What stops a user of your serverless app from fetching the secret used to connect with the database and using it for their own purposes?

databrecht · March 9, 2021, 5:33pm

The short answer is, nothing stops the user from doing that as long as that query is within the privileges that were defined in your roles, but you can stop the user by writing User Defined Functions (UDFs) and only allowing these to be called.

If you are concerned about the security aspect of having a token in the browser, there are long forum posts on that topic that could help you further.

How to implement a refresh (httpOnly cookies)/access (in memory) token flow with a partial backend for auth?
Do I need a backend API between FaunaDB and my app? What are the use cases of an API? - #6 by databrecht

Topic		Replies	Views
Calling a (Netlify) serverless function from a UDF safely Help fql , udfs	2	803	July 31, 2020
Serving secrets Help authentication , best-practices	2	356	June 3, 2021
Only Allow findByID query Help graphql , best-practices , indexes	1	291	March 22, 2022
How to implement a refresh (httpOnly cookies)/access (in memory) token flow with a partial backend for auth? Help authentication	7	10507	May 4, 2021
Limiting privileges for user tokens Help abac , security , secret , fsl	6	251	December 10, 2023

What stops a user of your serverless app from fetching the secret used to connect with the database and using it for their own purposes?

Related Topics