Clerk Webhook for User Creation - is this really suitable?
The docs recommend using a web to store user data from clerk into a Users table in Convex.
Not entirely sure this is a suitable method as webhooks are considered brittle, and so if we have to implement a fallback of sorts, should this really be the recommended option for external auth? Perhaps the docs could recommend using the Clerk User object and a mutation (or even better, build a convex-helper function). https://clerk.com/docs/references/javascript/user/user
Would like to know your thoughts.
JavaScript: User object
The User object holds all the information for a user of your application and provides a set of methods to manage their account. Users have a unique authentication identifier which might be their email address, phone number or a username.
5 Replies
In sveltekit I'm thinking of using the afterSignUpUrl option of the clerk hook to create the User record in convex based on the Clerk User object. Not sure how it's done in the react solution.
Careful about orchestrating this from the frontend: if you accept user objects in Convex mutations and queries without validating that it's really from this user via
auth.getUserIdentity() this isn't secure; a malicious frontend could send in anything.
If you're in a Convex action, then yeah using a user object works great! But since this is a network request, you can't do it in the same transaction as other code. That's much of the reason to suggest webhooks by default: instead of needing to fetch a user in every Convex backend interaction that needs a user, the users are sitting in a table where you can access them in the same transaction.I've been using auth.getUserIdentity() in my queries, but I appreciate the advice! The clerk-sveltekit library makes the user object available server side after sign-in so perhaps I can handle it there.
e.g. new user signs-up via clerk, clerk hook redirects them to the afterSignUpUrl, a server-side page load function uses the Clerk User object that's been injected into the locals.session, a Convex mutation checks getUserIdentity() and creates the user table entry.
Or is locals.session unsafe?
https://github.com/markjaquith/clerk-sveltekit?tab=readme-ov-file#using-clerk-data-on-the-server
GitHub
GitHub - markjaquith/clerk-sveltekit: Clerk adapter for SvelteKit
Clerk adapter for SvelteKit. Contribute to markjaquith/clerk-sveltekit development by creating an account on GitHub.
That sounds safe since it's server-side, just warning folks about the naive approach of sending the current user as an argument to a function.
gotcha, always appreciated