I am new to web development, and have seen posts such as these . If one is using AWS and is connecting to an AWS rds instance through Node, is that still considered a direct connection as opposed to a web service?
Asked
Active
Viewed 142 times
0
-
1"connecting to an AWS"? Do you mean connecting to a relational database hosted on AWS from a NodeJS server that is also hosted on AWS? – Tanbouz Oct 17 '17 at 15:42
-
Aws rds instance. The node js server is not in aws currently. – llJS Oct 17 '17 at 15:54
2 Answers
0
You're probably going to get a bunch of conflicting opinions on this. My personal opinion is a web service in front of your database makes sense in some scenarios. Multiple applications connecting to the web service instead of directly to the db gives several advantages, security, caching, etc.
That being said, if this is just a single app then most of those advantages disappear and in fact just make things more complex for you. You're going to have to setup your web service for the db as well as your actual code.
Rick Baker
- 873
- 11
- 22
0
If one is using AWS and is connecting to an AWS rds instance through Node, is that still considered a direct connection as opposed to a web service?
No, if Node.js is running on a server or in "serverless" containers (e.g. AWS Lambda) that is not a direct connection. That is a web service, and that's what you want.
A direct connection means the app connects to the database itself... but that requires embedding credentials in the app.
You do not want to embed anything in your app that you would not willingly hand over to an arbitrary user -- such as database credentials and API keys -- because you cannot trust that the app won't be reverse-engineered.
You should design the app in such a way that you would have no security concerns if the entire source code of the app were exposed, because knowing everything about the app's internals would give a malicious actor no valuable information. How? The code on the server side (e.g. in Node.js) should treat every request from the app as potentially suspicious, untrustworthy, etc., and validates every request to do anything.
This layer of separation is one of the strongest reasons why you never give the app direct access to the database. Code running in a trusted place -- your web server/API layer -- needs to vet every database interaction. This topology also decouples the app user from tying up resources on the database server when not actually interacting with the database, which is far less practical with a direct connection.
Michael - sqlbot
- 169,571
- 25
- 353
- 427
-
I am slightly confused. For example, if I am using mysql and the following node code is in /config/mysql, would that be a direct connection? My node server would be running in AWS Lambda, but at the same time, if someone had access to the code, they would be able to connect to the database. `var mysql = require('mysql'); var con = mysql.createConnection({ host: "localhost", user: "yourusername", password: "yourpassword" }); ` – llJS Oct 24 '17 at 18:29