on airtable via, automation.
Thinking that the table you are naming ‘mask’ I will use it to store and validate users PIN.
Hi Jonathan,
Thank you for your feedback. The idea of using a “PIN” for sensitive form submissions is very interesting and worth exploring. I would be interested to hear how it works out for you.
Edouard
Yes, it would be very simple.
You would need to add a new table in airtable, lets call it ‘pin’.
That table will have two main fields ‘linked record’ and ‘pin number’
The pin number is a formula field to randomly generate 4 digits
Upon users sign up, then automation will add the record to the pin table and then pin number will assigned to the recent number. (or it might be done without automation)
This pin number will show on the ‘users’ table via ‘look up field’
Then the user will find his ‘secret pin’ when he/she visits softr native profile URL, Previously in softr studio you would need to add this pin field to the profile summary.
Next on airtable you have to make a basic logic to validate that the entered pin number corresponds to the user submitting the form.
@Edouard Seems kinda related to this: Security Issue: User Impersonation
Did you inspect the window.records
object in JavaScript to ensure that the relationship between users and masks is not available in there? Also the logged_in_user
object.
@dcoletta It is available in the window.records
object, but this is not an issue because a user can only see its own mask id ?
@Edouard thanks for the tutorial. Almost all new blocks now expose the fields that are used in the block (there are still 2-3 blocks to be updated in the next days) additionally we are rolling out form form tampering solution end of this week.
@Edouard @dcoletta @acjnas @rhinonix we have rolled out the changes.
@Edouard would like to hear your thoughts in case you have a time to re-run your experiment
@artur Great. I will test this this weekend.
Hi everybody, thanks for such an active community!
@artur, in case it’s connected to your fix, some hidden field functionality broke this morning. Details in this post
@EugeneG I reverted this particular change to fix the hidden field use case… It’s indeed connected…
The fix is working.
Although the front-end still sends the user’s recordId, the back-end overrides it with the correct value. I tested the API using cURL and attempted to modify or remove the user’s recordId, but the correct value was successfully inserted into Airtable.
Thank you for the great work.