Approaches to server side form validation - toddle x Supabase

  • Tom Ireland

    26 days ago

    Hey, folks. Has anyone got any tips/tricks on how best to handle form validation server side when using toddle x Supabase?

    Is the answer to use Supabase Edge functions or CloudFlare Workers for this?

    Table constraints and RLS policy checks will only get you so far and I'm conscious of ensuring forms are properly validated, while reducing as much repetition front end and server-side as possible.
  • Lucas G

    26 days ago

    Forms are typically validated on frontend upon submission. What are you trying to check for on the backend?
  • Tom Ireland

    26 days ago

    Well, front end is for UX but need to ensure server-side is done as well. For example, I could make a post request from Postman and bypass the front end potentially introducing bad data, so need to handle potential situations where bad data might sneak through as front end validation is not solely reliable.
  • Lucas G

    26 days ago

    Ah, are you looking to protect a sign-up form then?
  • Tom Ireland

    26 days ago

    Aye, well that and profile stuff.

    Plus thinking about future improvements.

    Where other forms will be required.
  • Lucas G

    26 days ago

    Profile stuff shouldn't be an issue as that should already be an authenticated call.

    The only one you can't really authenticate as easily would be a sign-up form, or rather public forms in general.
  • Lucas G

    26 days ago

    In which case, yeah, you'd need something in between to validate them. Stuff like request origin validation, rate limiting, etc
  • Lucas G

    26 days ago

    There's no one thing, it's about stacking checks.

    Sometimes people also save those type of forms to a temporary DB from which they clean/validate then pass to the main DB.
  • Tom Ireland

    26 days ago

    Aye. The use-case I have (and maybe it needs improved) is the profile. On signup, I create a record in the profile table with the user's auth id and email generated on signup. In order to create the record using a trigger function, other fields like first name, last name, etc., need to be null in order for the insert to work (there may be a way to improve that).

    The idea being fast signup without creating your profile completely immediately. However, in order for your profile to be public, it needs to be complete. I can implement front end validation to ensure everything is checked before posting but that doesn't mean someone could get around it by hacking the developer tools or something.
  • Tom Ireland

    26 days ago

    Given there is no null constraint on the table, you could still potentially have an incomplete profile if you hack around it.

    Or I implement something that allows it without noticing.
  • Lucas G

    26 days ago

    Can you put the profile entry behind the sign-up, after an account activation step?
  • Tom Ireland

    26 days ago

    That's kinda what I'm doing but the insert from auth into profile needs other fields to either be present or accept a null value.
  • Tom Ireland

    26 days ago

    So I opted for null as not an immediate requirement for signup but should be complete for profile visibility. It's maybe a me problem. 😄
  • Lucas G

    26 days ago

    That's a common flow which I think people would be fine with
  • Lucas G

    26 days ago

    Sign-up (basic form) -> activate profile by clicking link in email -> land on 'activate' page which has the profile form
  • Tom Ireland

    26 days ago

    Yeah, this is exactly what I'm doing.
  • Tom Ireland

    26 days ago

    Front end validation will suffice but looking to up my game and approach this with a pro mindset with security and data integrity in mind.

    It's unlikely someone would go around the houses for something so trivial but don't want to make it an option. 😄
  • Lucas G

    26 days ago

    Then you'll need something in the middle to do additional checks
  • Tom Ireland

    26 days ago

    Yeah, thinking Edge functions or CFWs might be the way. Got vscode setup locally and Supabase CLI with Docker but slightly out of my comfort zone. 🤢
  • Lucas G

    26 days ago

    I know the feeling.

    But it is how we grow as devs.
  • Tom Ireland

    26 days ago

    Very true, sir.
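The thread's concern is that a profile can be made public while still incomplete, because the signup trigger forces the name columns to be nullable and front-end validation can be bypassed from Postman or the developer tools. The Postgres snippet below is an added example (not code from this thread or from toddle/Supabase) that enforces "public only when complete" in the database itself, so it holds no matter which client wrote the row; it assumes a `public.profiles` table with the column names shown in the comments and Supabase's `auth.uid()` helper.

```sql
-- Assumed table (names are this example's, not the thread's):
--   public.profiles(id uuid primary key references auth.users(id),
--                   email text, first_name text, last_name text,
--                   bio text, is_public boolean not null default false)
-- The signup trigger inserts only id and email, so the name columns stay
-- nullable. The constraint below keeps that working, but refuses any write
-- that would make an incomplete profile public.

alter table public.profiles
  add constraint profiles_public_must_be_complete
  check (
    is_public = false
    or (
      first_name is not null and length(btrim(first_name)) between 1 and 100
      and last_name is not null and length(btrim(last_name)) between 1 and 100
      and bio is not null and length(bio) <= 1000
    )
  );
-- Note: ALTER TABLE ... ADD CONSTRAINT validates existing rows, so any row
-- that is already public and incomplete must be fixed (or unpublished) first.

-- Only the owner may update their own row. The WITH CHECK clause also stops
-- a client from re-pointing the row at another user's id during the update.
alter table public.profiles enable row level security;

create policy "profiles: owner updates own row"
  on public.profiles for update
  to authenticated
  using (id = auth.uid())
  with check (id = auth.uid());

-- What a bypassed front end now sees: if first_name, last_name or bio is
-- still null, this statement is rejected with
--   new row for relation "profiles" violates check constraint
--   "profiles_public_must_be_complete"
-- instead of publishing a half-empty profile.
update public.profiles
  set is_public = true
  where id = auth.uid();
```

An Edge Function or Worker in front of the table can still return friendlier, field-by-field errors, but the constraint is the check that cannot be skipped.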
