I made a cloud function that gets a user ID and deletes that user in case the registration did not go well.
Is it safe to run that cloud function from the client, even without user login first? What is the best practice regarding security?
How would you know the user if the user isn't logged in?
You are right - so is the user who is registering already logged in?
Does `account.create` log the user in?
No, it won't be logged in. But in that case you can create a function and have it triggered by the user-creation event.
So:
- The user registers using `account.create`
- Your function is triggered and runs on the spot to check if the account is "okay"
- If not, the user is deleted/blocked
The advantage of that method is that Appwrite will call that function behind the scenes and no one else can access it from the outside world.
Yes, I understand your point. Ok. I will try to implement that. Are there any articles / books / YT / courses that you recommend about best practices in securing a web app?
From what aspect?
In this chapter of something I've written you can find out about self-hosted Appwrite security
Ok thank you very much for the valuable info
General rules of thumb regarding security when building a web app. I'm using Appwrite Cloud.
I can't think of a general one like that right now
Ok - thanks
BTW, is it possible to listen for an event when a user's session expires? I tried to register that event without getting any input from the system. Should I write a cloud function for that?
You can see here the `users.*.sessions.*.delete` event.
And yes, in order to use this event you'll need to set up either a webhook or a function.
Thank you very much!
@Binyamin One more question please: I need to add a username to a registering user (the username is entered by the user).
So, a cloud function will be triggered when a new user registers by email/password or with Google (for example). Is it possible to pass that cloud function (which is executed automatically) the username it is supposed to write to the DB?
For now the cloud function can be triggered only for the email/password creation method.
As for the username: you'll need to create another function (or use the existing one with some route) and allow that function to be executed only by logged-in users. Within that function you can write the username logic.
@Binyamin So, to pass the username I need to execute the function "manually" and pass the username to it?
Correct
@Binyamin and when will there be support for OAuth registration events - do you have an estimate?
I don't think in the near future, but will need core member confirmation
@Binyamin Ok, thank you again!