I am trying to use Pocketbase alongside a node.js server with express.js using the Javascript SDK. It seems that I could just use the admin authentication to give the server full access to the database and just let the server itself regulate the queries.
Here is the code that is found in the docs:
const authData = pb.admins.authWithPassword(process.env.DB_USERNAME, process.env.DB_PASSWORD)
This solution seems to be risky though because if the node.js server ever got compromised the data would be at risk. Would the authentication have to be run regularly if the database connection ever disconnected?
Should the server have admin authentication? If so how would it be taken into account if it ever disconnects?
If the server is not supposed to have full access, I understand the authentication as a user but how can certain collections be accessed by the server so certain routes can be done even without a logged in user.
You should utilize collection-level authentication (see JS SDK Usage):
// authenticate as auth collection record
const userData = await pb.collection('users').authWithPassword('[email protected]', '123456');
In admin panel, define collection-specific API rules to restrict access or leave the inputs blank for unauthorized access.