Read & Write data access security rules
Hi all. I am just checking out Convex for the first time, and something that is not clear to me from the docs is how read/write access works. In firebase we have security rules, is there a convex equivalent? My main concern is I would like to use a db api that is not a serverless function in order to write data from the client, using CORS as the main security. I don't want something like firebase where api keys are freely exposed, and anyone can write whatever data they like if the security rules allow it.
7 Replies
Hi @inorganik, welcome to Convex. This is a big feature that folks are excited about Convex for over Firebase: all access to data is mediated by Convex functions (aka server functions, aka database functions) where you can enforce arbitrary security rules.
I'm not quite sure I follow re using CORS as security, but frontend code can't access database table data directly, it can only call the functions that you push to the deployment
Thanks. A couple questions,
- do these functions have a cold start time?
- how do you securely call functions from the client? Like do I have to worry that anyone could use my api key and write data?
There's no cold start, these functions run in our own runtime instead of e.g. AWS Lambda and are already loaded and ready to run at any time.
it depends which API key are you talking about, there is no API key sent to users' browsers — browsers just get the URL. Currently, any site can call these functions: they use CORS headers to allow this. So yes, anyone can call these functions. If it's useful to you we can talk about disabling the CORS part of this, but CORS protections don't prevent non-browsers from calling endpoints, so it doesn't provide the kind of security we need.
But since anyone can call these functions (just like REST endpoints) you need to check authentication inside the Convex functions if you want to restrict the ability to call a certain function.
You don't have to use this authentication though, for example a hit counter endpoint that just adds one to a database row might not need to use authentication
I see. Is it just an auth header with a JWT token?
Convex is mostly used over websocket, not HTTP, but yeah the built-in auth support is a JWT identity token
oh cool, ok
thank you!
@inorganik we just published an article that discusses some of these auth requirements and how to approach them in Convex: https://discord.com/channels/1019350475847499849/1066114385543692338/1066114385543692338