
I also had the same experience with Supabase.

Even though it looks like a great product initially, it has a lot of errors and bugs when you are trying to actually build something more robust than a toy app.

Local development is a massive pain with random bugs.

The response time of the database also varies all over the place.

But the most important problem that we faced was having so much application logic in the database.

Row level security is their "foundational piece", but there is a reason why we moved away from database functions and application logic in database over a decade ago: that stuff is unmaintainable.

There is also really poor support and at the end of the day, the whole platform felt like a hack.

I think now, for most apps with up to 500_000 users (with 10_000 concurrent realtime connections) PocketBase is the best PaaS out there having tested a bunch of them.

A single deployable binary which PocketBase provides is a breath of fresh air.

Anything more than that, just directly being on top of bare metal or AWS / GCP is much better.



> Row level security is their "foundational piece", but there is a reason why we moved away from database functions and application logic in database over a decade ago: that stuff is unmaintainable.

Funny. In my experience, application-level authorization checks are very error-prone, easy to accidentally omit, and difficult to audit for correctness. "Unmaintainable", I suppose.

Whereas RLS gives you an understandable authorization policy with a baseline assurance that you're not accidentally leaking records you shouldn't be.


RLS is great, but it's not that hard to shoot yourself in the foot or miss stuff. E.g.:

  ALTER TABLE bookmarks ENABLE ROW LEVEL SECURITY;
  CREATE POLICY bookmarks_owner ON bookmarks USING (owner_id = auth.uid());
  CREATE VIEW recent_bookmarks AS SELECT * FROM bookmarks ORDER BY created_at DESC LIMIT 5;

The above may look fine at first glance, but recent_bookmarks actually bypasses RLS.


For that there's security invoker now:

  CREATE VIEW recent_bookmarks WITH (security_invoker=true) AS
  SELECT * FROM bookmarks ORDER BY created_at DESC LIMIT 5;

Point taken though, it's not the default behavior.


Indeed - one of the great changes in v15. (For any folks on previous versions, you need to change the view owner to a non-superuser role without the bypassrls attribute.)

Thanks for all your work on PostgREST, Steve! Do you think we'll see relational inserts in the near future, or is that still a bit down the road?
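
An audit query for the view pitfall discussed in the comments above, added here as an example that is not part of the original thread. It reads only standard PostgreSQL catalogs; the table-owner check goes beyond what the thread mentions and relies on PostgreSQL's documented rule that a table's owner bypasses RLS unless FORCE ROW LEVEL SECURITY is set.

```sql
-- Added example (not from the thread): list every view that reads directly
-- from a table with row level security enabled, and say whether the view
-- enforces that table's policies for the role running the query.
-- Only direct view -> table dependencies are followed, not views on views.
SELECT DISTINCT
    v.oid::regclass             AS view_name,
    t.oid::regclass             AS rls_table,
    vo.rolname                  AS view_owner,
    COALESCE(si.enabled, false) AS security_invoker,
    CASE
        WHEN COALESCE(si.enabled, false)
            THEN 'ok: policies evaluated as the querying role'
        WHEN vo.rolsuper OR vo.rolbypassrls
            THEN 'BYPASS: view owner is superuser or has BYPASSRLS'
        WHEN v.relowner = t.relowner AND NOT t.relforcerowsecurity
            THEN 'BYPASS: view owner also owns the table, FORCE RLS is off'
        ELSE 'review: policies evaluated as the view owner, not the caller'
    END                         AS verdict
FROM pg_class v
-- A view's query is stored as a rewrite rule; the rule's dependencies
-- point at the relations the view selects from.
JOIN pg_rewrite r ON r.ev_class = v.oid
JOIN pg_depend  d ON d.classid    = 'pg_rewrite'::regclass
                 AND d.objid      = r.oid
                 AND d.refclassid = 'pg_class'::regclass
JOIN pg_class   t ON t.oid = d.refobjid
JOIN pg_roles  vo ON vo.oid = v.relowner
-- security_invoker lives in reloptions (PostgreSQL 15+); casting the stored
-- text to boolean accepts every spelling the server accepts (true, on, 1).
LEFT JOIN LATERAL (
    SELECT bool_or(o.option_value::boolean) AS enabled
    FROM pg_options_to_table(v.reloptions) AS o
    WHERE o.option_name = 'security_invoker'
) si ON true
WHERE v.relkind = 'v'             -- ordinary views
  AND t.relkind IN ('r', 'p')     -- plain and partitioned tables
  AND t.relrowsecurity            -- RLS enabled on the underlying table
ORDER BY 1, 2;
```

With the bookmarks schema from the comment above, the plain recent_bookmarks view shows up with a BYPASS verdict when its owner is a superuser or the table owner, and with "ok" once it is recreated WITH (security_invoker=true).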


I agree. I would love to see more articles on pocketbase. It's phenomenal and ganigeorgiev is an animal about responding to bugs and discussions. He's got to be a hybrid human and ChatGPT robot.


What's also really cool is that you can also just use PocketBase as a Go library and just build your app around it like any normal web framework, while still having a great UI for quick prototyping. And when you need more custom behaviour instead of database functions, you just write some Go code while still compiling everything down to a single binary that you can copy over.


"Local development is a massive pain"...that's enough to kill it for me. No need to point out anything else.


I don't use supabase, but am a big postgres fan:

> that stuff is unmaintainable

Wrong. Version your functions and use something like liquibase to apply migrations.


Way less friendly than writing code IMO


Far, far more performant though for filtering millions of rows


Developer friendly matters early on, performance and security friendly matters at scale


And handwrite xml? No thanks. Again, if I wanted to do any of this management myself, I wouldn't be using a PaaS.


You don't have to use the xml format if you don't want to. Not sure why you wouldn't want to, since the xsd enables autocompletion in your IDE which makes it the most practical format of all.

Anyway, YAML and SQL format are a thing

https://docs.liquibase.com/concepts/changelogs/yaml-format.h...

https://docs.liquibase.com/concepts/changelogs/sql-format.ht...


Or Bytebase if you want a more sophisticated GitLab like experience


Could you be more specific what is difficult about local development? I've used it locally and had little difficulty.



