I am using neo4j and am considering querying the db directly from the frontend, using the APIs via HTTP.
Usually I have taken a different approach: the backend connects to the neo4j driver, formats the results and exposes them at API endpoints, and the frontend only fetches those results.
I wonder if I could skip the formatting part by querying the database directly from the client, as in: https://neo4j.com/docs/javascript-manual/current/client-applications/#js-driver-configuration-examples or: How to query neo4j graph with jQuery, or other users wondering about the security aspects of JavaScript querying the db directly: https://github.com/neo4j-contrib/neovis.js/issues/245
Since my use case is an application for internal use, I am considering that the API endpoints do not necessarily need to be exposed (there are no third parties querying those endpoints), and I could eventually factor them out (not sure if this is good practice) and code the necessary queries in the JavaScript scripts of the frontend.
The neo4j example shows (in this case for Node.js):
const driver = neo4j.driver(uri, neo4j.auth.basic(user, password))
but the same applies to other web client libraries for neo: https://github.com/neo4j-contrib/neovis.js/issues/245
My concern is sending the credentials for accessing the db: I don't want to store them in the JavaScript file...
- What is the preferred method to query the db directly from the client while keeping the connection secure?
- Are there other issues, like CORS, that I should take into account compared to exposing the API at endpoints such as /apis/ on the same domain? For example, I am using Python Flask and wonder if I can avoid serving the frontend files from it.
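The backend-proxy layout the post describes as its usual approach (driver and credentials on the server, frontend calling API endpoints), as an added example that is not part of the original question or of any neo4j project code. It assumes credentials arrive through environment variables named NEO4J_URI, NEO4J_USER and NEO4J_PASSWORD, and the two query names and the Person/Movie schema are made up for illustration. The handler only needs an object with a run(cypher, params) method, so it can be exercised without a database; a Flask route would call run_named_query with a real driver session.

```python
"""Added example (not from the original post): keep the neo4j driver and its
credentials on the backend, and let the frontend invoke named, parameterised
queries instead of shipping Cypher or credentials to the browser.

Assumptions (not from the post): the environment variable names, the query
names and the Person/Movie schema are illustrative. `session` is anything with
a run(cypher, params) method, so the logic runs without a live database.
"""
import os
import re

# Allow-list of queries the frontend may call by name. Every user-supplied
# value is passed as a Cypher parameter ($name, $limit), never spliced into
# the query text, so the client cannot alter the statement itself.
NAMED_QUERIES = {
    "person_by_name": {
        "cypher": "MATCH (p:Person {name: $name}) RETURN p.name AS name, p.born AS born",
        "params": {"name": str},
    },
    "movies_for_person": {
        "cypher": (
            "MATCH (p:Person {name: $name})-[:ACTED_IN]->(m:Movie) "
            "RETURN m.title AS title LIMIT $limit"
        ),
        "params": {"name": str, "limit": int},
    },
}

MAX_LIMIT = 100  # cap result size regardless of what the client asks for


class QueryError(ValueError):
    """Unknown query name or bad parameter; a route would map it to HTTP 400."""


def load_driver_config(env=os.environ):
    """Read connection settings from the environment, never from a JS bundle.

    Returns (uri, user, password) or raises RuntimeError if a value is missing.
    """
    try:
        return env["NEO4J_URI"], env["NEO4J_USER"], env["NEO4J_PASSWORD"]
    except KeyError as exc:
        raise RuntimeError(f"missing required setting {exc.args[0]}") from None


def build_query(name, raw_params):
    """Validate a frontend request against the allow-list.

    Returns (cypher, params) ready for session.run, or raises QueryError.
    """
    spec = NAMED_QUERIES.get(name)
    if spec is None:
        raise QueryError(f"unknown query {name!r}")
    expected = spec["params"]
    unexpected = set(raw_params) - set(expected)
    if unexpected:
        raise QueryError(f"unexpected parameters: {sorted(unexpected)}")
    params = {}
    for key, typ in expected.items():
        if key not in raw_params:
            raise QueryError(f"missing parameter {key!r}")
        value = raw_params[key]
        if typ is int:
            # JSON from the browser may carry numbers as strings; accept digits only.
            if isinstance(value, bool) or not re.fullmatch(r"\d+", str(value)):
                raise QueryError(f"parameter {key!r} must be a non-negative integer")
            value = min(int(value), MAX_LIMIT)
        elif not isinstance(value, str) or len(value) > 200:
            raise QueryError(f"parameter {key!r} must be a short string")
        params[key] = value
    return spec["cypher"], params


def run_named_query(session, name, raw_params):
    """Execute an allow-listed query and return plain dicts for JSON output."""
    cypher, params = build_query(name, raw_params)
    result = session.run(cypher, params)
    # neo4j Record objects and plain dicts both convert this way.
    return [dict(record) for record in result]


def connect():
    """Open the real driver; the import is deferred so the module loads without it."""
    from neo4j import GraphDatabase  # assumed to be installed on the backend only
    uri, user, password = load_driver_config()
    return GraphDatabase.driver(uri, auth=(user, password))
```

The design choice worth noting is that the frontend never sends Cypher at all: it sends a query name plus parameters, the backend owns the statement text and the credentials, and the client-side script contains nothing a browser's developer tools could reveal beyond the endpoint path.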