I’m considering using Realm for a SaaS web application which also has a desktop application/client as well. But, is Realm really an appropriate choice for commercial software? The ability to use the Realm app object and then invoke queries, set up watches on backend data, etc. is great and convenient. But, from a security perspective, how is this a best practice to expose directly in my web applications, where any casual View Source will reveal my backend app name, my backend document names and the exact field names as well?
Am I misinterpreting the use case for Realm? Is it more designed for mobile apps where viewing source isn’t possible, or for internal corporate apps that live behind a firewall, inside a private network?
I’m building a commercial app that will be run in a web browser (I’m using the JS Realm SDK) and on desktop (I’m using Electron and soon will replace that with a C++ based host, but currently I’m using the Node JS SDK), and I’ve always, like everyone else, used an API for my apps to keep backend details out of the client code / hard-coded string values for document queries, etc. I don’t feel comfortable exposing this much detail about my backend.
Obviously, I could put my own API in front of every query to Mongo or I could use Realm App Functions potentially as well and put all document names / fields in those Node functions. But, I’m just doing a quick sanity check on security architecture and expected use cases for Realm.
Anyone else have any concerns or public-facing apps with Realm?
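As an added illustration (not code from the original post or from MongoDB) of the "put a function in front of every query" option mentioned above: the client never sends a database, collection or raw filter, only a small set of allow-listed keys, and the server side injects the per-user scope itself. The `tickets` collection, `ownerId` field and `lookupTickets` name are hypothetical, and the `ctx` argument is a plain object standing in for the function runtime's context so the code runs offline; in a real deployment this sits alongside, not instead of, the app's data-access rules.

```javascript
// Fields a client may filter on, and the values they may take.
// Anything else (including `ownerId` or operator objects) is rejected.
const ALLOWED_FILTER_FIELDS = new Set(["status", "priority"]);
const ALLOWED_STATUS = new Set(["open", "closed"]);

// Build the MongoDB filter actually executed. The tenant/user scope
// (`ownerId`) comes from the authenticated identity, never from the client,
// so learning the field names from page source does not widen access.
function buildScopedFilter(userId, clientFilter) {
  if (typeof userId !== "string" || userId.length === 0) {
    throw new Error("missing authenticated user");
  }
  const filter = { ownerId: userId };
  for (const [key, value] of Object.entries(clientFilter || {})) {
    if (!ALLOWED_FILTER_FIELDS.has(key)) {
      throw new Error(`field not allowed: ${key}`);
    }
    if (typeof value !== "string") {
      // Blocks operator objects such as { $ne: "x" } or { $regex: ... }.
      throw new Error(`value for ${key} must be a plain string`);
    }
    if (key === "status" && !ALLOWED_STATUS.has(value)) {
      throw new Error(`unknown status: ${value}`);
    }
    filter[key] = value;
  }
  return filter;
}

// Server-side function body (hypothetical name). `ctx` is modelled loosely
// on a function runtime context: ctx.user.id is the caller, ctx.services
// resolves the data source. Only a fixed projection is returned, so the
// client sees the fields it needs and nothing else.
async function lookupTickets(ctx, clientFilter) {
  const userId = ctx && ctx.user ? ctx.user.id : undefined;
  const filter = buildScopedFilter(userId, clientFilter);
  const collection = ctx.services
    .get("mongodb-atlas")
    .db("app")
    .collection("tickets");
  const cursor = collection.find(filter, { _id: 1, status: 1, title: 1 });
  return cursor.toArray();
}
```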