Field validations

Yes. It is very easy to hack the front end. It is not on the backend.

I am not sure what you mean here, but it is definitely not just for the purposes of typo checking.

Not necessarily. You may have a field that needs to be checked, isUserValidated, that could easily be checked that way.

Lambdas solve all these problems, but are a pain and way slower than, say, boolean checks.

Not really out of scope at all. I don’t want a user to be able to add 100,000 points, instead of 10 points, just by a simple javascript hack. Again, I imagine there are way faster ways than lambdas to secure this.

Agreed. However, there are great security practices, and there are poor security practices.

Data validation is not just about data consistency. I do not want my app to get hacked. If people pay for features, they should not be able to hack them. This is just one example. I would also argue that data consistency could be a security risk in and of itself.

https://betterprogramming.pub/back-end-data-validations-73ea9004c6d7

@MichelDiz I think this is something that is a necessity for any commercial products, but not in all cases. There is an argument about this:

https://stackoverflow.com/questions/17039934/is-it-practical-to-have-back-end-database-side-validation-for-everything

I definitely don’t think you need to validate everything on the back end, but it is a must for certain things. Again, I have direct experience with this.

Sure, lambdas can handle this, but why not make it easier and faster. Lambdas are a pain. Simple boolean checks would be wonderful. Here is an example of a Firestore rule:

let isValidLength = username.size() >= 3 && username.size() <= 15;

All I would have to do is use Chrome dev tools to hack a form. If my page is based on a username, I could permanently have my site indexed with a username like so:

https://mysite.com/someusernamethatiswaytoolongandthatshouldnotworkatallandkeepsgoingandgoign/post/id

I do not want this to even be an option.

I am pro this post: http://discuss.dgraph.io/t/moving-graphql-authorization-to-admin-api/13304

Fauna DB (as new as Slash DGraph) currently does not have a solution to this either, and uses something similar to a pre-hook: https://forums.fauna.com/t/data-validation-in-fql-with-abac/329/2

I think a pre-hook may be an option I could be okay with. The problem with lambdas is that I have to basically disable my mutation and create a new one. This is the majority of the painstaking process.

#add-prehook

It would be interesting to hear from other people on this.

Thanks,
J

3 Likes
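The post above argues that the username-length rule and the points amount must be enforced on the server, because the form is trivially edited in dev tools. Below is an added example of what that server-side check looks like, written as a plain JavaScript handler in the style of a lambda or pre-hook; it is not code from the post, from Dgraph, or from Firestore. The regex for the allowed username charset, the award table (`daily_login` = 10, `referral` = 50), the function names and the sample submissions are all assumptions made for the example.

```javascript
// Added example, not from the original post or from Dgraph/Firestore.
// Server-side validation that re-checks what the form already checks, so
// editing the form in dev tools gains the client nothing.

const USERNAME_MIN = 3;   // same bounds as the Firestore rule in the post
const USERNAME_MAX = 15;
const USERNAME_RE = /^[a-z0-9_]+$/i; // assumed charset; keeps usernames URL-safe

// Server-owned table of how many points each action is worth (assumed values).
// A Map is used on purpose: with a plain object, awardId = "constructor"
// would resolve through the prototype and return a function, not undefined.
const AWARD_POINTS = new Map([
  ['daily_login', 10],
  ['referral', 50],
]);

function validateUsername(username) {
  if (typeof username !== 'string') {
    return { ok: false, reason: 'username must be a string' };
  }
  // Count code points (assumption about the intended unit of "length").
  const length = Array.from(username).length;
  if (length < USERNAME_MIN || length > USERNAME_MAX) {
    return { ok: false, reason: `username must be ${USERNAME_MIN}-${USERNAME_MAX} characters` };
  }
  if (!USERNAME_RE.test(username)) {
    return { ok: false, reason: 'username contains disallowed characters' };
  }
  return { ok: true };
}

// Handle an "award points" mutation. The client names the action; the server
// decides the amount. A client-supplied amount is treated as tampering.
function applyAward(currentPoints, request) {
  if (!request || typeof request !== 'object') {
    return { ok: false, reason: 'bad request' };
  }
  if (Object.prototype.hasOwnProperty.call(request, 'points')) {
    return { ok: false, reason: 'client may not set points' };
  }
  const delta = AWARD_POINTS.get(request.awardId);
  if (delta === undefined) {
    return { ok: false, reason: 'unknown award' };
  }
  return { ok: true, points: currentPoints + delta };
}

// Constructed sample: what a tampered form might POST once the client-side
// checks have been removed in dev tools. Only the first entry is legitimate.
const SAMPLE_SUBMISSIONS = [
  { username: 'jane_doe', award: { awardId: 'daily_login' } },
  { username: 'someusernamethatiswaytoolongandthatshouldnotworkatall', award: { awardId: 'daily_login' } },
  { username: 'ab', award: { awardId: 'daily_login' } },
  { username: 'mallory', award: { awardId: 'daily_login', points: 100000 } },
  { username: 'mallory', award: { awardId: 'constructor' } },
];

// Run every submission through both checks and report the outcome per entry.
function processSubmissions(submissions, startingPoints = 0) {
  return submissions.map((s) => {
    const u = validateUsername(s.username);
    if (!u.ok) return { accepted: false, reason: u.reason };
    const a = applyAward(startingPoints, s.award);
    if (!a.ok) return { accepted: false, reason: a.reason };
    return { accepted: true, points: a.points };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(processSubmissions(SAMPLE_SUBMISSIONS, 0));
}
```

The design choice worth noting is that the request never carries the points value at all: rather than comparing a client-sent delta against the expected one, the server looks the amount up by action name, so there is nothing for a dev-tools edit to inflate.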