Making a database field "secret" or "password" like?

hello!

Is there a way to make a custom password or secret text type field in Adalo?

Context: I see that Adalo offers a ready to use login workflow that includes username, email and password fields. My use case is that I want to have users enter their username and password to an external service that I will use to authenticate and then pull data from the public API of this external service, on behalf of the user.

Thanks,
Anil

You can set the type of the text field to “password”. To send the password to your external service the custom action (and the external service) need it in normal text format so within the custom action you need to use the normal text entry mode where you can get the text out of the password text field

Thanks @mazze - does text entered in password fields get encrypted and saved in the Adalo DB?

No, only the automatically created password field in the user table is HASHed (not encrypted). There is no way using standard Adalo to make a secret field.

Depending on the use case, you might be talking about an OAuth flow, which is unsupported, but can be made using Xano or Integromat.

If you wanted to not use oauth but still have some extra protection there are 2 things you can do.

  1. Make this entirely client side. I assume that your API returns a token that you will use for API calls. Then what I would do is make a blank screen, not linked anywhere, and add a text input called “AuthToken” on it, then I would make a custom action to get the token using username and password, not saved in the database. Then on your external collection or whatever that you are using to get data using the client token you can set it up so the authorization uses magic text that comes from the “AuthToken” field on the blank screen.
  2. Use the Encryption Toolkit by PragmaFlow to save the data in the database encrypted using a Diffie-Hellman protocol for key exchange between the 3rd party backend server and the clients encrypted (not hashed) password stored in the Adalo database. This would look something like this in the database: Encrypting your data before storing it in the Adalo database - YouTube

I am sure there are other implementation solutions if more details were provided.

BUT, to answer your question there is no way to implement a secret in Adalo database without 3rd party tools, and the Encryption Toolkit I build is the only one I know of to exist.

Super helpful @TKOTC - and yes, this API’s auth is a little old school. You pass a username + pass and it returns a session_id and UUID that are then used in subsequent calls. There is no financial or PII data as such so I think I should be OK. Appreciate the super detailed reply for future reference though :slight_smile:

Option 1 would be the best method then. A custom action to get the session_id and UUID, then store them in some input fields that are on a screen not linked anywhere. Adalo persists all input field data in local storage so they will exist between application close and reopen.

There is one caution I will give, something to be aware of. Adalo external calls do not return status codes. If it is not a 200 response you will not know. So if your session_id has an expiration it might stop working without anyone knowing until reauthorized. A solution that might be interesting is to also save a timestamp when the session token was created. If the token is, let’s say, 7 days old maybe force the user to refresh the token even if it is not expired to try to prevent 401 errors that are hidden.

Excellent point about refreshing the session_id. Will look into doing that.

Also the input fields idea is interesting, Is this essentially the equivalent of storing something in memory (vs writing to disk)? And does the input have to be on some screen or can they be input fields in the current screen but not visible? If the former, then does Adalo maintain context of all variables of all screens when the app loads (regardless of which screen the user is on or has hit in the current session)?
I’m asking the latter because I’m trying to figure out if I can use it as a solution to How to loop "n" times request API value and sum the value?