Nice job of working it out. To understand why you need .then() , you’ll need to understand asynchronous programming and Promises . See the following for more information:
Your observation on using backend for security is spot-on! Here’s some more material you might be interested in:
-
Corvid: Security Considerations (especially the section on Code Visibility )
-
Corvid Web Modules: Calling Server-Side Code from the Front-End
Have fun and keep rockin’!