A minimalist go sql wrapper that makes it easy to expose the db readonly over http.

Exposing your database is always said to be a big no no - and I obviously agree with that for the general case.

In some cases, not giving write access to randoms is enough though. We're fine with our clients being tightly coupled to our schema and having the full power of sql available in the frontend is actually a huge plus (e.g. small mostly read-only SPA).

Well... sqlite allows us to register an [[https://www.sqlite.org/c3ref/c_alter_table.html][authorizer callback]] and makes it possible to expose a read only version of our db [fn:1]! There's more information on the sqlite [[https://sqlite.org/security.html][security page]] and there's more we could limit - I'm happy with just prohibiting write access for now though.

#+begin_src go func main() { db := &DB{DataSourceName: "./data.sqlite"} if err := db.Open(); err != nil { log.Fatal(err) } http.Handle("/api", http.HandlerFunc(db.Handler)) log.Fatal(http.ListenAndServe(":8000", nil)) } #+end_src

#+begin_src bash $ curl localhost:8000/api --silent --get --data-urlencode "query=SELECT * FROM sqlite_master LIMIT 1" | jq .

[

{

"name": "migrations",

"rootpage": 2,# "sql": "CREATE TABLE migrations (name STRING, timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP)",

"tbl_name": "migrations",

"type": "table"

}

]

#+end_src

Apart from just exposing the db as read only, gosql also tries to be clever about unmarshalling. I'm not sure where I'm going with that yet and just keep adding onto it whenever a side project needs it. So no documentation on that for now.

• footnotes [fn:1] Using the readonly mode of sqlite itself is not enough - that still allows for various things apart from selects like "attach database '...'". We really don't want