undefined | Better HN

0 pointssmallnamespace5y ago0 comments

Benjie, one of the PostGraphile creators, has a good talk [1] advocating for database-driven development.

OTOH, having dug into PostGraphile a bit, I personally wouldn't advocate for pushing so much backend logic into the DB.

Like, if you decide to do auth and TOTP in the DB, you'll end up implementing it in PL/pgSQL. Writing core security logic in a less-familiar language feels like it adds risk.

Also, for smaller projects your backend is often just a single server, so moving auth in into the DB doesn't save you from managing distributed state.

[1] https://www.youtube.com/watch?v=XDOrhTXd4pE

0 pointssmallnamespace5y ago0 comments

Benjie, one of the PostGraphile creators, has a good talk [1] advocating for database-driven development.

OTOH, having dug into PostGraphile a bit, I personally wouldn't advocate for pushing so much backend logic into the DB.

Like, if you decide to do auth and TOTP in the DB, you'll end up implementing it in PL/pgSQL. Writing core security logic in a less-familiar language feels like it adds risk.

Also, for smaller projects your backend is often just a single server, so moving auth in into the DB doesn't save you from managing distributed state.

[1] https://www.youtube.com/watch?v=XDOrhTXd4pE

0 comments

4 comments · 2 top-level

e12e5y ago· 2 in thread

> Like, if you decide to do auth and TOTP in the DB, you'll end up implementing it in PL/pgSQL.

Not really? Postgres (as well as other rdbms) support many other languages - I don't see many good reasons to insist on pl/pgSQL for uses like these?

Both python, perl and TCL are part of the standard distribution in addition to pl/pgSQL.

https://www.postgresql.org/docs/13/xplang.html

https://www.postgresql.org/docs/13/external-pl.html

smallnamespaceOP5y ago

Right, except if my backend is in JS, there's a cognitive cost to adding another language to the stack.

I could use plv8, but there's a more subtle preference here for JS to wrap SQL, rather than the reverse (plus tooling is less convenient, e.g. if you're writing Typescript).

My rule of thumb is: SQL great, PL not so much.

e12e5y ago

> except if my backend is in JS, there's a cognitive cost to adding another language to the stack.

Agreed.

However, I don't see why not use one of the other mature "real" extension languages other than pl/pgSQL.

As for typescript, maybe there's (distant) hope:

https://github.com/supabase/postgres-deno

pyramation5y ago

exactly! this is the ecosystem that I'm a part of that inspired me to build this :)

I do agree about making sure you have experience writing PL/pgSQL and would also add that you should make sure you have a good test-driven environment when writing code in the db.

j / k navigate · click thread line to collapse