Node-appwrite

And what should i make with functions and what with sdk? Like an auth is safe with sdk?

TL;DR

Developers are discussing how to prevent users from adding custom attributes in Node-appwrite. They also question the best way to make an attribute unchangeable. It's explained that permissions are set at a document level, not attribute level, but custom validations can be implemented. The discussion covers using SDK vs functions, validating user actions, and managing APIs. Ensure permissions are set correctly for safety. Use appwrite SDK for secure client-side handling of functions. It's mentioned that Appwrite automatically handles adding user IDs to headers. Consider using JWT for validation purposes. It's recommended not to have large functions but rather many simpler ones. Documentation and examples

Also, functions validate the user that executes it and automatically adds the user id to the header so you don't need to do additional validations.

You don't need to do Auth. If you're using the SDK to execute the functions and inside them, Appwrite will handle it, and add a header automatically with the ID from the user that is executing it.

But i mean like on a normal website auth, not the functions

You use the appwrite SDK. No need functions or anything

The appwrite SDK and Auth has a built-in API that is safe to use client side

So functions are only for validation right? So everything is safe with sdk only the validation has to go on functions

What kind of validation do you want to perform?

Like when making a post the caption only should be maximum 60 characters etc

I think you don't even need functions for that. Maybe to make sure the user is not spoofing the creator ID, but you set that when creating an attribute in the console 😅

But i cant make validations only on the client side

If you need custom validations, apart from the size, then yes, you need it. For that, you make a function and pass a payload to it and path.

Okay thanks for your help, ill let you know if i have other questions

@D5, i have a question, if someone only has a read permission to its own documents, if i just make a function that lists the documets in a collection, will the user only see its own documents, or every document?

The function will return all documents by default as it needs an API key

Why not fetching the docs directly on the client side? That will respect permissions

okay, thanks

i tought that the node js / functions way is safer than only the sdk on the client, but thanks 😅

If you set permissions properly, it should be safe

Note that for now, you can do advanced things such as restricting an attribute

what do you mean by that?

If you set permissions, the will see the entire document they have permission to see. You can't restrict a part of the document

yeah, but i hope they bring that feature in

and what do you think, whats the best way to make an attribute ,,unchangeable", i mean i have an attribute that shouldnt be updated, but the user has update permission

and how can i prevent that someone adds things like user preferences etc, with a custom code

Reply to this thread by joining our Discord

Reply on Discord

Need support?

Join our Discord

Get community support by joining our Discord server.

Join Discord

Get premium support

Join Appwrite Pro and get email support from our team.

Learn more

Recommended threads

Need support?

Join our Discord

Get premium support