Xamarin Forms Mobile App - best practice for storing keys

Looking for best practice on where to store my client keys for mobile development. I see the C# example, which looks like a console app example, but I believe you wouldn’t want me to put keys in each mobile app, correct? Do I need to purchase a serverless function at Azure or AWS?

What you could store in your client app is:

  • A key that gives your users access to ‘public’ data (e.g. all users could see this anyway)
  • A key that gives your users access to the process to login (bootstrap key), for example a key that is linked to a role which only allows you to call a User Defined Function (UDF) to register or login (example here: https://css-tricks.com/rethinking-twitter-as-a-serverless-app/)

That login process (the second bullet) results in a token that is linked to the Identity of a FaunaDB document (e.g. a user), so you can from then on rely on roles with a membership and even write roles that use the Identity() function or call User Defined Functions that rely on the Identity() function. This token you retrieve from logging in should only be stored in memory, not permanently. That token should have access to your protected resources via the aforementioned roles. Storing in memory is of course not ideal; on refresh of an app you lose your session, and/or you might want these tokens to be very short-lived. For serious applications, you might want something more advanced. I would suggest that you have two options:

  • To implement a partial backend for authorisation only, use a refresh token and access token (that logic you have to implement though; we don’t provide it out-of-the-box yet, but provide all the constructs to do it, example is on the way). The refresh token could be stored in httpOnly cookies (is that an option in your app?); the access token would be very short-lived (you could implement a silent refresh) and kept in memory. That way you do not have the loss-of-session problem, you can make access tokens shorter-lived, and the refresh token that has more power is safe. The advantage of only a backend for auth is that afterwards you benefit from multi-region access without an extra hop and without requiring an also multi-region backend to benefit from it.

  • Put each call behind a serverless function. You could do this on Azure, but if you care about multi-region I would suggest investigating Cloudflare Workers/Fly.io; they should only add a few tens of milliseconds to the call, and some of those (Workers) charge per CPU usage instead of the time your function is running, which is cool if all your app is doing is waiting for an API call to return and passing on the results (more idle than actually doing something).

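As an added illustration of the first option above (not code from the thread or from FaunaDB), here is how the secret placement described in that reply maps onto a Xamarin Forms app: the bootstrap key is the only value compiled into the app and its role may only call the login/register UDFs; the short-lived access token lives in memory only; and, since a native app has no httpOnly cookie jar, the longer-lived refresh token goes into the platform keystore via Xamarin.Essentials `SecureStorage` (Keychain on iOS, Keystore-backed on Android). `IAuthBackend`, `TokenPair`, the refresh UDF and the token shapes are assumptions about your own schema; a real implementation would wrap the FaunaDB driver's call to your login UDF, which the reply says you have to build yourself.

```csharp
using System;
using System.Threading.Tasks;
using Xamarin.Essentials; // SecureStorage: Keychain on iOS, Keystore-backed on Android

// Hypothetical backend contract (assumption). The real implementation would
// call your login / refresh UDFs through the FaunaDB client; the UDFs and the
// returned token shape are yours to define, they are not FaunaDB built-ins.
public interface IAuthBackend
{
    Task<TokenPair> LoginAsync(string bootstrapKey, string email, string password);
    Task<TokenPair> RefreshAsync(string refreshToken);
}

public sealed class TokenPair
{
    public string AccessToken { get; set; }          // short-lived, protected-resource roles
    public DateTimeOffset AccessExpires { get; set; }
    public string RefreshToken { get; set; }         // longer-lived, only usable to mint new access tokens
}

public sealed class Session
{
    // The only secret shipped in the binary. Its role must allow nothing but
    // calling the register/login UDFs. Placeholder value, not a real key.
    private const string BootstrapKey = "<bootstrap-key-placeholder>";

    // Our own SecureStorage key name (assumption).
    private const string RefreshStorageKey = "fauna_refresh_token";

    private readonly IAuthBackend _backend;
    private TokenPair _current;   // access token is held here, in memory only

    public Session(IAuthBackend backend) { _backend = backend; }

    public async Task LoginAsync(string email, string password)
    {
        _current = await _backend.LoginAsync(BootstrapKey, email, password);
        // Persist only the refresh token, and only in the platform keystore.
        await SecureStorage.SetAsync(RefreshStorageKey, _current.RefreshToken);
    }

    // Returns an access token valid for at least `margin`. Silently refreshes when
    // the in-memory token is missing (app was restarted) or about to expire,
    // which is what avoids the "lose your session on refresh" problem.
    public async Task<string> GetAccessTokenAsync(TimeSpan? margin = null)
    {
        var m = margin ?? TimeSpan.FromSeconds(30);
        if (_current != null && _current.AccessExpires - DateTimeOffset.UtcNow > m)
            return _current.AccessToken;

        var refresh = _current?.RefreshToken ?? await SecureStorage.GetAsync(RefreshStorageKey);
        if (string.IsNullOrEmpty(refresh))
            throw new InvalidOperationException("No session; the user must log in again.");

        _current = await _backend.RefreshAsync(refresh);
        // If your refresh UDF rotates refresh tokens, store the new one.
        await SecureStorage.SetAsync(RefreshStorageKey, _current.RefreshToken);
        return _current.AccessToken;
    }

    public void Logout()
    {
        _current = null;                       // drop the in-memory access token
        SecureStorage.Remove(RefreshStorageKey); // and the persisted refresh token
    }
}
```

Every FaunaDB query against protected data then goes through `GetAccessTokenAsync()` rather than a stored secret, so the only long-lived material on the device is the refresh token in the keystore, which your refresh UDF can revoke server-side by deleting its document. The bootstrap key can still be extracted from the binary, which is exactly why its role must be limited to the login/register UDFs as the reply describes.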

Thanks for the info and lots of work ahead … my ultimate goal is to have

1.) my read-only eleventy/11ty site on netlify using functions to connect to FaunaDB
2.) my admin/dashboard website which is asp.net mvc on azure to connect to FaunaDB
3.) my mobile apps (iOS & Android) to connect to FaunaDB

all share a single backend, which means I can save $$$ by not having to run my “kinda expensive/maintenance needy/constant attention/prone to go down” backend VM anymore :)

I will create a Xamarin Forms project on Github and see how to use your suggestions. I probably won’t be the only one who wants to know how to connect their Xamarin Forms app.

Awesome, let us know how it worked out and if that GitHub project will be public, we can add it to our awesome list https://github.com/n400/awesome-faunadb

I do not have any experience on Xamarin Forms whatsoever so I’m not sure whether my advice is applicable. If it’s not, feel free to correct me.