Khalil
Convex Community, 2y ago
5 replies

Best practices for writing DB queries/mutations

I am currently migrating my backend from trpc + prisma to Convex and trying to understand the best practices in terms of writing secure and scalable software with the platform.

My understanding is that every mutation/query/action/HTTP endpoint that I write is exposed to the world, and it's my job to write the logic inside the handler to prevent actions from malicious users?

I currently have a mutation like so:

import { mutation } from "./_generated/server";
import { v } from "convex/values";

export const remove = mutation({
  args: {
    orgId: v.string(),
  },
  handler: async (ctx, args) => {
    // Look up the document for this org; ctx.db.delete needs its _id
    // (the "organizations" table and "by_orgId" index are assumed names)
    const resource = await ctx.db
      .query("organizations")
      .withIndex("by_orgId", (q) => q.eq("orgId", args.orgId))
      .unique();
    if (resource) await ctx.db.delete(resource._id);
    return null;
  },
});

I want to use this mutation both inside an HTTP function that is triggered via webhooks from Clerk, and also inside the webapp for authenticated users.

What would be the best way to secure such mutations that are shared between webhooks and user sessions?
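One way to structure this, as an added example that is neither the poster's code nor Convex's own: keep the deletion in a core that is never exposed to clients (in Convex, an `internalMutation` reached through `internal.*` from the HTTP action), and put the identity and membership check in the public mutation that the webapp calls. The Convex database is replaced here by an in-memory `Map`, and the table, field and id values are constructed assumptions, so the block runs stand-alone.

```typescript
// Constructed stand-in for the Convex "organizations" table
// (table, field and id values are assumptions, not from the post).
type Org = { _id: string; orgId: string; adminIds: string[] };
type Store = Map<string, Org>; // keyed by document _id

// Who is calling, as established by the entry point, never by client claims:
// the HTTP action that verified Clerk's webhook signature, or a user whose
// identity came from ctx.auth.getUserIdentity() (null when not signed in).
type Caller = { kind: "webhook" } | { kind: "user"; subject: string | null };

type Outcome = "removed" | "not_found" | "unauthenticated" | "forbidden";

function findOrg(store: Store, orgId: string): Org | undefined {
  return Array.from(store.values()).find((o) => o.orgId === orgId);
}

// Shared core: performs the delete and nothing else. In Convex this is the
// internalMutation, callable only from other server-side code.
function removeOrgCore(store: Store, orgId: string): Outcome {
  const org = findOrg(store, orgId);
  if (!org) return "not_found";
  store.delete(org._id);
  return "removed";
}

// Public entry point: authorization happens here, before the core runs.
function removeOrg(store: Store, caller: Caller, orgId: string): Outcome {
  if (caller.kind === "user") {
    if (caller.subject === null) return "unauthenticated";
    const org = findOrg(store, orgId);
    // Same answer for "no such org" and "not your org", so a signed-in user
    // cannot probe which org ids exist.
    if (!org || !org.adminIds.includes(caller.subject)) return "forbidden";
  }
  // Webhook path: trust was established by the signature check upstream,
  // so no per-user check applies; it still goes through the same core.
  return removeOrgCore(store, orgId);
}

// Constructed sample data for running the two paths offline.
function makeSampleStore(): Store {
  const store: Store = new Map();
  store.set("doc_1", { _id: "doc_1", orgId: "org_acme", adminIds: ["user_alice"] });
  store.set("doc_2", { _id: "doc_2", orgId: "org_beta", adminIds: ["user_carol"] });
  return store;
}
```

The same split applies to any mutation shared between the two paths: the public function decides who may act, the internal function does the work.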