Sravan G (12mo ago)

buildship security features

Can someone provide an article or post about how BuildShip handles security, and how can I deploy this entire flow in AWS? Can we scale each flow independently? How about load balancing, private APIs, API gateways, etc.? Is there any end-to-end application developed with a frontend, backend and DB?
14 Replies
vaibhav (12mo ago)
As of now, we don't allow exporting so you can't deploy to AWS. BuildShip scales infinitely. We deploy your code to Google Cloud. We develop our own APIs using BuildShip.
Sravan G (OP, 12mo ago)
OK, it sounds good that you deploy it in Google Cloud, but can you provide some articles on how to enable CORS or whitelisting, or make it a private API, and on building an end-to-end solution?
vaibhav (12mo ago)
You can write JS inside script nodes, so there are a lot of possibilities. For making private APIs, my recommendation would be to check for a token in the Authorization header.
protoys (12mo ago)
If you guys refer to a private API, you mean a BuildShip endpoint that can only be accessed with a key? If so, I am a bit concerned right now that I have to build custom code just to prevent other people from raising my BuildShip bill. I hope I got this wrong (I am still a noob), and if so: is there a tutorial that shows me where to generate the key?
vaibhav (12mo ago)
Yes, that's what I mean by private API. If your workflow is light, you can keep your API public; it won't make much of a difference. We don't have a tutorial for this. You can ask AI to generate something.
protoys (12mo ago)
Excuse me, but it defeats the purpose of a low-code platform if very basic and security-relevant features need to be implemented by everyone individually, and it really doesn't matter if YOU judge whether it makes a difference or not. In fact, the whole world right now would be able to access my endpoints and drive my BuildShip costs and the costs of the services I call within my workflow. This is an absolute dealbreaker for me.
vaibhav (12mo ago)
BuildShip has Firebase nodes that you can use to create your own authentication layer. The type of authentication layer depends on how your API will be used. We will soon have support for more use cases. Does this provide you with confidence?
protoys (12mo ago)
I guess I will be able to judge that in the future 😉 If I understand you correctly, I can implement an authentication layer right after the input node to keep unwanted execution time at an absolute minimum level. Sounds like a feasible way to mitigate the risk for knowledgeable people.
vaibhav (12mo ago)
Yes. Also, since everything is on Google Cloud, you have their protection too. They can detect and block if a lot of requests are coming from the same system. More info: https://cloud.google.com/run/docs/securing/security#requests-service
protoys (12mo ago)
As I cannot guarantee security for my workflows as of now: how do I unpublish workflows? (can't find anything about this in the documentation)
Gaurav Chadha (12mo ago)
Hi @protoys, we'll add unpublish functionality soon. For now, to ensure the security of your workflow and that it can only be accessed and triggered by the genuine user, you can introduce a Firebase Authentication user check node right at the beginning of your workflow to ensure data safety in transit and allow only a specific authenticated user to trigger that API from your app and access data. This way you can secure the trigger API call, which will provide data safety in transit. We will add some docs/video on this soon.
protoys (12mo ago)
I am sorry, but my project is running on Supabase. If there is a way for me to achieve security without me hosting a Firebase, I am in. That's why I wanted to unpublish for now. Honestly, I am kinda lost and frustrated here. Not only because of this. I had to do my first BuildShip membership upgrade so I could thoroughly hunt the bugs that BuildShip kept building into my workflows, also because the feature for testing whole workflows is not available -- however, this feature was positioned as being live and usable according to your documentation last time I looked. So, I guess, there is no way for me to get it secure currently. My current solution is that I removed anything that could drive costs inside my workflow by removing the credentials to other services. Feel free to update here once there is a solution.
Gaurav Chadha (12mo ago)
Sure, we'll update you. Also, a good video to watch since you are running Supabase: https://www.youtube.com/watch?v=uhc8732Dpq4
The Digital Pro's NoCode Academy
YouTube
#BuildShip + #FlutterFlow - Create a secure #Supabase Workflow!
#BuildShip is a lowcode visual backend builder that lets you ship APIs, scheduled jobs, backend cloud functions instantly. Powered by AI, create your own workflow nodes, connect to any tool, database and create scalable backend for your apps. In this video I walk you through creating a workflow which is based on a scenario presented within a #F...
Martin (12mo ago)
nch