FrancisG-Massey / Capstone2016


Add an extra login to database access model #302

Open sam-hunt opened 7 years ago

sam-hunt commented 7 years ago

While the API request handler has more than enough security against SQL injection, there is no need for the API handler to have createdb permissions on the database as it does currently through the nestnz login.

Having two database login roles makes more sense: one to make database schema updates, i.e. for the db admin to use, and another which the API can use, as this will never need higher permissions for CRUD operations.

This new non-admin user could be granted limited access via SQL on a per-table basis:

ALTER TABLE public.trap OWNER TO nestnz_admin;
GRANT INSERT, UPDATE, SELECT ON public.trap TO nestnz_user;
GRANT ALL PRIVILEGES ON public.trap_trap_id_seq TO nestnz_user;
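A fuller version of the two-role split proposed above, written here as an added example rather than code from the Capstone2016 project. The role names `nestnz_admin` and `nestnz_user`, the table `public.trap` and its sequence `public.trap_trap_id_seq` come from the comment; the password placeholders and the verification queries are assumptions, and the sequence grant is deliberately narrowed from `ALL PRIVILEGES` to `USAGE, SELECT`, which is all an INSERT through a serial column needs on PostgreSQL.

```sql
-- Added example (not from the Capstone2016 repo): least-privilege role split
-- for PostgreSQL. Run as a superuser or as a member of nestnz_admin.

-- Schema-owner role: runs migrations and owns the tables.
CREATE ROLE nestnz_admin LOGIN PASSWORD '<admin-password-placeholder>';

-- Application role: login only. NOSUPERUSER / NOCREATEDB / NOCREATEROLE are
-- the PostgreSQL defaults, but spelling them out makes the intent reviewable.
CREATE ROLE nestnz_user LOGIN PASSWORD '<api-password-placeholder>'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- Hand ownership of the table to the admin role, drop any inherited PUBLIC
-- access, and grant the API role only the row operations it performs.
-- No DELETE, no TRUNCATE, and no DDL: those stay with the owner.
ALTER TABLE public.trap OWNER TO nestnz_admin;
REVOKE ALL ON public.trap FROM PUBLIC;
GRANT INSERT, UPDATE, SELECT ON public.trap TO nestnz_user;

-- A serial column calls nextval() on INSERT, which needs USAGE on the
-- sequence; SELECT lets the API read currval(). UPDATE (setval) is not needed.
GRANT USAGE, SELECT ON SEQUENCE public.trap_trap_id_seq TO nestnz_user;

-- Verification queries (assumed, run after the grants):
-- 1. The API role must carry no database-level privileges.
SELECT rolname, rolsuper, rolcreatedb, rolcreaterole
FROM pg_roles
WHERE rolname IN ('nestnz_admin', 'nestnz_user');
-- Expected: nestnz_user shows false for all three flag columns.

-- 2. Exactly INSERT, UPDATE and SELECT should be listed for public.trap.
SELECT privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'nestnz_user'
  AND table_schema = 'public'
  AND table_name = 'trap'
ORDER BY privilege_type;

-- 3. In a session opened as nestnz_user, both of these should be refused
--    with "permission denied", which is the behaviour the issue asks for:
--    DELETE FROM public.trap;
--    CREATE DATABASE scratch;
```

The API's connection string then uses `nestnz_user`, and only the migration tooling authenticates as `nestnz_admin`. Tables added later need the same `ALTER TABLE ... OWNER TO` and `GRANT` lines, so it is worth keeping them in the migration that creates each table rather than applying them by hand.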