Create a public app with auth

Hi!
I’d like to create a public app (going to be used by about 500 people) which also forces people to authenticate (with Google for example). I’d like to make sure that users are who they say they are.
Then I’d like to be able to run queries against a database resource using a validated identifier.

So for example, if a user auths as person@gmail.com, I could use the current_user.email and look up a table of permissions for person@gmail.com and only run with the appropriate permissions. And I don’t want to invite 500 users into our Retool account.

Is this doable? And is it secure (or could the person just edit their current_user.email value in the console to get permissions they shouldn’t be able to)?

Thanks!

3 Likes

I see nobody responded to you so far, so here goes nothing.

Based on my preliminary research, what you’re trying to do is not currently possible in Retool. Basically the SSO is tied to Retool users. This means that if you’re on the “Pro” package, it will cost you $50/user/month which for 500 people is $25,000/month. This obviously makes no sense.

I have a similar situation with about 300 hourly employees. I didn’t want to buy 300 accounts in Retool, because it would be cheaper to hire software engineers to just build my apps in ReactJS… (which kinda defeats the purpose of Retool). So I thought about it some more and decided perhaps the right approach is to ask for some “light” authentication. You make a query to a table with users and PIN codes, and they are asked to “sign in” as the first step in the flow. If the PIN matches, they will be shown the tool you built.

In my case, I believe this would work just fine. It’s a factory, and there’s some degree of trust or else people wouldn’t be hired at all… It would also allow me to economize on Retool licenses.

1 Like

Hi hanrelan and aric,

For the Pro plan, we support the public apps feature so that anyone with the URL can view the apps. This public URL does not support user-based authentication so users would need to have their own individual Retool accounts to securely access apps through the user mode link.

Please note that using third-party authentication to circumvent the authentication system on public apps also violates our terms of service related to fee structure.

Our sales team is happy to work with you to find a solution that fits your needs. Please let us know if you would like to be connected to them!

1 Like

I don't think an employee ID + 4-digit PIN qualify as "authentication"; it's more about identifying the person submitting the data, and that person certainly does not need to access Retool itself. If all you're doing is collecting data from people and all you're trying to do is identify them, why would you purchase a Retool license for them? Especially if you have hundreds or even thousands of people? That makes no sense to me.