Embedding desktop web app in iframe: no more access restriction

Dear all,

I have a desktop web app, with a few pages requiring users to log in. I need to embed one of the free-access pages in an iframe located on a website. No problem, it works very well.

BUT, I also tried to put the URL of one of the restricted pages in an iframe. And it also worked, without any login required… For me, it's a security breach. Any user could copy and paste a URL, and embed it in an iframe later for (unauthorized) access without any login.

Let's imagine a business or company app. One of the admins is fired. The day after, he will still be able to damage the app data. It can be dramatic; it's a security breach, don't you think?

I think Adalo should identify login-protected pages, and in case a protected URL (page) is accessed from the outside or without any logged-in user, it should deny the access and send the iframe contents back to the welcome page. So, manage a restricted zone.

@Ben, @david, @jeremy: did I miss something doing that? Is there any protective mechanism that could (quite urgently) be put in place to avoid such a dangerous situation?

Many thanks for your feedback!

1 Like

Hey @ChristopheHK, a couple of things here. First, as you pointed out, there are cases when the login status isn't currently being checked; we're working to resolve this. Also, though, if your iframe is publicly accessible on the internet, then it will not be secure regardless of whether we restrict access. When you load an app on Adalo, you receive all the URLs of external links (if they don't include magic text), and so any malicious user could go there manually.

1 Like

Hum, ok, thanks @jeremy

In any case, this should not happen. But anyway, if the login status can be checked, it will be good, I guess.

@ChristopheHK I've used a workaround for some of my restricted pages. I don't know if this will work for iframes, but you could test it out.

I've grouped all the items in a page into a 'master group' on every page, and added a visibility clause on it: the master group will only show if 'username' is not empty. My use case was that someone could save the URL of an important page, log out, and still access the URL with all the info in there. A bit cumbersome, but it works for my case at least. I'm using an external database for my data here, and Adalo's user data for login.

2 Likes

Very good idea and excellent workaround @AddyEdwin! I am sure that will work for embedded pages in iframes too, as the issue is similar. Thanks!

Thanks to your post @AddyEdwin, I also thought of another workaround that "should" work: for any screen restricted to logged-in users, set a screen action → link to the welcome page, sometimes, when the logged-in user's email is empty. This way I think we should have an automatic redirection to the welcome page.

To be tested!

2 Likes

It works! → https://testsmapp.carrd.co

The iframe-embedded screen is displayed for a few milliseconds, then the iframe content is redirected to the welcome screen.

@jeremy: this could probably be a default rule managed by the Adalo system: if screen access is restricted and the logged-in user is empty, go back to the welcome page (or sign up / sign in page), don't you think?

2 Likes

In fact, combining the 2 workarounds is great: don't display anything if the "visitor" (or hacker :yum:) is not logged in, and redirect ASAP to the (unrestricted) welcome page.

1 Like
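Both workarounds above act in the browser: the master group is hidden and the screen redirects when no user is logged in. jeremy's earlier point still applies, since a page that is reachable by URL is served to whoever requests it. The following is an added example in JavaScript, not Adalo's code and not anything posted in this thread, that simulates a page server with a constructed session table, constructed page data and constructed request objects, to show the difference between a client-side visibility gate and a server-side authorization check:

```javascript
// Added example, not Adalo's code: a minimal simulation of two ways a restricted
// page can be "protected", showing why a client-side visibility rule or redirect
// does not keep the data from an unauthenticated caller, while a server-side
// check does. Session table, page data, requests and origins are all constructed.

const SESSIONS = new Map([
  ['sess-admin-1', { username: 'admin@example.com' }], // constructed valid session
]);

const RESTRICTED_PAGE_DATA = {                          // constructed page data
  title: 'Admin: customer orders',
  rows: [
    { id: 101, customer: 'Alice', total: 42.5 },
    { id: 102, customer: 'Bob', total: 17.0 },
  ],
};

// Look the caller up by session cookie; null means "not logged in".
function resolveUser(req) {
  const sessionId = (req.cookies || {}).session;
  return sessionId && SESSIONS.has(sessionId) ? SESSIONS.get(sessionId) : null;
}

function renderTable() {
  const rows = RESTRICTED_PAGE_DATA.rows
    .map(r => `<tr><td>${r.id}</td><td>${r.customer}</td><td>${r.total}</td></tr>`)
    .join('');
  return `<h1>${RESTRICTED_PAGE_DATA.title}</h1><table>${rows}</table>`;
}

// Pattern 1 (client-side gate): the equivalent of a "master group" that is only
// visible when the username is not empty, plus a screen action that redirects to
// the welcome page when it is. The server still sends the full page; the browser
// merely hides it and then navigates away.
function renderWithClientSideGate(req) {
  const loggedIn = resolveUser(req) !== null;
  const body =
    `<div id="master-group"${loggedIn ? '' : ' hidden'}>${renderTable()}</div>` +
    (loggedIn ? '' : '<script>location.replace("/welcome")</script>');
  return { status: 200, headers: { 'content-type': 'text/html' }, body };
}

// Pattern 2 (server-side gate): the authorization decision is made before any
// page data is produced. An unauthenticated request gets a redirect and an empty
// body. The frame-ancestors directive only controls which sites may embed the
// page; it restricts embedding and is not a substitute for the login check.
function renderWithServerSideGate(req) {
  const user = resolveUser(req);
  if (user === null) {
    return { status: 302, headers: { location: '/welcome' }, body: '' };
  }
  return {
    status: 200,
    headers: {
      'content-type': 'text/html',
      // constructed embedding origin: list the sites allowed to frame this page
      'content-security-policy': "frame-ancestors 'self' https://embedding-site.example",
    },
    body: `<div id="master-group">${renderTable()}</div>`,
  };
}

// What a logged-out visitor with a saved URL actually does: fetch the raw response
// (curl, a proxy, "view source") and read it. A hidden attribute or a redirect
// script only affects a browser that renders the page; it leaves the data in place.
function extractCustomers(response) {
  return [...response.body.matchAll(/<td>\d+<\/td><td>([^<]+)<\/td>/g)].map(m => m[1]);
}

// Run both patterns for an anonymous request and for a logged-in admin.
function compareGates() {
  const anonymous = { cookies: {} };                          // constructed request
  const admin = { cookies: { session: 'sess-admin-1' } };     // constructed request
  return {
    clientGateAnonymousLeak: extractCustomers(renderWithClientSideGate(anonymous)),
    serverGateAnonymousLeak: extractCustomers(renderWithServerSideGate(anonymous)),
    serverGateAnonymousStatus: renderWithServerSideGate(anonymous).status,
    serverGateAdmin: extractCustomers(renderWithServerSideGate(admin)),
  };
}

console.log(JSON.stringify(compareGates(), null, 2));
```

Running it shows the client-gated response for an anonymous request still carries both customer names, while the server-gated one answers 302 with an empty body and only returns the rows for the valid session. The frame-ancestors header is a separate control over who may embed the page; it does not replace the session check that decides whether the data is sent at all.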

The redirect is an awesome idea @ChristopheHK! Will implement in my app too!

1 Like

:raised_hands:t2:

It's Adalo which is an awesome tool that lets us manage so many things with flexibility! I love Adalo!

BTW I have corrected the URL of the test site; it ends with carrd.co of course, not carrd.io! :stuck_out_tongue_winking_eye:

1 Like

Saw your app (up to the sign-in screen haha), and the design looks really cool; it gave me some ideas for my project too! Adalo is indeed awesome, it's already so feature-rich and customizable!

1 Like

This app is nothing but the “order” template, I just changed the logo and colours :smile:

But yes, it’s a good and nice start!