
> I'd be coupling my client code to the implementation details of my server side DB

[Supabase cofounder] Yes, although you can run this on the server side too (we do). It's a rapid way to go "mostly ORMless" - you just focus on your database and we can do the repetitive stuff (CRUD).




Is there some kind of whitelisting for queries that come from the client, so as to avoid hammering the DB with expensive queries / queries that make no sense?


The auth system we are building is targeting Postgres' Row Level Security, which should cover these sorts of problems. (More in my comments here: https://news.ycombinator.com/item?id=23320443)

You'll also be able to add rate-limiting and various other plugins (IP bans, blacklisting) to your API as well. We still have a lot to build - we didn't actually post this, so it's a bit early, but I guess you can't choose your timing.



