
Security in SurrealDB: Best Practices Discussion 

SurrealDB

Join Tobie Morgan Hitchcock, Gerard Guillemas Martos and Salvador Gironès as they discuss database security and the developmental practices and permission system built into SurrealDB.
This is part of our SurrealDB social events series, filmed live in London, where we discuss the latest updates, releases and features of SurrealDB. For future events, see here: www.eventbrite...
SurrealDB:
🌍 SurrealDB Website: surrealdb.com/
👉 SurrealDB GitHub: github.com/sur...
🐦 SurrealDB Twitter: / surrealdb
👨‍💻 SurrealDB LinkedIn: / surrealdb
👉 SurrealDB Discord: / discord
📸 SurrealDB Instagram: / surrealdb
👚 Shop the merch: surrealdb.store/
What is SurrealDB?
SurrealDB is an end-to-end cloud-native database designed for modern applications, including web, mobile, serverless, Jamstack, backend, and traditional applications. With SurrealDB, you can simplify your database and API infrastructure, reduce development time, and build secure, performant apps quickly and cost-effectively.
👉 Get started with SurrealDB: sdb.li/getstarted
Key features of SurrealDB:
⭐ Reduces development time: SurrealDB simplifies your database and API stack by removing the need for most server-side components, allowing you to build secure, performant apps faster and cheaper.
⭐ Real-time collaborative API backend service: SurrealDB functions as both a database and an API backend service, enabling real-time collaboration.
⭐ Support for multiple querying languages: SurrealDB supports SQL querying from client devices, GraphQL, ACID transactions, WebSocket connections, structured and unstructured data, graph querying, full-text indexing, and geospatial querying.
⭐ Granular access control: SurrealDB provides row-level permissions-based access control, giving you the ability to manage data access with precision.

Published: 7 Sep 2024

Comments: 3
@jayethompson3414, 4 months ago
Liking SurrealDb. I’ve got some ideas for my industry, that are pretty exciting.
@martinomg, 4 months ago
Idk if I'm completely getting it right, so correct me if I'm wrong, but the token lasting 24h and not being able to be destroyed/revoked is a big deal for me, as cybersecurity requires my tokens to last 15 minutes or less, and also if any user destroys its token, it should be reflected anywhere that token is being used. If this doesn't happen I could log out from a tab and then continue using the app as normal in another one, while a normal workflow would throw an error as the session represented by the token was finished. The browser client implies some kind of dynamic token, but what it does in reality is create a 24h unrevokable static token. I wouldn't put the client on a browser, but surely I would on an API, because of the exposure of a static long-lasting connection, which is super unsafe. That alone already kills the purpose of a browser client for me. The GTI claim is critical if you ask me. Rotating the secret or another hacky way is not acceptable if you want to strive for easy integration and security, as now it forces you to create another custom layer to compensate for the security 😅
@SurrealDB, 4 months ago
Hi @martinomg, thank you for sharing your feedback! We are working hard on improving the security capabilities of SurrealDB. Fortunately, it seems that most of your requirements may already be met by the features available today.

Although tokens do last 24 hours by default, the exact duration of scope tokens can be set via "DEFINE SCOPE" to any duration, including 15 minutes or just a few seconds, using the "SESSION" clause. Additionally, any sessions established with a scope token gracefully expire when the token does, forcing the user (or any client acting on their behalf) to reauthenticate with credentials or a newer token before being able to perform authenticated actions. Although the connection is long-lasting, the authenticated session lasts only for as long as you want it to last when defining the scope. Please see more info here: surrealdb.com/docs/surrealdb/surrealql/statements/define/scope

When using JWT, frequently refreshed short-lived tokens are preferred over revocation, as such tokens are designed to be stateless. Since these tokens are stateless, they are not stored anywhere other than the client and can be permanently destroyed by the user without any intervention from the backend application. Although I am not sure what you mean by "static" and "dynamic" in this context, I would say JWTs are as "dynamic" as tokens get for this very reason.

Since JWTs are stateless by design, SurrealDB does not offer native capabilities to manage them statefully in the form of token management features. However, the "jti" claim was indeed added to all tokens issued by SurrealDB after this video was recorded, in version "1.3.1". This claim allows developers to statefully track issued tokens and implement any additional token management logic in SurrealQL by accessing the JWT ID value via the "$token" parameter. In this way, you can implement token revocation for scope users with a "PERMISSIONS" clause by using a token revocation table.
Although we cannot yet share specific plans about it, we are aware that some users do require stateful tokens (e.g. designed to be long-lived, audited, revoked...) and have some plans to tackle this use case soon.
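The reply above describes two building blocks: a short "SESSION" duration on the scope, and a revocation table consulted from a "PERMISSIONS" clause using the token's JWT ID. The following SurrealQL puts the two together. It is an added illustration, not code from the video or from SurrealDB's own documentation: it assumes SurrealDB 1.x syntax (1.3.1 or later, since that is when the claim was added), assumes the JWT ID claim is reachable as `$token.jti`, and uses table and field names (`user`, `note`, `revoked_token`, `jti`, `revoked_at`) chosen here for the example.

```surrealql
-- Added example (not from the video or SurrealDB's docs). Assumes SurrealDB 1.x
-- (>= 1.3.1) syntax and that the JWT ID claim surfaces as $token.jti. Table and
-- field names are illustrative choices, not names the project prescribes.

-- 1. Short-lived sessions: the token, and any session built on it, expires after 15m.
DEFINE SCOPE account SESSION 15m
  SIGNUP ( CREATE user SET email = $email, pass = crypto::argon2::generate($pass) )
  SIGNIN ( SELECT * FROM user WHERE email = $email AND crypto::argon2::compare(pass, $pass) );

-- 2. Revocation list keyed by jti. A scope user may only insert its *own* current
--    token (jti must equal the presenting token's jti), may read only its own
--    entries, and can never edit or delete entries (no un-revoking).
DEFINE TABLE revoked_token SCHEMAFULL
  PERMISSIONS
    FOR create WHERE jti = $token.jti AND user = $auth.id
    FOR select WHERE user = $auth.id
    FOR update, delete NONE;
DEFINE FIELD jti        ON revoked_token TYPE string;
DEFINE FIELD user       ON revoked_token TYPE record<user>;
DEFINE FIELD revoked_at ON revoked_token TYPE datetime DEFAULT time::now();
DEFINE INDEX revoked_token_jti ON revoked_token FIELDS jti UNIQUE;

-- 3. Application data: every permission also requires that the presenting token is
--    not on the revocation list, so a token "logged out" in one tab is rejected in
--    every other tab that still holds it, long before the 15m expiry.
DEFINE TABLE note SCHEMAFULL
  PERMISSIONS
    FOR select, create, update, delete
      WHERE owner = $auth.id
        AND $token.jti NOTINSIDE (SELECT VALUE jti FROM revoked_token);
DEFINE FIELD owner ON note TYPE record<user> DEFAULT $auth.id;
DEFINE FIELD body  ON note TYPE string;

-- 4. Logout: the client, authenticated with the very token it wants to kill, runs:
CREATE revoked_token SET jti = $token.jti, user = $auth.id;

-- 5. Housekeeping (run by a privileged, non-scope user): an entry is pointless once
--    the token it names has expired on its own, so keep the list to the session window.
DELETE revoked_token WHERE revoked_at < time::now() - 15m;
```

Two design points worth noting. The list only ever needs to hold tokens that are still within their SESSION window, which is why the short duration and the revocation table complement each other: the shorter the session, the smaller the list and the smaller the window in which a leaked token is usable at all. And because the check lives in the table's PERMISSIONS clause rather than in application code, it applies to every query a scope user can issue, including ones made directly from a browser client, which is the exposure the comment above is worried about.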