unsphere, 5mo ago

How to obtain cookies in Convex Auth ConvexCredentials authorize?

Hi there, is it somehow possible to get the cookies inside ConvexCredentials authorize? I need to get them to verify the credentials. In NextAuth there is the req parameter in authorize. Your http actions have it as well.
```ts
import { convexAuth } from "@convex-dev/auth/server";
import { ConvexCredentials } from "@convex-dev/auth/providers/ConvexCredentials";
import { createPublicClient, http } from "viem";
import * as chains from "viem/chains";
import { parseSiweMessage } from "viem/siwe";
import { internal } from "./_generated/api";

export const { auth, signIn, signOut, store } = convexAuth({
  providers: [
    ConvexCredentials({
      id: "siwe",
      authorize: async (
        credentials: {
          message?: string;
          signature?: `0x${string}`;
        },
        ctx,
      ) => {
        try {
          const { message, signature } = credentials;

          if (!message || !signature) {
            return null;
          }

          // Parse the EIP-4361 (Sign-In with Ethereum) message.
          const parsed = parseSiweMessage(message);

          if (!parsed.nonce || !parsed.address || !parsed.chainId) {
            return null;
          }

          // Only accept chains known to viem.
          const chain = Object.values(chains).find(
            (chain) => chain.id === parsed.chainId,
          );

          if (!chain) {
            return null;
          }

          /* NEED COOKIES HERE
          const session = await getIronSession<{ nonce: string }>(cookies(), sessionConfig);

          if (parsed.nonce !== session.nonce) {
            return null
          }
          */

          const publicClient = createPublicClient({
            chain,
            transport: http(),
          });

          // Verify the signature, domain, scheme and validity window.
          const verified = await publicClient.verifySiweMessage({
            message,
            signature,
            //nonce: session.nonce,
            scheme: process.env.NODE_ENV === "development" ? "http" : "https",
            domain: DOMAIN,
            time: new Date(),
          });

          if (!verified) {
            return null;
          }

          const userId = await ctx.runMutation(internal.user.store, {
            wallet: parsed.address,
          });

          return {
            userId,
          };
        } catch (error) {
          console.error(error);
          return null;
        }
      },
    }),
  ],
});
```
2 Replies
sshader, 5mo ago
Convex Auth mostly uses actions (as opposed to HTTP actions), so they don't have access to cookies. We use local storage for most client-side secret storage (see https://labs.convex.dev/auth/security#client-secrets-storage). Can you say more about why you need to use cookies here? Generally you'd need some sort of proxy between whatever is serving your frontend code + Convex in order to use cookies (e.g. NextJS middleware).
unsphere (OP), 5mo ago
Ah yeah, totally forgot the third party cookie aspect. Thanks. I solved it now by using convex helper sessions and will post a full example repo here soon.
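
One way to check the SIWE nonce without cookies, as an added example that is not code from this thread or from Convex Auth: keep the nonce server-side, keyed by a client-generated session ID that is sent alongside `message` and `signature`. `NonceStore`, `issue`, `consume`, `NONCE_TTL_MS` and the in-memory `Map` are assumptions; in a Convex app the map would be a table written by mutations.

```typescript
// Hypothetical names throughout; this models the storage logic only.
type NonceRecord = { nonce: string; expiresAt: number };

const NONCE_TTL_MS = 5 * 60 * 1000; // assumed lifetime of an unused nonce

class NonceStore {
  // Stand-in for a database table keyed by session ID.
  records = new Map<string, NonceRecord>();

  // Called before the wallet signs: returns the nonce to embed in the SIWE message.
  issue(sessionId: string, now: number = Date.now()): string {
    const bytes = new Uint8Array(16);
    crypto.getRandomValues(bytes); // Web Crypto CSPRNG
    const nonce = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
    // Issuing again for the same session replaces any earlier nonce.
    this.records.set(sessionId, { nonce, expiresAt: now + NONCE_TTL_MS });
    return nonce;
  }

  // Called from authorize() with the nonce parsed out of the signed message.
  consume(sessionId: string, presented: string, now: number = Date.now()): boolean {
    const record = this.records.get(sessionId);
    // Burn the nonce on the first attempt, pass or fail, so it cannot be replayed or guessed at.
    this.records.delete(sessionId);
    if (!record || now > record.expiresAt) {
      return false;
    }
    return constantTimeEqual(record.nonce, presented);
  }
}

// Compare without returning early on the first differing character.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) {
    return false;
  }
  let diff = 0;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  }
  return diff === 0;
}
```

In the `authorize` callback above, `consume(sessionId, parsed.nonce)` would take the place of the commented-out cookie check, and the same nonce can then be passed to `verifySiweMessage` as `nonce`.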