An appeal for baking security into the platform
Maybe this should have just been a message in #general, but I thought I'd drop it here since it sort of falls into the feature requests category.
I've been on board with keeping a lot of things out of core, but the further I go in my current backend refactor, whether using middleware or something else, I miss the certainty that I would get from true system level RLS and RBAC (and simple niceties like
To wit, my main concern is that any of the currently discussed approaches to authz require continual developer vigilance to work.
This is a problem. I can have RLS middleware, but if an engineer forgets to use it, and it manages to slip through the PR review, we're baked.
It would be amazing to have a formal implementation of configurable authz within convex, similar to how schemas work, fully enforced at the system level. I'm sure this kind of approach has been discussed internally, just wanted to make an appeal for it, and ask if you can share any more on whether it's in the realm of possibility, or else how the team is thinking about enforcement and developer confidence.
I've been on board with keeping a lot of things out of core, but the further I go in my current backend refactor, whether using middleware or something else, I miss the certainty that I would get from true system level RLS and RBAC (and simple niceties like
updatedAt timestamps).To wit, my main concern is that any of the currently discussed approaches to authz require continual developer vigilance to work.
This is a problem. I can have RLS middleware, but if an engineer forgets to use it, and it manages to slip through the PR review, we're baked.
It would be amazing to have a formal implementation of configurable authz within convex, similar to how schemas work, fully enforced at the system level. I'm sure this kind of approach has been discussed internally, just wanted to make an appeal for it, and ask if you can share any more on whether it's in the realm of possibility, or else how the team is thinking about enforcement and developer confidence.
