Can i block rest api query retool response?

finn · February 9, 2023, 8:10am

I am using rest api query where the user is logging in via our authentication server.

If you intercept and check the retool response after request, the id and password are exposed to metadata.

like this

{
    "__retoolWrappedQuery__": true,
    "queryData": {
        "data": {
            "result": {
                -- our auth token data --
            },
            "session": {
                -- our auth session data --
            }
        },
        "metadata": {
            "request": {
                "url": -- our auth request url --,
                "method": "POST",
                "body": "{\"email\":\"-- here --\",\"password\":\"--- here---\"}",
                "headers": {
                    "Content-Type": "application/json",
                    "User-Agent": "Retool/2.0 (+https://docs.tryretool.com/docs/apis)",
                    "X-Retool-Forwarded-For": "183.100.246.91",
                    "x-datadog-trace-id": "8051596538550527141",
                    "x-datadog-parent-id": "5819506979922769498",
                    "x-datadog-sampling-priority": "0",
                    "ot-baggage-requestId": "undefined"
                }
            },
            "headers": {
                -- skip --
            },
            "status": 200,
            "statusText": "OK"
        }
    },
    "queryExecutionMetadata": {
        "estimatedResponseSizeBytes": 8062,
        "resourceTimeTakenMs": 284,
        "isPreview": false,
        "resourceType": "restapi",
        "lastReceivedFromResourceAt": 1675928651795
    }
}

There is a security issue and I do not want to receive a response from retool. Is there any way to block the response?

Kabirdas · February 14, 2023, 1:41am

Hey @finn!

Unfortunately, it isn't possible to hide the body of your request from the Retool response at the moment. Does your auth endpoint support any type of encryption?

You might also want to explore using one of Retool's built-in authentication methods to protect the data being sent. Curious to know more about how the login flow would interact with the rest of your apps and if you run into any particular issues with the auth methods linked in the docs.