Hide apptoken on formula rich text button using ?a=API_EditRecord

  • 1
  • 2
  • Question
  • Updated 3 months ago
  • In Progress
Hi,
When using an app token and a button (e.g. ?a=API_EditRecord), how do you stop the app token displaying when someone views the source code on chrome?
Thanks
Photo of Gary Boyd

Gary Boyd

  • 820 Points 500 badge 2x thumb

Posted 3 months ago

  • 1
  • 2
Photo of Joshua Tate

Joshua Tate

  • 1,016 Points 1k badge 2x thumb
Theres no reason to worry about anyone seeing it, the app token only allows a user to view/edit what they have permission too :)
But if you truely worry avoid an API call for no reason, take Dan Diebolt's example linked belo for using FormData

https://haversineconsulting.quickbase.com/db/bgcwm2m4g?a=dr&rid=594&_ga=2.46583205.30083185.1535698739-556233741.1535475745


Photo of Ⲇanom the ultimate (Dan Diebolt)

Ⲇanom the ultimate (Dan Diebolt), Champion

  • 27,694 Points 20k badge 2x thumb
I might add that you can't hide anything from a user who examines the source code. All HTML, CSS and JavaScript is visible. You can make it more difficult for a casual user to see portions of the source code but the best you can do is obfuscate things.
Photo of Joshua Tate

Joshua Tate

  • 1,016 Points 1k badge 2x thumb
My advice in what Dans just pointed out is the only way to avoid a user seeing what you dont want them to see is to use a proxy. below is a link to a simple Node.js server you can setup to route/proxy the api calls. You can put your apptoken on the proxy server and whitelist only your realm on quickbase. you can also stop the webfacing site so when someone goes to the url they see nothing. :D

https://github.com/Rob--W/cors-anywhere

Photo of Gary Boyd

Gary Boyd

  • 820 Points 500 badge 2x thumb
Thanks for the advice.