←back to thread

Turso SQLite Offline Sync Public Beta

(turso.tech)
222 points charlieirish | 1 comments | 31 Mar 25 15:10 UTC | HN request time: 0.437s | source
Show context
billconan ◴[31 Mar 25 15:30 UTC] No.43536188[source]
This sounds great, but I have some questions regarding data integrity and security.

If I build an offline first app using Turso, will my client directly exchange data with the database, without a layer of backend APIs to guarantee data integrity and security? For example, certain db write is only permitted for certain users, but when the db API is exposed, will that cause problems? A concrete example would be a forum where only moderators can remove users and posts. Say if I build an offline first forum, can a hacker hack the database on the filesystem and utilize the syncing feature to propagate the hacked data to the server?

replies(9): >>43536366 #>>43536534 #>>43536576 #>>43536993 #>>43537308 #>>43537313 #>>43537393 #>>43539446 #>>43540237 #
1. ochiba ◴[31 Mar 25 20:19 UTC] No.43539446[source]
I am not sure about Turso but I've seen a few different approaches to this with other sync engine architectures:

1. At a database level: Using something like RLS in Postgres

2. At a backend level: The sync engine processes write operations via the backend API, where custom validation and authorization logic can be applied.

3. At a sync engine level: If the sync engine processes the write operations, there can be some kind of authorization layer similar to RLS enforced by the sync engine on the backend.