Web Dev Cody 2y ago

Using `crypto` in a mutation

Is it possible to synchronously invoke an action from a mutation? I have a use case where I'm trying to do a jwt verify on a mutation, but it doesn't work because I need a node environment with the crypto package. I know you can use the scheduler to invoke an action from a mutation, but I really want the mutation to wait until the results are done of the jwt verify.
13 Replies
Michal Srb 2y ago
Hey Cody, actions cannot run synchronously within mutations atm, because this would break the determinism required for transactionality. Right now the best bets are:

A) call a mutation from an action instead (inverting the situation)
B) Make the dependency work in the Convex environment (by using a different implementation, a fork, etc.)

I’m not sure how far we are from supporting crypto directly, @Tom can chime in on that.
Web Dev Cody OP 2y ago
yeah I've tried using jose and jsonwebtoken, both seem to fail in the mutation. What I'm looking for is a type of middleware function I could put in front of mutations where it will verify a jwt passed into the payload of the mutation and prevent access if the jwt is invalid.

maybe I really just want to use actions for everything in my situation?
Michal Srb 2y ago
We already support auth via JWT tokens, is there a reason it cannot be used? https://docs.convex.dev/auth/custom-auth
Michal Srb 2y ago
In general you don’t want to use actions if you really don’t need to (like to call a third-party api), because you lose the transactionality, automatic retries and “roll backs”. Especially if you’re calling these from our React client that ensures the transactionality end-to-end.
Web Dev Cody OP 2y ago
I read through that page, but it's a bit over my head at the moment... maybe because I'm trying to use next-auth in my setup and I don't get how I'd put a localhost address inside the providers array in the convex auth configuration
Michal Srb 2y ago
Gotcha, you want the backend to be the one verifying the token. I’d have to try and see later today whether the backend can talk to itself to verify a token (but it’s definitely convoluted so verifying the token directly in a query or mutation makes sense, and the crypto dependency seems to be the blocker here).
Web Dev Cody OP 2y ago
yeah, I do wonder if adding web crypto is an option for the non-node runners? I know vercel edge runners support it, but that is also over my head for how hard that would be to add in, or if crypto stuff is even deterministic to begin with

behind the scenes of convex authentication, does it just hit the /.well-known/jwks.json endpoint of the identity provider to verify jwt tokens?

for example, the domain put here:

```js
export default {
  providers: [
    {
      domain: "your.issuer.url.com",
      applicationID: "your-application-id",
    },
  ],
};
```

does it just hit your.issuer.url.com/.well-known/jwks.json to get the public key and then verify the jwt I send in via the ConvexProviderWithAuth provider?
Michal Srb 2y ago
Yes, that's what we do when we're verifying the token (which doesn't happen on every function call, only once per token per websocket connection).
jamwt 2y ago
@Web Dev Cody yeah, getting crypto support in our runtime is something we want to do soon

pretty common need
Michal Srb 2y ago
(Looking deeper, I think we first hit the .well-known/openid-configuration endpoint to get the configuration - the domain needs to support the full OpenID protocol)
Web Dev Cody OP 2y ago
do you happen to know when convex makes its request to the openid identity provider? for example, I set up the following in my auth.config.js

```js
providers: [
  {
    domain: "https://9d12-2601-782-580-d6d0-254b-a39b-972e-5166.ngrok-free.app",
    applicationID: "stuff",
  },
],
```

and I'm using ngrok to host an express service on my laptop, but I'm never seeing that service get invoked from convex, even after I invoke an action which calls auth.getUserIdentity()

you said once per token per websocket connection.. let me look into that. I've tried closing my browser to restart a ws connection but I'm still not getting requests to my express server
ian 2y ago
My mental model was that the JWT validation didn't require hitting the identity provider, which helps keep the mutations fast. So you may only see calls during the configuration stage. But I haven't looked at the code like Michal has, so he may have a more nuanced answer
Web Dev Cody OP 2y ago
ok, I think I was overthinking everything. I got a basic setup with google login, next app router, and next-auth here: https://github.com/webdevcody/next-auth-convex