Can somebody elaborate on the meaning of the quotes below?
If the code is actually run on the device, well, it doesn’t get sent to the place where the code is hosted - isn’t that correct?
Of course you should be aware of what is in the code so the code doesn’t copy your data to a malicious site - but if you are in control of the code then this shouldn’t be a problem, I expect.
Make Sure You Trust The Author: If you’re using code written or hosted by someone else – make sure you trust the author. Experimental Code columns can access any data you pass to them so it’s important you are confident with where it’s going.
(in reality, the code runs on your device, but it’s useful to think of it this way)
So can you pass a secret key to e.g. Cloudinary’s exposed API in order to get hold of some data from your account there - without passing the secret key to the place where the code is hosted?
Or will the secret key be accessible on the device that runs the app - e.g. by inspecting the code?
The author of the Experimental Code column could, if they wanted to, add some code to send all information you send to it to some server they control, and do whatever they want with it, no matter where the code runs.
Suppose I make an Experimental Code column called “Validate Credit Card Number” and I share it here. While validating, that code column could make purchases with the credit card. It does not matter that the code is running on the device.
The best thing to do is copy any code columns that you want to use, so they are under your exclusive control. Then you can see for yourself exactly what the code does, and nobody can change it but you.
If this feature is popular, we will create some process to help you figure out which code columns are trusted by Glide, and which are not.
That’s right, Glide does not send data to where the code column is hosted. In theory, this should even allow code columns to work offline (I haven’t tested that). But, the code could then do whatever it wants.
@david is there any way we can use an external API which uses API keys/passwords and not disclose the keys/passwords to the users (who might be inspecting the code)? The API info is to be used by everybody of the app.
In my tests, I prefer to create my code using Mark’s Yes-Code while it’s possible (it’s multi-use and reusable) instead of creating new code for each purpose/need.
If the API key is sent as a parameter (part of the code sent as a string), isn’t it safer than writing and showing the API key in Function.js?
@mark ok. So no secure way to pass on an API key by use of an experimental column. It would be so fantastic to be able to connect to an external API where you need to provide an API key/secret. It would open up a lot of new possibilities. Hope you are considering how to do that.
@mark but Glide can (in the future) create an api column that is secure? Isn’t that correct?
Or we can at the moment use a webhook to e.g. Integromat which does the retrieval of data from the 3rd party API - and then Integromat could send the data back to Glide (through Google Sheets at the moment). If Glide could retrieve data directly in Glide tables then we would have a fast and secure solution as well.
I think the problem is solved!.. until some of Glide’s top experts will hack my SAMPLE … LOL
PM me the API key if you can find it… and I will start working on a new solution.
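
The relay approach raised in the thread (a webhook service calls the third-party API and passes back only the data), shown as an added example that is not part of the original thread and is not Glide's or Integromat's code. The function names, the resource allowlist, the key value and the stand-in upstream API are all constructed assumptions.

```javascript
// Added example: a relay that keeps a third-party API secret off the device.
// relay, ALLOWED_RESOURCES, fakeUpstream and the key value are constructed.

const ALLOWED_RESOURCES = new Set(["images", "usage"]);

// secrets:  held only in the relay's environment, never shipped to the app.
// upstream: injected function standing in for the HTTPS call to the API.
function relay(clientRequest, secrets, upstream) {
  // The app may only name a resource; it cannot choose the URL or headers.
  if (!ALLOWED_RESOURCES.has(clientRequest.resource)) {
    return { status: 400, body: { error: "resource not allowed" } };
  }
  // Headers are built here; anything else in clientRequest is ignored.
  const upstreamResponse = upstream({
    path: "/v1/" + clientRequest.resource,
    headers: { Authorization: "Bearer " + secrets.apiKey },
  });
  if (upstreamResponse.status !== 200) {
    // Do not forward upstream error bodies: they can echo request headers.
    return { status: 502, body: { error: "upstream failed" } };
  }
  // Return only the fields the app needs, not the raw upstream record.
  const items = upstreamResponse.body.items.map((i) => ({ id: i.id, url: i.url }));
  return { status: 200, body: { items } };
}

// Constructed stand-in for the third-party API.
function fakeUpstream(req) {
  if (req.headers.Authorization !== "Bearer constructed-secret-123") {
    return { status: 401, body: { error: "bad key", sent: req.headers } };
  }
  const record = { id: 1, url: "https://example.invalid/a.png", owner_key: "constructed-secret-123" };
  return { status: 200, body: { items: [record] } };
}

const SECRETS = { apiKey: "constructed-secret-123" };
const ok = relay({ resource: "images" }, SECRETS, fakeUpstream);
const denied = relay({ resource: "admin" }, SECRETS, fakeUpstream);
console.log(JSON.stringify(ok), JSON.stringify(denied));
```

The relay URL itself is still visible to anyone who inspects the app, so the allowlist and the response filtering decide what a user can do through it.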