Validate convex auth from standalone hono server.
I have a use case where we have a standalone hono server with cloudflare AI worker.
It lives in the same repo as our convex backend, and the rest of our stack.
I'd like to make calls with it from our frontend, but want those calls to only be made from an authed user.
I know I can roll a simple jwt solution. But I thought, I could perhaps pass the convexAuthToken as a header. Then from the hono server, can I import convex, and validate that user in a hono middleware?
Let me know if this needs more explanation. And if it is possible with a quick guide. 🙏
Attached a screenshot of how you can do this with say Fastify and Clerk. I don't think it needs a custom plugin. Just a function that can validate the passed in token. And can be reused if we need to call convex from the hono server. And we don't even need the whole user obj. Knowing that the user has a valid session, and perhaps their userId would suffice.
Thank you.
cc: @Michal Srb cc: @Mordsith
5 Replies
Thanks for posting in <#1088161997662724167>.
Reminder: If you have a Convex Pro account, use the Convex Dashboard to file support tickets.
- Provide context: What are you trying to achieve, what is the end-user interaction, what are you seeing? (full error message, command output, etc.)
- Use search.convex.dev to search Docs, Stack, and Discord all at once.
- Ask in the <#1228095053885476985> channel to get a response from <@1072591948499664996>.
- Avoid tagging staff unless specifically instructed.
Thank you!
You could call a Convex function with the provided token (e.g. using the Convex HTTP client) from your endpoints which effectively just returns `auth.getUserIdentity()` (or whatever subset you need).
Happy to write up a little pseudocode for what this would look like if that would be helpful.
So call that http endpoint, and just pass back the convexAuthToken as headers. But that's an api call I'd like to avoid. I'd ideally like something to just verify the headers. In the case of the clerk example above, getAuth does not make an api call. Only the clerkClient.user does, which in our case, we don't really need to get the user for each and every call.
https://clerk.com/docs/references/tanstack-start/get-auth#get-auth
I'm not super familiar with the Clerk libraries here, but at least with Convex, you have to talk to a Convex server to validate the identity associated with an auth token (and right now, the main way of doing this is via a Convex function call, and we don't expose a separate API for this).
From a little bit of reading of the code, it looks like the Clerk library might be doing an API call in middleware to be able to supply the result of `getAuth` (https://github.com/clerk/javascript/blob/5e0da19123b585d0cbf502f3138076be6c4c126f/packages/fastify/src/withClerkMiddleware.ts)
Is the concern here having to pay for too many function calls if you validated the identity with a Convex function?
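As an added example (not code from this thread, from Convex or from Hono), the approach sshader describes wired into a Hono middleware: the client's Convex auth token is forwarded to a Convex query that returns `ctx.auth.getUserIdentity()`, and the request is rejected when that is null. The Convex function name `api.auth.me`, the `Authorization: Bearer` header layout and the `userId` context key are assumptions; the Convex client and Hono context are typed structurally so the block runs stand-alone.

```typescript
// Convex side (file and export name assumed, e.g. convex/auth.ts), using the
// real Convex server API as sshader suggests:
//   export const me = query({
//     args: {},
//     handler: async (ctx) => ctx.auth.getUserIdentity(),
//   });
// The Hono side below depends only on the method shapes of ConvexHttpClient
// ("convex/browser") and of Hono's Context, so it runs stand-alone here and can
// be wired to a real client and `api.auth.me` (names assumed) via app.use(...).

// Subset of the UserIdentity returned by ctx.auth.getUserIdentity().
export interface Identity { subject: string; tokenIdentifier: string }

// Structural subset of ConvexHttpClient: setAuth(token) then query(fn, args).
export interface ConvexClientLike {
  setAuth(token: string): void;
  query(fn: unknown, args: Record<string, never>): Promise<Identity | null>;
}

// Structural subset of Hono's Context; a real Context satisfies it.
export interface CtxLike<R> {
  req: { header(name: string): string | undefined };
  set(key: string, value: unknown): void;
  json(body: unknown, status: number): R;
}

// Extract the token from "Authorization: Bearer <convexAuthToken>".
export function bearerToken(header: string | undefined): string | null {
  const m = /^Bearer\s+(\S+)$/i.exec((header ?? "").trim());
  return m?.[1] ?? null;
}

// newClient is a factory on purpose: setAuth() mutates the client, so a fresh
// instance per request keeps one caller's token from leaking into another's.
export function requireConvexIdentity(newClient: () => ConvexClientLike, meQuery: unknown) {
  return async <R>(c: CtxLike<R>, next: () => Promise<void>): Promise<R | void> => {
    const token = bearerToken(c.req.header("Authorization"));
    if (!token) return c.json({ error: "missing bearer token" }, 401);
    const client = newClient();
    client.setAuth(token);
    // This is the one Convex call per request the thread is weighing up.
    const identity = await client.query(meQuery, {});
    if (!identity) return c.json({ error: "invalid or expired token" }, 401);
    c.set("userId", identity.subject); // handlers read it back with c.get("userId")
    await next();
  };
}
```

This still costs exactly the one extra Convex function call per request discussed above; what it avoids is fetching a full user object, since the identity's `subject` is enough to gate the route.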
Thanks @sshader . It's not so much having to pay. This particular standalone server hosts all our llm stuff. And is used frequently. I just don't like the overhead of having to make an additional api request for every call to it. An alternate solution would be for us to retrieve a temp short-lived session cookie for the user, that we locally validate in the hono middleware and use that in the request when in a view that needs it. And this bypasses that extra api call for each request. We don't really care as much who the user is most times. Just that they are authenticated. And will be ok to call the convex function when we do. Just thought there might be a convex solution here. I do appreciate your responses. And will explore more.
Thank you.