Considering we can have fine-grained access control, is it a good idea to connect Fauna directly to the front-end? (versus the “traditional” approach of having a middleman API in the backend to protect the key)
My app would only need to perform a get by reference: Theoretically I can create a Function on Fauna that only does get by ref and create a role that only grants access to said function. That way, I don’t have to spend on running a backend/middleman API (say, Cloudflare Workers), instead just calling this Fauna function directly.
I could imagine that a potential risk though would be someone spamming requests using the key scraped from my frontend and thus me having to pick up the tab in TROs and TCOs — are there protections against this? Or would it remain a good idea to put the Fauna API behind a back-end like Cloudflare Workers?
It depends on whether you want IP-based rate-limiting, in which case I would add something like Cloudflare Workers to the mix. If you want identity-based rate-limiting, you can implement that straight from FQL. That approach will incur reads but will reduce the amount of reads and discourage the user, since they won’t receive data but will be blocked. If you only perform a get by reference, then your reads are of course === 1 and then this approach would actually add reads. So if you are concerned about that, I would add CF in the mix. It all depends on whether you trust your users or not and can make them accountable for their actions.
These articles also talk about similar things:
Finally, an approach that I did not explore myself already but could work theoretically.
If you use third-party auth (of course, that’s a higher tier), I know for example that Auth0 has the capability to add geolocation (or IP?) to the token. You could opt to add that to the token and write a security role that blocks access after a few calls. Anything you do of course requires you to keep track of the amount of requests, which requires some kind of write and read. So in your situation it’s probably not going to help. Single gets are already super cheap.
I’m not sure how that works in Cloudflare, whether you would still pay a small fraction when users do a DDoS attack which Cloudflare successfully blocks. Some process has to run, so I assume there is always some kind of cost (but maybe Cloudflare takes that cost for them).
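
The IP-based option discussed in this thread, sketched as an added example (not code from the thread or from Fauna): a per-IP fixed-window limiter in Cloudflare Worker style that rejects excess requests before Fauna is contacted. `LIMIT`, `WINDOW_MS`, `store` and `fetchFromFauna` are hypothetical names, and the in-memory `Map` stands in for shared storage.

```javascript
// Added example: per-IP fixed-window limiter in front of a single Fauna read.
// Hypothetical names: LIMIT, WINDOW_MS, store, fetchFromFauna.
const LIMIT = 5;           // requests allowed per IP per window (constructed)
const WINDOW_MS = 60000;   // window length in milliseconds (constructed)

// store maps ip -> { start, count }. A Map stands in for the shared storage
// a deployed Worker would need; memory inside one Worker instance is not shared.
function checkRate(store, ip, now) {
  let entry = store.get(ip);
  if (!entry || now - entry.start >= WINDOW_MS) {
    entry = { start: now, count: 0 };          // first request of a new window
    store.set(ip, entry);
  }
  if (entry.count >= LIMIT) {
    const retryAfter = Math.ceil((entry.start + WINDOW_MS - now) / 1000);
    return { allowed: false, remaining: 0, retryAfter };
  }
  entry.count += 1;
  return { allowed: true, remaining: LIMIT - entry.count, retryAfter: 0 };
}

// Worker-style handler logic. Returns { status, headers, body }; in a Worker
// this would be wrapped as new Response(body, { status, headers }).
async function handle(request, store, fetchFromFauna, now = Date.now()) {
  // Requests without the header share one bucket instead of bypassing the limit.
  const ip = request.headers.get("CF-Connecting-IP") || "unknown";
  const verdict = checkRate(store, ip, now);
  if (!verdict.allowed) {
    // Blocked before Fauna is contacted, so no read op is billed.
    return { status: 429, headers: { "Retry-After": String(verdict.retryAfter) },
             body: "rate limit exceeded" };
  }
  const id = new URL(request.url).searchParams.get("id");
  if (!id || !/^\d+$/.test(id)) {
    return { status: 400, headers: {}, body: "invalid id" };
  }
  // fetchFromFauna holds the secret server-side and performs the get by ref.
  const doc = await fetchFromFauna(id);
  return { status: 200, headers: { "Content-Type": "application/json" },
           body: JSON.stringify(doc) };
}
```

With this in front, the Fauna key never reaches the browser, and a client that exceeds the limit gets a 429 without generating any Fauna operation.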