You REALLY want to do data validation and permissions/authorization server side. Never trust the client! It's fine also to do client-side checking, but you must do server-side.
It's moderately easy with Firebase (haven't used Firestore).
I'm definitely interested to see if there's anything for AppSync beyond the checking that the GraphQL schema does (NOTE: I am not an expert in GraphQL schema, it may be a lot more powerful than I know), or if you have to write your own Lambda at that point. Does look like that's easy, though!
I've been using the serverless.com tools for quite a while now, and they're fantastic. Really glad to have this!
You can use a combination of multiple auth schemes for coarse-grained authorization. But, you can also implement your own fine-grained checks at the resolver level. See the AppSync Security documentation at https://docs.aws.amazon.com/appsync/latest/devguide/security...
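The server-side validation and resolver-level check discussed in the comments above, as an added example that is not part of the original thread and not AWS or Serverless Framework code. It assumes a Lambda resolver behind AppSync with Cognito User Pools auth (so the event's `identity` carries `sub` and `groups`); the `updateNote` mutation, the `admins` group and the in-memory `NOTES` data are hypothetical.

```javascript
// Added example: Lambda resolver core for a hypothetical updateNote(id, title) mutation.
// NOTES is constructed sample data standing in for a real table.
const NOTES = new Map([["n1", { id: "n1", owner: "user-alice", title: "draft" }]]);

class ResolverError extends Error {
  constructor(errorType, message) {
    super(message);
    this.errorType = errorType;
  }
}

// Server-side validation: re-check everything, even if the client already did.
function validateArgs(args) {
  const { id, title } = args || {};
  if (typeof id !== "string" || !/^[A-Za-z0-9_-]{1,64}$/.test(id)) {
    throw new ResolverError("ValidationError", "invalid id");
  }
  if (typeof title !== "string" || title.trim().length === 0 || title.length > 200) {
    throw new ResolverError("ValidationError", "invalid title");
  }
  return { id, title: title.trim() };
}

// Fine-grained authorization: caller must own the record or be in "admins" (assumed group).
function authorize(identity, note) {
  if (!identity || typeof identity.sub !== "string") {
    throw new ResolverError("Unauthorized", "no authenticated identity");
  }
  const groups = Array.isArray(identity.groups) ? identity.groups : [];
  if (note.owner !== identity.sub && !groups.includes("admins")) {
    throw new ResolverError("Unauthorized", "not allowed to modify this note");
  }
}

// event.arguments and event.identity follow the AppSync Lambda resolver event shape.
function updateNote(event) {
  const { id, title } = validateArgs(event.arguments);
  const note = NOTES.get(id);
  // Same error for "missing" and "not yours" so callers cannot probe which ids exist.
  if (!note) throw new ResolverError("Unauthorized", "not allowed to modify this note");
  authorize(event.identity, note);
  note.title = title;
  return { id: note.id, owner: note.owner, title: note.title };
}

// Lambda entry point; export it however your packaging expects.
async function handler(event) {
  return updateNote(event);
}
```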