Thanks for the addition. As far as I know the Datomic REST API also
requires to be called from a trusted environment (like the Datomic peer
library). I like to call datomic.api/q via an API from an untrusted
environment (in my case a browser which runs a ClojureScript application).

There are some aspects of the query api that are hard to make use of via a
REST API (or similar) while keeping security, less than jailing a JVM
somehow. One is the quite common use-case to ask several datasource, either
dbs or plain data structures.

Another approach is to use similar principles as used in om.next - using
some kind of decorated pull expressions. We use a similar approach in a
somewhat complicated application (although with reagent/posh rather than
om.next) and for a lot of use cases an "encoded queries" approach works
quite well.

I guess a good approach to make more free-form queries would be to extend
the pull expressions in a structured way, for instance with encoded
implicit queries for getting a all items in a certain time-range. I guess
it's easier to "lock down" such a query engine than a real datalog one.

(Using datascript to query the fetched data would maybe make it possible to
make free form queries to some extent, as well, where the pull expression
gives the data subset, which needs some sixe constrains etc).

/Linus

I also considered to implement a more classic "middle-tier". I'm
implementing the client and the server anyways, so why should I bother with
realizing some fancy "demand-driven" client API (Om Next, GraphQL / Relay,
Falcor or whatever). I even have a RPC-style library, which only adds
minimal overhead for exposing Clojure functions to the client.

I've tried to use the "classic" approach for the current project and ended
up with some bloated API endpoints. You just keep reinventing the wheel,
trying to express your (datalog) query with some way less powerful API
call. This is an example directly from the ClojureScript client:

(rpc/call
:query/q
'[:find ?e ?label
:in $ [?type ...] ?label-attr ?substr
:where
[?e ?label-attr ?label]
[?e :type ?type]
[(clojure.string/lower-case ?label) ?lower-case-label]
[(clojure.string/includes?
?lower-case-label
?substr)]]
:current
type
label-attr
(str/lower-case substr))

It just searches entities with the given :type(s), which label-attr(ibute)
values contain a certain substring (for an autocomplete control). It is
perfectly fine to move such functions into the "middle-tier", but you have
to come up with some other specification to declare, what you like to have
from the server or rather database. The Datomic datalog query is also
"plain data" and it is already a very powerful specification, so why
inventing something new.

I agree with you that blacklisting is a dangerous approach. Therefore I
would prefer a good "parser" for the Datomic query grammar to exactly
define (whitelist), which parts of a Datalog query I like to allow in the
"demand-driven" API for the clients.

However I also like to emphasize that my initial question is really about
securing the execution of a foreign datalog query, not about how to define:
who is allowed to read what (authorization if you like). The latter can be
solved elegantly with the help of datomic.api/filter (like described in
this talk also
whitelist-based). Even if you build a more classic "middle-tier" it is
advisable to implement the "authorization" concerns with the help of
datomic.api/filter to keep your Datalog queries clean from all this
additional authorization logic.

As with everything there are different tradeoffs. I don't know if the
"demand-driven" API approach leads to better systems, but at least it feels
more powerful at the moment. I'm going to write about my experiences here,
especially if I had to switched back to classic "middle-tier".

Best regards

Max