> Access control on modern databases is too coarse. You want to whitelist which queries a user is allowed to make and you want fine-grained permissions around updates
Only allow direct access to stored procs, not queries. Or restrict access to specific views and use rules (https://www.postgresql.org/docs/current/static/sql-createrul...), but intuitively that seems more dangerous (with CTEs, I believe SQL is Turing-complete) and completely unnecessary.
> Databases only talk custom binary TCP protocols, not HTTP. Not REST. Not websockets. So you need something to translate between how the server works and how the browser works.
https://postgrest.com/
> You want to write complex logic for user actions
https://www.postgresql.org/docs/current/static/plpgsql-struc...
> with custom on-save triggers
https://www.postgresql.org/docs/current/static/plpgsql-trigg...
> and data validation logic.
https://www.postgresql.org/docs/current/static/ddl-constrain...
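The "stored procs only" setup from the comment above, written out as an added PostgreSQL example (this is not code from the commenter or from the linked docs). The role name `app_user`, the table `orders`, and the function `place_order` are assumed for illustration; the pattern is: the application role gets no table privileges at all, only EXECUTE on a SECURITY DEFINER function, while validation lives in a CHECK constraint and a BEFORE UPDATE trigger. Requires PostgreSQL 11 or later for `EXECUTE FUNCTION` in `CREATE TRIGGER`.

```sql
-- Added example: lock an application role down to stored procedures only.
-- Names (app_user, orders, place_order) are assumptions, not from the original comment.

CREATE ROLE app_user LOGIN PASSWORD 'change-me';

CREATE TABLE orders (
    id         bigserial   PRIMARY KEY,
    customer   text        NOT NULL,
    quantity   integer     NOT NULL CHECK (quantity > 0),  -- data validation as a constraint
    created_at timestamptz NOT NULL DEFAULT now(),
    updated_at timestamptz NOT NULL DEFAULT now()
);

-- Strip the implicit grants so app_user can reach nothing it was not given explicitly.
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO app_user;
REVOKE ALL ON orders FROM app_user;                 -- no direct SELECT/INSERT/UPDATE/DELETE
-- New functions are executable by PUBLIC by default; turn that off for this schema.
ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE EXECUTE ON FUNCTIONS FROM PUBLIC;

-- "On-save" trigger: runs on every UPDATE regardless of which code path issued it.
CREATE FUNCTION orders_before_update() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    NEW.updated_at := now();
    RETURN NEW;
END;
$$;

CREATE TRIGGER orders_before_update
    BEFORE UPDATE ON orders
    FOR EACH ROW EXECUTE FUNCTION orders_before_update();

-- The only entry point the application gets. SECURITY DEFINER runs the body with
-- the owner's privileges; the caller needs EXECUTE and nothing else. search_path
-- is pinned so a caller cannot shadow objects the body references.
CREATE FUNCTION place_order(p_customer text, p_quantity integer)
RETURNS bigint
LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
DECLARE
    v_id bigint;
BEGIN
    IF p_customer IS NULL OR length(p_customer) = 0 THEN
        RAISE EXCEPTION 'customer is required';
    END IF;
    INSERT INTO orders (customer, quantity)
    VALUES (p_customer, p_quantity)                 -- CHECK (quantity > 0) is still enforced
    RETURNING id INTO v_id;
    RETURN v_id;
END;
$$;

REVOKE EXECUTE ON FUNCTION place_order(text, integer) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION place_order(text, integer) TO app_user;

-- Things to try while connected as app_user:
--   SELECT place_order('alice', 2);   -- allowed: the whitelisted action
--   SELECT place_order('alice', 0);   -- rejected by the CHECK constraint
--   SELECT * FROM orders;             -- rejected: no privileges on the table
```

Two caveats worth checking in any real deployment: every SECURITY DEFINER function must set `search_path` (as above) or it can be tricked into resolving a caller-controlled object, and the explicit `REVOKE EXECUTE ... FROM PUBLIC` on each function is what actually closes the door, since the default-privileges change only affects objects created afterwards by the role that ran it.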