Do I need a backend API between FaunaDB and my app? What are the use cases of an API?

Also, for the full application(s) behind the blog post, you can see the “skeleton” applications in the fauna-labs GitHub org.

I’m not talking about the tokens here; that doesn’t change the pattern. I’m talking about skipping the FE and using an HTTP client like Postman or any other HTTP client extension for the browser. So it doesn’t matter if you wrap your calls in a UDF: it won’t even be called, unless there’s a way to disable the user from performing certain operations like Create and Update, requiring them to use the UDFs?

The HTTP API requires a token. All of the drivers are built on top of the HTTP API. If you curl or Postman fauna, you have to include the token as an authorization header. What powers a caller has is defined by that token.

I know that, I’m talking about validations, not tokens.

So I log in, I inspect what your app is doing, and when I learn “Oh, they’re using FaunaDB and they send queries directly rather than to a backend”, what I will ask myself next is “can I copy-paste these tokens and then send these requests, completely skipping the frontend?”. And yes you can; you can use an HTTP client to do that. So now that your frontend is completely skipped, how would you go about validating requests like sending a chat message to a complete stranger, sending a chat message to someone who has blocked you, or sending a friend request to someone who has blocked you? Those things require validations, not just input validations but also “request” validations, essentially answering the question “is this a valid request?”.

> unless there’s a way to disable the user from performing certain operations

There is, it’s called Attribute Based Access Control. In this pattern you would limit the user’s privileges to, say, only calling UDFs. They cannot bypass this.

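As an added example (not from the original thread, and not Fauna’s own sample code), here is what that pattern looks like in FQL v4: a UDF that performs the “is this a valid request?” check asked about above (refusing a chat message when the recipient has blocked the sender), a role the UDF runs under, and the role handed to end-user tokens, which grants only the `call` privilege on the function. The collection, index, function and role names, the shape of the block index, and the recipient id placeholder are all assumptions made for the illustration.

```fql
// Constructed example: names of the collection, index, function and roles are
// assumed for this illustration.

// 1. Role the UDF itself runs under. Only the function gets these privileges,
//    never the end-user token.
CreateRole({
  name: "send_message_runner",
  privileges: [
    { resource: Collection("messages"), actions: { create: true } },
    { resource: Index("blocks_by_blocker_and_blocked"), actions: { read: true } }
  ]
})

// 2. The UDF: the server-side "is this a valid request?" check.
//    The sender is taken from the token (CurrentIdentity()), never from the payload,
//    so a caller cannot claim to be someone else.
CreateFunction({
  name: "send_message",
  role: Role("send_message_runner"),
  body: Query(
    Lambda(["recipientRef", "text"],
      Let(
        {
          sender: CurrentIdentity(),
          // true if the recipient has a "block" document against the sender
          isBlocked: Exists(
            Match(Index("blocks_by_blocker_and_blocked"), [Var("recipientRef"), Var("sender")])
          )
        },
        If(
          Var("isBlocked"),
          Abort("recipient has blocked the sender"),
          Create(Collection("messages"), {
            data: { from: Var("sender"), to: Var("recipientRef"), text: Var("text") }
          })
        )
      )
    )
  )
})

// 3. Role granted to end-user tokens (membership: any document in "users").
//    It can call the UDF and nothing else: no create/write on "messages".
CreateRole({
  name: "app_user",
  membership: [{ resource: Collection("users") }],
  privileges: [
    { resource: Function("send_message"), actions: { call: true } }
  ]
})

// Client call; identical whether it comes from the frontend or from an HTTP client:
Call(Function("send_message"), [Ref(Collection("users"), "<RECIPIENT_ID>"), "hi"])
```

With this setup a user token pasted into Postman gets a permission denied error on a direct `Create(Collection("messages"), ...)`, because `app_user` has no privilege on that collection at all; the only route to writing a message is the UDF, which runs under `send_message_runner` and applies the block check on the server regardless of which client sent the request.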

While digging deeper into this today, I thought of some reasons to have a backend API endpoint:

Emails

Register

When a user creates an account, we typically generate a confirmation code for the user to verify his email address – you probably don’t want to do this in the frontend.

Forgot password

Same as with register: we generate a code and send it to the user’s email for the user to put into the form, to verify that he is indeed the person he claims to be (which we imply by having access to the account’s email).

Web Sockets

When you want to send a websocket event, especially by batch – you would probably restrict access to the collection where you store user websocket ids (or maybe you put them on redis)

Push notifications

When you want to send push notifications, especially by batch or to a specific device – you would probably restrict access to the collection where you store device tokens

Here, I made a sample app that is 100% frontend-only with GraphQL: GitHub - aprilmintacpineda/react-native-faunadb: A React-Native sample application that uses FaunaDB serverless architecture.


These are all business logic though, and you can have an API to do these things and still have the client access FaunaDB directly for requests that don’t need a backend. For example, in one project I use Cloudflare Workers for sign up/sign in, but still provide a Fauna Token to the client afterwards to access the DB directly.

As an aside, you can still restrict access to a collection down to a particular row if you have to, using ABAC, so that’s not really a concern.

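As an added example (not from the thread or from Fauna’s documentation), here is the row-level restriction the aside refers to, applied to the device-token collection mentioned in the push-notification reason above. In FQL v4 a privilege’s actions can be predicate functions instead of booleans; each predicate receives the document (or its ref) and returns whether the calling identity may act on that row. The collection name, the `owner` field and the role name are assumptions for the illustration.

```fql
// Constructed example: "device_tokens" documents are assumed to have the shape
// { data: { owner: Ref(Collection("users"), ...), token: "..." } }.
// Collection, field and role names are assumed for this illustration.
CreateRole({
  name: "device_token_owner",
  membership: [{ resource: Collection("users") }],
  privileges: [
    {
      resource: Collection("device_tokens"),
      actions: {
        // read: predicate receives the document ref; allow only the owner's rows
        read: Query(Lambda("ref",
          Equals(CurrentIdentity(), Select(["data", "owner"], Get(Var("ref"))))
        )),
        // create: predicate receives the values passed to Create; a user may
        // only register a token that names themselves as owner
        create: Query(Lambda("values",
          Equals(CurrentIdentity(), Select(["data", "owner"], Var("values")))
        )),
        // write: predicate receives the old and new documents; the caller must
        // own the existing row and may not reassign it to someone else
        write: Query(Lambda(["oldDoc", "newDoc"],
          And(
            Equals(CurrentIdentity(), Select(["data", "owner"], Var("oldDoc"))),
            Equals(CurrentIdentity(), Select(["data", "owner"], Var("newDoc")))
          )
        )),
        // delete: predicate receives the document ref
        delete: Query(Lambda("ref",
          Equals(CurrentIdentity(), Select(["data", "owner"], Get(Var("ref"))))
        ))
      }
    }
  ]
})
```

A token carrying this role can register, rotate and remove its own device tokens directly from the client, but a copied token used from an HTTP client still only reaches the rows whose `owner` is that identity. The batch sender that needs to read every device token runs server-side under a separate key or role with an unconditional `read`, which is exactly the split the previous reply describes: a backend for the work that needs broad access, direct database access for the rest.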