API Security on User Sources / Login Form / Application Builder

Hello there …

Somewhere in the documentation and/or on the board here, or in a video tutorial, I have learned about a current technical limitation that exposes protected login forms (based on user sources / local Baserow integration) directly via API, so that data (views) that would be protected behind the authentication login is actually readable by anyone.

I apologize for not being able to link the references, I have searched intensively but can no longer find them :slight_smile:

My question: Is the above statement still technically true and, if so, what is the roadmap to tackle that? For our NPO, that is currently a major limitation that would render Baserow only half as useful as it would otherwise be, unfortunately.

For a little background: We are planning to have paid Baserow Accounts for the developers only (likely the Advanced plan) and have all members of our NPO (~200 users) authenticate against our own members database. This possibility is a big USP of Baserow for us, since we could not afford any product that forces us to pay a fee on a per-user basis.

A rough estimate of your plans here would help enormously, since we can then plan our migration to Baserow accordingly, e.g. by moving the non-sensitive projects first.

Thanks for a clarification on this topic!
Stephan

Hey @star26bsd, in Baserow 1.29 we’re going to release the backend security for the Application Builder. You can read more about the feature here: Implement backend security for application builder (#2063) · Issues · Baserow / baserow · GitLab

Is this what you’re looking for?


Hi Olga

First of all, thanks for the quick reply. I really appreciate the responsiveness of all the Baserow people I have been able to talk to so far.

The answer is probably yes and no :slight_smile:. I have read the ticket multiple times now and it seems as if this is what we need. However, I am uncertain what is really meant by ‘end users’ (paid Baserow accounts or not?) and secondly, the ticket doesn’t mention API security explicitly, though “Dispatch Data” is mentioned (Step 2, Point 3), which could likely be the part responsible for making data available also via API.

I understand that 1.29 is planned for Nov 13th, so I am happy to wait and test myself then. I currently refrain from reading the code, though I am happy that I could.

Kind regards
Stephan

I finally found the documentation I wasn’t able to reference before:

So I hope #2063 will improve on that.

Thanks
Stephan

Hey @star26bsd, yes, this issue is to resolve the security gap you’re referring to. :slightly_smiling_face:

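The gap discussed in this thread is easy to verify empirically once 1.29 is deployed: fetch the data endpoint behind the login form once without credentials and once with a valid token, and compare the two responses. The script below is an added example, not Baserow code or anything from issue #2063. It ships with a constructed mock server so it runs offline; the endpoint paths (`/api/leaky/`, `/api/protected/`), the bearer-token header and the sample rows are assumptions. Against a real deployment you would pass the URL of the data source or dispatch endpoint that the builder calls, together with a token from a logged-in end user.

```python
"""Probe whether an API endpoint that should require login is readable anonymously.

Added example for this thread, not part of Baserow. Endpoint paths, the
Authorization header format and the sample rows below are assumptions.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def fetch(url, token=None, timeout=5):
    """GET `url`, optionally with a bearer token. Returns (status, body bytes)."""
    req = urllib.request.Request(url)
    if token:
        req.add_header("Authorization", f"Bearer {token}")  # assumed header format
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def check_exposure(url, token):
    """Compare anonymous and authenticated access to `url`.

    'exposed' is True when the endpoint hands out a 200 without any
    credentials, i.e. the login form in front of it protects nothing.
    'identical_payload' additionally tells you whether the anonymous body
    is byte-for-byte what the logged-in user gets.
    """
    anon_status, anon_body = fetch(url)
    auth_status, auth_body = fetch(url, token)
    return {
        "anonymous_status": anon_status,
        "authenticated_status": auth_status,
        "exposed": anon_status == 200,
        "identical_payload": anon_body == auth_body,
    }


class _MockHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a builder backend: one leaky and one protected path."""

    ROWS = [{"id": 1, "member": "alice"}, {"id": 2, "member": "bob"}]  # constructed data
    TOKEN = "secret-token"  # constructed end-user token

    def do_GET(self):
        authed = self.headers.get("Authorization") == f"Bearer {self.TOKEN}"
        if self.path == "/api/leaky/" or (self.path == "/api/protected/" and authed):
            status, payload = 200, {"results": self.ROWS}
        else:
            status, payload = 401, {"detail": "Authentication credentials were not provided."}
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the mock quiet
        pass


def start_mock_server():
    """Start the mock on an ephemeral loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), _MockHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    server, base = start_mock_server()
    for path in ("/api/leaky/", "/api/protected/"):
        print(path, check_exposure(base + path, _MockHandler.TOKEN))
    server.shutdown()
```

Run it against the mock to see the two verdicts, then replace `base + path` with the real data-source URL of your own instance and a token obtained by logging in through the form. A result of `"exposed": True` means the pre-1.29 behaviour described at the top of the thread is still present on that endpoint; an anonymous 401 or 403 with an authenticated 200 is what the backend security in #2063 is meant to produce.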