Validate a user during the auth step
I'm working on a personal app (i.e. nobody else should use it but me), and the easiest way I could think of to launch it is to deploy it online (e.g. Vercel) and use auth to prevent anyone but me from using it.
I added Convex Auth to the app code yesterday, configured to use GitHub, and that part works fine. Once the auth phase is complete, I can look at the user details, see whether or not it's me, and just not render anything if it's some other GitHub user. However, is there a way to restrict any other GitHub user from even completing the auth phase? For example, GitHub verifies that someone has a GitHub account, but compares that against a list that I provide to only allow select users (e.g. me) to complete the rest of the auth.
I'm likely going to face a similar challenge in the future when adding auth to an app that I'll be creating for work. It should only be usable by company employees, and the company emails are all run through a Google workspace, so I was thinking of using Google auth to verify our users and only allow those with emails from our workspace/domain to access the app. However, I have a similar question about a mid-phase verification. For example, the Google auth page loads and a user picks their Google account that they'd like to use to log in. What I'd ideally like to do is prevent the password entry from even appearing if their email isn't on our domain.
Is something like that even possible, whether it's with Convex Auth or some other provider like Clerk?
9 Replies
I can only think of Google business, and I know GitHub has organizations, which may actually restrict access to your app to only your org users.
Look it up 🙂
While GitHub does have organizations, GitHub's OAuth app setup doesn't use them, nor does it contain any user-restriction features that I can see.
I dug into the Google side of things, and it looks like their auth config does provide the ability to limit access to members of an organization. I'll see about pivoting to use that and share any insights I find along the way.
Thank you 🙂
From Google's docs (https://cloud.google.com/resource-manager/docs/manage-google-cloud-resources):
"An organization resource is available for Google Workspace and Cloud Identity customers"
TL/DR: it's not free. In my case, I'm already paying for a basic Google Workspace account, so I should be able to do it. It would be nice if free Google accounts had this option as well.
Of course not free... it's organizations 😄
Took out Convex Auth and set up the app to use Clerk and Google. Works perfectly, and restricts access to my lone Google workspace account.
Thank you
Forgot to mention that setting up the Google workspace restriction is as simple as choosing "Internal" in the "User Type" section of the OAuth consent screen config.
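
Added example, not part of the original thread and not Convex Auth or Clerk code: a server-side allowlist check on the identity the provider returns, which covers the GitHub case where no provider-side restriction was found and backs up the Google "Internal" setting. The function name, allowlist values and sample claims are hypothetical, and it assumes the claims come from a profile or ID token your auth library has already verified.

```javascript
// Hypothetical allowlists; the values are constructed for this example.
const ALLOWED_GITHUB_IDS = new Set([1234567]);   // numeric GitHub user ids
const ALLOWED_GOOGLE_DOMAIN = "example.com";     // Google Workspace domain

const allow = () => ({ allowed: true, reason: "ok" });
const deny = (reason) => ({ allowed: false, reason });

// Decide whether a completed OAuth sign-in may become a session.
// Run this on the server before creating the session; hiding the UI on the
// client does not stop another user from holding a valid session.
function checkSignIn(provider, claims) {
  if (claims === null || typeof claims !== "object") return deny("missing claims");

  if (provider === "github") {
    // Match the immutable numeric id. `login` can be renamed and later
    // claimed by someone else, so it is not a stable identity.
    if (!Number.isInteger(claims.id)) return deny("missing numeric id");
    return ALLOWED_GITHUB_IDS.has(claims.id)
      ? allow()
      : deny("github id not on allowlist");
  }

  if (provider === "google") {
    if (claims.email_verified !== true) return deny("email not verified");
    // `hd` (hosted domain) is only present for Workspace / Cloud Identity
    // accounts; personal Google accounts have no `hd` claim at all.
    if (typeof claims.hd !== "string") return deny("no hosted domain");
    return claims.hd.toLowerCase() === ALLOWED_GOOGLE_DOMAIN
      ? allow()
      : deny("hosted domain mismatch");
  }

  return deny("unknown provider");
}

// Constructed sample sign-ins and the decision for each.
const SAMPLES = [
  ["github", { id: 1234567, login: "owner" }],
  ["github", { id: 7654321, login: "owner" }], // same login, different account
  ["google", { email: "a@example.com", email_verified: true, hd: "example.com" }],
  ["google", { email: "a@gmail.com", email_verified: true }],
];
function evaluateSamples() {
  return SAMPLES.map(([provider, claims]) => checkSignIn(provider, claims).allowed);
}
```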