Convex Community
Convex Community•2y ago•
16 replies
Christian

How is mutation authentication supposed to work?

In this template https://www.convex.dev/templates/nextjs-app-router

in the posts.ts inside the convex folder there is this code
// Imports the snippet relies on (Convex's generated server module and validators);
// CHARACTER_LIMIT is defined elsewhere in the template, its value assumed here.
import { mutation } from "./_generated/server";
import { v } from "convex/values";

const CHARACTER_LIMIT = 280; // assumed value, see note above

export const create = mutation({
  // authorId is taken from the client's arguments and never checked against the caller
  args: { authorId: v.id("users"), text: v.string() },
  handler: async (ctx, { text, authorId }) => {

    if (text.length <= 0 || text.length > CHARACTER_LIMIT) {
      throw new Error("Message is too damn long! (or empty)");
    }

    // Rate limit: at most 3 posts per author in the last minute
    const numSentRecently = (
      await ctx.db
        .query("posts")
        .withIndex("byAuthorId", (q) =>
          q
            .eq("authorId", authorId)
            .gte("_creationTime", Date.now() - 1000 * 60)
        )
        .take(3)
    ).length;

    if (numSentRecently >= 3) {
      throw new Error("Too fast, slow down!");
    }

    await ctx.db.insert("posts", { authorId, text });
    // Instead of computing the number of tweets when a profile
    // is loaded, we "denormalize" the data and increment
    // a counter - this is safe thanks to Convex's ACID properties!
    const author = (await ctx.db.get(authorId))!;
    await ctx.db.patch(authorId, { numPosts: author.numPosts + 1 });
  },
});

There is no check for what user is running this code and seemingly no safeguards against a bad actor trying to post as another user.

Am I missing something or is there more to add for a production ready app?
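An added example, not code from the Convex template or from Convex itself, showing the shape of the fix the question is asking about: the handler stops accepting `authorId` from the client and instead derives the author from the caller's verified identity. It models Convex's `ctx.auth.getUserIdentity()` call, which returns `null` for unauthenticated callers and otherwise an identity whose `tokenIdentifier` can be matched against the users table; the in-memory `ctx`, the `makeCtx` helper, the user ids, the issuer string and `CHARACTER_LIMIT = 280` are all constructed for this example so it runs without the convex package.

```typescript
// Added example (not the template's code). The `ctx` shape is a hand-written,
// in-memory stand-in for Convex's MutationCtx (ctx.auth.getUserIdentity(),
// ctx.db.*); in a real Convex function the generated `mutation` wrapper
// supplies the real ctx.

type Id = string;
// Subset of the fields Convex's UserIdentity carries; tokenIdentifier is the
// "<issuer>|<subject>" string commonly stored on the users table.
type UserIdentity = { tokenIdentifier: string; name?: string };
type UserDoc = { _id: Id; tokenIdentifier: string; numPosts: number };
type PostDoc = { _id: Id; authorId: Id; text: string; _creationTime: number };

interface Ctx {
  auth: { getUserIdentity(): Promise<UserIdentity | null> };
  db: { users: UserDoc[]; posts: PostDoc[] };
  now(): number; // injected clock so the rate-limit window is testable
}

const CHARACTER_LIMIT = 280;      // constructed; the template defines its own
const RATE_LIMIT = 3;             // max posts per window, as in the question
const RATE_WINDOW_MS = 60 * 1000; // one minute, as in the question

// BEFORE (the shape of the code in the question): trusts args.authorId, so any
// caller can pass another user's id and post, and bump numPosts, as that user.
async function createTrustingArgs(ctx: Ctx, args: { authorId: Id; text: string }): Promise<void> {
  const author = ctx.db.users.find((u) => u._id === args.authorId);
  if (!author) throw new Error("Unknown author");
  ctx.db.posts.push({ _id: `posts:${ctx.db.posts.length + 1}`, authorId: author._id, text: args.text, _creationTime: ctx.now() });
  author.numPosts += 1;
}

// Pure helper: map a verified identity to its users row, or refuse.
function resolveAuthor(identity: UserIdentity | null, users: UserDoc[]): UserDoc {
  if (identity === null) throw new Error("Unauthenticated: sign in first");
  const author = users.find((u) => u.tokenIdentifier === identity.tokenIdentifier);
  if (!author) throw new Error("Authenticated, but no users row for this identity");
  return author;
}

// AFTER: authorId is not an argument at all. The server asks the auth layer who
// the caller is, which a client cannot forge; the client only supplies text.
async function createAuthenticated(ctx: Ctx, args: { text: string }): Promise<Id> {
  const author = resolveAuthor(await ctx.auth.getUserIdentity(), ctx.db.users);

  if (args.text.length <= 0 || args.text.length > CHARACTER_LIMIT) {
    throw new Error("Message is too damn long! (or empty)");
  }

  // Rate limit keyed on the *verified* author, so it cannot be evaded by spoofing.
  const since = ctx.now() - RATE_WINDOW_MS;
  const recent = ctx.db.posts.filter((p) => p.authorId === author._id && p._creationTime >= since).length;
  if (recent >= RATE_LIMIT) throw new Error("Too fast, slow down!");

  const _id = `posts:${ctx.db.posts.length + 1}`;
  ctx.db.posts.push({ _id, authorId: author._id, text: args.text, _creationTime: ctx.now() });
  author.numPosts += 1; // denormalized counter, as in the template
  return _id;
}

// Constructed in-memory ctx; `identity` is what the auth provider would report.
function makeCtx(identity: UserIdentity | null, now = 1_700_000_000_000): Ctx {
  return {
    auth: { getUserIdentity: async () => identity },
    db: {
      users: [
        { _id: "users:alice", tokenIdentifier: "https://issuer.example|alice", numPosts: 0 },
        { _id: "users:bob", tokenIdentifier: "https://issuer.example|bob", numPosts: 0 },
      ],
      posts: [],
    },
    now: () => now,
  };
}

// Demonstration: Alice is signed in, but the client claims to be Bob.
async function demo(): Promise<{ spoofedBobPosts: number; hardenedAuthor: Id }> {
  const ctx = makeCtx({ tokenIdentifier: "https://issuer.example|alice" });
  await createTrustingArgs(ctx, { authorId: "users:bob", text: "hi" }); // accepted: Bob's counter moves
  const postId = await createAuthenticated(ctx, { text: "hello" });      // attributed to Alice regardless
  const post = ctx.db.posts.find((p) => p._id === postId)!;
  return { spoofedBobPosts: ctx.db.users[1].numPosts, hardenedAuthor: post.authorId };
}
```

The same pattern applies to any mutation that names a user: treat the identity from `ctx.auth` as the only source of truth, look up the users row by `tokenIdentifier`, and key rate limits and counters on that row rather than on anything the client sent.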