Exposed env vars? 🤔

[homerjam]

Hi!

This is interesting. Do you have any thoughts about including Turso env vars in the build and thus exposing the whole database?

I've come across this project https://github.com/digitalmio/turso-edge-pop which acts as a Turso proxy (it also uses embedded replicas).

I'm particularly interested in creating a per-user database setup.

My theory is to run the proxy in front of the main Turso endpoint and incorporate some sort of proprietary JWT based auth for per-user access.

Thanks!

[theorib]

Hi @homerjam, your theory is spot on.

In general, you would want to create a backend API proxy to secure the auth token and the database URL. That is, unless your generated token gives you only read access to the database, but even then, you would probably want to rate limit DB connections to prevent abuse.

If your idea is to create per-user databases, though, perhaps the better approach with Turso is to securely store the user's auth token for their DB directly in their device's OS Keychain/Keystore, which is designed for secure storage. This would not only save you a lot of setup and vulnerability paths (regarding your proxy server and trips between that server, Turso and your user) but would probably be more performant since you would only ever create a direct encrypted connection between app and the user's database.

Any databases that you want to share between users, though, you would want to create your proxy server.

There are many ways of doing this, depending on how your app works and how your backend is set up. As you say, JWT-based auth is the standard for mobile apps, but in some cases, database session tokens can also be used if you can work around storing session cookies safely and consistently in your users' devices.

If all you want is a database per user with no shared DB, your best bet may be to securely store each user's DB auth token in their own device. You may also want to consider token rotation and renewal to make it more robust but that obviously increases complexity.

p.s. converted this issue to a discussion so other people can readly see it :)

[homerjam]

Thanks so much for your thoughts! You're right - generating and storing the database auth token on the device at login is probably a more secure and performant approach.

[theorib]

@homerjam, if you have never implemented custom auth and want to better understand how it works and do it yourself (it's not hard), I find this resource to be quite useful. It's not centred on mobile apps, but all the concepts stay the same.