Can clients create collections and objects at will? How to prevent spam?

I am reading the documentation and trying to grasp the concepts. I just read through the storage/collections part and it seems users can write objects to collections and create them in the process?

If not, how do you create a collection so users can only write objects in those collections? How do you prevent spam? :thinking:

Is it the job of the registerBeforeReadStorageObjects hook to filter malicious spammy requests? :thinking:

Sorry if this isn’t the place for asking this, as I said I am still trying to grasp the basics :sweat_smile:

edit: I did find this (Heroic Labs Documentation | Server Runtime Examples) example of an auth write and I get it, but for some things that are not meant to be auth written, the client should be able to write stuff… but then how do I limit what/where they can write?

Hello @elementalcode,

As you correctly point out, you could use a registerBeforeWriteStorageObjects hook to enforce that clients only write to a specific set of collections, or even inspect the payload for allowed values, do a schema check to disallow random data, etc. To prevent spam you’d use the same hook to do velocity checking on the requests.

You could also use said hook to guard the storage object write API and disable it to prevent writes from the client altogether, only writing to the storage engine in an authoritative way, and setting access control on those objects allowing only reads from the client.

Hope this answers your questions.

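The three checks described in the answer above (collection allowlist, payload sanity check, velocity limit) as an added example for the Nakama TypeScript runtime; this is not code from the thread or from Heroic Labs, and the request shapes, collection names and limits are assumptions:

```typescript
// Added example, not Nakama's own code: a before-hook policy for client storage
// writes that (1) allows only named collections, (2) sanity-checks the payload
// and (3) rate-limits writes per user. The interfaces are minimal stand-ins for
// the fields of nkruntime.WriteStorageObjectsRequest (assumed: value is the raw JSON string).
interface WriteObject { collection: string; key: string; value: string; }
interface WriteRequest { objects: WriteObject[]; }

// Constructed policy values; the real names depend on your game's data model.
const ALLOWED_COLLECTIONS = new Set(["player_settings", "inventory_draft"]);
const MAX_VALUE_CHARS = 4096;          // cap on a single object's JSON payload length
const MAX_WRITES_PER_WINDOW = 20;      // velocity limit per user ...
const WINDOW_MS = 60_000;              // ... within a sliding one-minute window

// Per-user timestamps of accepted writes. In-memory, so it is per server node;
// a multi-node cluster would keep this counter in shared storage instead.
const writeLog = new Map<string, number[]>();

// Returns null if the request may proceed, otherwise a rejection reason.
function checkWriteRequest(userId: string, req: WriteRequest, nowMs: number): string | null {
  for (const obj of req.objects) {
    if (!ALLOWED_COLLECTIONS.has(obj.collection)) return `collection not allowed: ${obj.collection}`;
    if (!/^[a-z0-9_]{1,64}$/.test(obj.key)) return `key not allowed: ${obj.key}`;
    if (obj.value.length > MAX_VALUE_CHARS) return "value too large";
    let parsed: unknown;
    try { parsed = JSON.parse(obj.value); } catch { return "value is not JSON"; }
    if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) return "value must be a JSON object";
  }
  // Velocity check: this user's writes inside the window, counting the whole batch.
  const recent = (writeLog.get(userId) ?? []).filter(t => nowMs - t < WINDOW_MS);
  writeLog.set(userId, recent);
  if (recent.length + req.objects.length > MAX_WRITES_PER_WINDOW) return "rate limit exceeded";
  for (let i = 0; i < req.objects.length; i++) recent.push(nowMs);
  return null;
}

// Hook body. Register it in InitModule with
//   initializer.registerBeforeWriteStorageObjects((ctx, logger, nk, data) => beforeWriteStorageObjects(ctx, data));
// Throwing from a before hook rejects the request; returning data lets it through.
function beforeWriteStorageObjects(ctx: { userId: string }, data: WriteRequest): WriteRequest {
  const reason = checkWriteRequest(ctx.userId, data, Date.now());
  if (reason !== null) throw new Error(reason);
  return data;
}
```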