pipsai, 10mo ago

Storing Firebase uid in Convex db

If I use Firebase as auth, what are the risks of just storing the uid into a users table in Convex?
9 Replies
erquhart, 10mo ago
I haven't used Firebase auth in a while, but speaking generally, storing the external auth provider uid in Convex is a recommended practice. Any specific concerns?
pipsai (OP), 10mo ago
Nothing so far, everyone is using my app (I only have 28 users atm) with no issues, but I'm just looking into the future as we scale if there might be problems. So the way I do it right now is I just call Convex when I need user data and query it with their currently logged user ID. So I basically have,
```tsx
<AuthProvider>
  <ConvexClientProvider>
    <SidebarProvider>
      <NavBar />
      <LeftSidebar />
      <CollapseLayout>
        {children}
      </CollapseLayout>
    </SidebarProvider>
    <Toaster />
  </ConvexClientProvider>
</AuthProvider>
```
Then if I need user data I just call my hook:
```tsx
"use client";
import { useState, useEffect } from 'react';
import { AuthContext } from '@/providers/AuthProvider';
import { useQuery } from 'convex/react';
import { api } from '@/convex/_generated/api';

const useUserConvexData = () => {
  // Current Firebase user from the app's auth provider
  const { user }: any = AuthContext();
  const [user_ID, setUser_ID] = useState("notset");
  const userId = user.user?.uid; // Accessing the user's ID, assuming it's in `uid`
  useEffect(() => {
    setUser_ID(userId);
  }, [userId]);

  // The uid is sent to the Convex query as a plain argument
  const userData = useQuery(api.functions.users.getUser, { userId: user_ID });

  return userData;
};

export default useUserConvexData;
```
Matt Luo, 10mo ago
I haven't completely researched this, but it seems like a security issue if a client can impersonate a user by passing someone else's value for user._id to getUser. You can search my Discord history where I tried to do something similar but then learned to get the user._id and the user's business data all in the same query function.
pipsai (OP), 10mo ago
I might have figured it out. I might have to try this thing again: https://docs.convex.dev/auth/advanced/custom-auth
erquhart, 10mo ago
Oh yeah, you'll need to integrate as an auth provider for sure. Sorry, I assumed that was what you were doing, should have read your code sample 🤦‍♂️ Looks like you could use Firebase as a provider with NextAuth: https://discord.com/channels/1019350475847499849/1235488494579748965/1237709980350677033 (That message is the team's most recent guidance on using Firebase Auth with Convex.)
Matt Luo, 10mo ago
Looks like the key conceptual sentences from that article are:
"All we really need is to implement the useAuthFromProviderX hook which gets passed to the ConvexProviderWithAuth component. This useAuthFromProviderX hook provides a translation between the auth provider API and the ConvexReactClient API, which is ultimately responsible for making sure that the ID token is passed down to your Convex backend."
So my takeaway is: your app's client side code should not be fetching a users._id and then passing it into a subsequent query.
erquhart, 10mo ago
Yeah I wasn't explicit about that in my response - totally agree with Matt, don't do this! It looks like the best documented path is using Auth.js with Firebase as a provider, and then following Michael's new guide for using Auth.js with Convex.
pipsai (OP), 10mo ago
Thank you! I'll keep y'all updated if I figure it out. Basically I just have to grab the JWT token instead of _id. Y'all are the best, it works!
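
The takeaway reached in this thread, as an added example that is not code from any of the posts: the first handler trusts a uid sent by the client, the second takes it from the verified ID token through `ctx.auth.getUserIdentity()`. `Ctx`, `makeCtx`, the handler names and the sample users are constructed stand-ins so the file runs without a Convex deployment, and treating the token's `subject` as the Firebase uid is an assumption.

```typescript
// Added example, not code from the thread. `Ctx`, `makeCtx` and the sample
// rows are constructed stand-ins for a Convex query context.
type Identity = { subject: string }; // assumed: `subject` carries the Firebase uid
type User = { uid: string; email: string };
type Ctx = {
  auth: { getUserIdentity(): Promise<Identity | null> };
  users: User[]; // stand-in for the Convex `users` table
};

const USERS: User[] = [
  { uid: "uid-alice", email: "alice@example.test" },
  { uid: "uid-bob", email: "bob@example.test" },
];

// Context for a caller whose ID token the backend has already verified,
// or for an unauthenticated caller when `verifiedUid` is null.
function makeCtx(verifiedUid: string | null): Ctx {
  return {
    auth: {
      getUserIdentity: async () => (verifiedUid ? { subject: verifiedUid } : null),
    },
    users: USERS,
  };
}

// Pattern from the thread: the uid is a client-controlled argument, so the
// handler returns whichever row the caller names.
async function getUserByArg(ctx: Ctx, args: { userId: string }): Promise<User | null> {
  return ctx.users.find((u) => u.uid === args.userId) ?? null;
}

// Hardened pattern: no uid argument at all; the row is selected by the
// identity taken from the verified token.
async function getCurrentUser(ctx: Ctx): Promise<User | null> {
  const identity = await ctx.auth.getUserIdentity();
  if (identity === null) return null; // unauthenticated callers get no data
  return ctx.users.find((u) => u.uid === identity.subject) ?? null;
}

// Alice is signed in but passes Bob's uid as the argument.
async function demo() {
  const asAlice = makeCtx("uid-alice");
  const leaked = await getUserByArg(asAlice, { userId: "uid-bob" });
  const own = await getCurrentUser(asAlice);
  const anon = await getCurrentUser(makeCtx(null));
  return { leaked: leaked?.email, own: own?.email, anon };
}
```

In a real Convex function the same check sits at the top of the query handler, and the client hook calls the query with no `userId` argument.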
