"Internal" authentication
Can someone give me advice on how I might set up some level of "internal" authentication so that I can call convex from a backend service but prevent convex from getting called on the client?
This service wouldn't have traditional access to our "user" auth but I'd still like to call updates to documents from the service
13 Replies
Maybe I can just simply set an API key as the auth and check for that?
I’m assuming you aren’t calling from an action to a mutation or such, where you can use internalMutation. Yes, a somewhat simple way is to pass an API key as a parameter that corresponds to some document in an API key table. If you need to make a new key, make a new document. To revoke access, change the document.
Yeah not calling from an action, it's a lambda on AWS
Using setAuth with something other than an OpenID token corresponding to an auth provider you configured won’t work, but a parameter would
If it’s calling an httpAction, you could pass it as a header
You can look at the “withSession” wrapper in convex-helpers for a way to not have to see the parameter on the function, by wrapping your function
Will that work with the new functions?
Like handler/args
Yup!
Will I need to add the apiKey to all my args?
And correspondingly useServerSession for passing the key transparently, though you’ll have to decide where to pass the key from. I’d probably do an ENV variable in lambda that the client would read
There’s a Stack post on sessions that might be helpful for more context too
Okay cool this will definitely get me by for the time being. Thanks. If you guys weren't so helpful in discord I'd be dead in the water
Glad to help, and good to know where the gaps are, so thank you for asking
Yeah it'd be nice if maybe I could set some sort of "metadata" on the convex requests similar to setAuth. I imagine the APIs might be similar.
I'm sure that's not top priority but would be helpful
i was able to do this for my own app by generating a random secret, giving it to the convex app and the external service as environment variables, and passing it in as a function argument. then you can compare
if (inputKey !== process.env.secretKey) { throw new Error(); }
in your convex function. (similar to @ian's idea but uses an env variable instead of a document)
I'm doing exactly this as well; works great
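Added example, not part of the thread and not Convex or convex-helpers code: the shared-secret check discussed above, written as a wrapper that fails closed when the environment variable is unset, compares without an early exit, and strips the key before the handler sees its arguments. `withServiceKey`, `constantTimeEqual`, the `apiKey` argument name and the sample handler are hypothetical; `secretKey` is the variable name used in the thread.

```javascript
// Added example; withServiceKey and constantTimeEqual are hypothetical helpers,
// not part of Convex or convex-helpers.

// Compare two strings without returning at the first differing character,
// so response time does not reveal how much of a guessed key was correct.
function constantTimeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  // Fold the length difference into the result instead of returning early.
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

// Wrap a (ctx, args) handler so it only runs when args.apiKey matches the
// secret stored in the deployment's environment variables.
function withServiceKey(handler, envName = "secretKey") {
  return (ctx, args) => {
    const { apiKey, ...rest } = args;
    const expected = process.env[envName];
    // Fail closed: an unset or empty secret must never match anything,
    // including a missing apiKey argument.
    if (!expected || !constantTimeEqual(apiKey, expected)) {
      // Same generic error for every failure, so callers learn nothing.
      throw new Error("Unauthorized");
    }
    // The handler never receives the key, so it cannot be stored or logged
    // along with the rest of the arguments.
    return handler(ctx, rest);
  };
}

// Constructed stand-in for a handler body. In a Convex project the wrapped
// function would be passed as the `handler` of a mutation whose `args`
// include `apiKey` as a string (assumption about how you wire it up).
const updateDocument = withServiceKey((ctx, args) => ({
  patched: args.id,
  seenArgs: Object.keys(args),
}));
```

The calling service reads the same secret from its own environment and sends it as the `apiKey` argument; rotating the key means updating both environments.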