Hello, everyone:
I am having some difficulties using Neo4j in a web app project.
The scale of my project is as follows:
- Thousands of users, each with their own instance, and users cannot access other users' data.
- Each user performs one operation per second, and each user has two sessions: a regular session (modifying 1-10 nodes and querying 1-10 nodes per operation) and an rxSession for fulltext search.
- There are also thousands of users online at the same time, which means the Neo4j server needs to maintain several thousand to tens of thousands of sessions.
Currently, I am using the JavaScript driver, which runs in the browser. The main logic is in the frontend. I have two requirements now:
1. Hide the Cypher statements.
2. Prevent SQL injection attacks (user data is very important).
Currently, I have two ideas:
- Expose the Neo4j server directly to the public network and put the Cypher statements in the Neo4j server (similar to User-Defined Procedures and Functions).
  - This way, the existing code almost does not need to be modified.
  - The downside is that there is a risk of Neo4j being attacked.
- Use Node.js as an intermediary, so that the Neo4j server is not visible to the external network. There are two ways to implement this:
  - a. Use HTTP to communicate with users. Since HTTP is stateless, communication between Node.js and Neo4j also needs to be changed to HTTP. rxSession is not easy to handle.
  - b. Use WebSocket to communicate with users. Serverless deployment may have issues.
I am a beginner in JavaScript development, and this is my first formal project. This is also my first time using Node.js. I don't know how big the risks and development efforts are for each solution, or whether there are better ways to solve this problem.
I sincerely request your guidance and greatly appreciate it.
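An added example, not part of the original post and not code from the Neo4j project, of how the second idea (a Node.js intermediary) is usually structured so that both requirements are met at once: the Cypher text lives only on the server, the browser can only name one of a fixed set of operations, and every user-supplied value travels as a driver parameter instead of being concatenated into the query string, so it can never change the statement. The `session` object is injected so the file runs without a live database; with the real `neo4j-driver` package it would be `driver.session()` (or `driver.rxSession()` for the reactive fulltext search). The operation names, the `Note` label, the `owner` property and the `noteText` fulltext index name are assumptions made for the example.

```javascript
// Added example (not from the original post). A minimal server-side layer for
// the "Node.js intermediary" design: Cypher is defined only here, clients may
// only name an operation, and user input is passed as driver parameters.
// Label, property and index names are assumptions.

const OPERATIONS = {
  // $owner is always taken from the authenticated user, never from the request,
  // which keeps each user inside their own data.
  getNote: {
    cypher: 'MATCH (n:Note {id: $id, owner: $owner}) RETURN n',
    params: ['id'],
  },
  updateNoteTitle: {
    cypher: 'MATCH (n:Note {id: $id, owner: $owner}) SET n.title = $title RETURN n',
    params: ['id', 'title'],
  },
  // The fulltext procedure parses $q as a Lucene query, not as Cypher, so a
  // value such as "x RETURN 1" cannot alter the statement; the owner filter
  // still applies to every hit.
  searchNotes: {
    cypher:
      'CALL db.index.fulltext.queryNodes("noteText", $q) YIELD node ' +
      'WHERE node.owner = $owner RETURN node',
    params: ['q'],
  },
};

// Turn a request into a { cypher, params } pair or throw. Nothing from `body`
// ever reaches the Cypher text; it can only become a parameter value.
function buildQuery(opName, body, authenticatedUserId) {
  // hasOwnProperty keeps inherited names ("constructor", "__proto__") from
  // being treated as operations.
  if (!Object.prototype.hasOwnProperty.call(OPERATIONS, opName)) {
    throw new Error(`unknown operation: ${opName}`);
  }
  if (typeof authenticatedUserId !== 'string' || authenticatedUserId === '') {
    throw new Error('unauthenticated');
  }
  const op = OPERATIONS[opName];
  const params = { owner: authenticatedUserId }; // tenant scope, fixed server-side
  for (const name of op.params) {
    if (!Object.prototype.hasOwnProperty.call(body, name)) {
      throw new Error(`missing parameter: ${name}`);
    }
    const value = body[name];
    if (typeof value !== 'string' && typeof value !== 'number') {
      throw new Error(`unsupported type for ${name}`);
    }
    params[name] = value;
  }
  return { cypher: op.cypher, params };
}

// Run one operation. `session` is any object with run(cypher, params) that
// resolves to { records }, the shape of neo4j-driver's Session, so a stub can
// be used here and driver.session() in production.
async function runOperation(session, opName, body, authenticatedUserId) {
  const { cypher, params } = buildQuery(opName, body, authenticatedUserId);
  const result = await session.run(cypher, params);
  return result.records.map((record) => record.get(0));
}
```

In an HTTP handler the operation name would come from the route, `body` from the parsed JSON, and `authenticatedUserId` from the verified login token, never from the request body. The browser therefore never sees a Cypher statement, and a value like `x' OR 1=1 //` sent as `title` is stored as that literal string rather than being interpreted as part of the query.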