Discussions

Expand all | Collapse all

Hide apptoken on formula rich text button using ?a=API_EditRecord

  • 1.  Hide apptoken on formula rich text button using ?a=API_EditRecord

    Posted 08-31-2018 10:57
    Hi,
    When using an app token and a button (e.g. ?a=API_EditRecord), how do you stop the app token displaying when someone views the source code on chrome?
    Thanks


  • 2.  RE: Hide apptoken on formula rich text button using ?a=API_EditRecord

    Posted 08-31-2018 11:03
    Theres no reason to worry about anyone seeing it, the app token only allows a user to view/edit what they have permission too :)
    But if you truely worry avoid an API call for no reason, take Dan Diebolt's example linked belo for using FormData

    https://haversineconsulting.quickbase.com/db/bgcwm2m4g?a=dr&rid=594&_ga=2.46583205.30083185.1535698739-556233741.1535475745




  • 3.  RE: Hide apptoken on formula rich text button using ?a=API_EditRecord

    Top
    Contributor
    Posted 08-31-2018 11:23
    I might add that you can't hide anything from a user who examines the source code. All HTML, CSS and JavaScript is visible. You can make it more difficult for a casual user to see portions of the source code but the best you can do is obfuscate things.


  • 4.  RE: Hide apptoken on formula rich text button using ?a=API_EditRecord

    Posted 08-31-2018 11:32
    My advice in what Dans just pointed out is the only way to avoid a user seeing what you dont want them to see is to use a proxy. below is a link to a simple Node.js server you can setup to route/proxy the api calls. You can put your apptoken on the proxy server and whitelist only your realm on quickbase. you can also stop the webfacing site so when someone goes to the url they see nothing. :D

    https://github.com/Rob--W/cors-anywhere



  • 5.  RE: Hide apptoken on formula rich text button using ?a=API_EditRecord

    Posted 09-01-2018 00:08
    Thanks for the advice.