vɔːʊlkɔː, 5d ago

Making an open-source Convex app, for those who don't want to write any code and just want a website.

For the past month, I've been working on an app called Mathalogical (just a random name that doesn't really mean anything). It’s designed for people writing papers on math. Mathalogical is a blog/self-noting, self-hosting website where you don’t need to write any code. With simple steps to guide you through the setup process, you can start writing papers in no time—keeping some private or publishing them to the internet. I found Convex very easy to use and far better than other backend services. However, there’s an issue with website functionality related to hosting using the generatekeys.mjs script from the Convex auth guide for manual setup. It seems that you have to run the code on your local device, which requires installing Node.js. This step feels unnecessary for users who just want to write in the editor and have no interest in development tools. I was hoping we could find a solution to this. Thank you!
vɔːʊlkɔː (OP), 5d ago
Question: So it's possible to run generatekeys.mjs on a website? As you (Tom) said, "The reason we don't provide a hosted version of generatekeys.mjs is that it's important that these keys be secret and it's easier to trust that when it's code running on your own machine." What are the possible vulnerabilities with making a website that, with a click of a button, generates the keys and copies them into the user's system clipboard?
ballingt, 5d ago
Yeah! I'd add a page like this to your project site. Right now this script uses Node.js APIs, but similar APIs exist in the browser. The security worry here is that you could, e.g., give out the same key to everyone, and then anyone could pretend to be anyone on any of these sites. So it's important that you don't do that, that you actually generate these.
vɔːʊlkɔː (OP), 5d ago
yeah
ballingt, 5d ago
And on that same page (I'm imagining you'll have a whole page of instructions about how to create your own instance of this, because there are going to be a lot of steps) you could offer running the script as an option
vɔːʊlkɔː (OP), 5d ago
yep
ballingt, 5d ago
for more security-conscious folks who would rather do that. But yeah, it totally works to do it on that page: jose, the library used there, works in a browser
import { exportJWK, exportPKCS8, generateKeyPair } from "jose";

export async function generateKeys() {
  try {
    const keys = await generateKeyPair("RS256");
    const privateKey = await exportPKCS8(keys.privateKey);
    const publicKey = await exportJWK(keys.publicKey);
    const jwks = JSON.stringify({ keys: [{ use: "sig", ...publicKey }] });
    return {
      JWT_PRIVATE_KEY: `${privateKey.trimEnd().replace(/\n/g, " ")}`,
      JWKS: jwks,
    };
  } catch (error) {
    console.error(
      "Could not generate private and public key, are you running this command using Node.js?\n",
      error,
    );
    process.exit(1);
  }
}
so you might wire up a button to run this code and show the two values in the browser
vɔːʊlkɔː (OP), 5d ago
got it, thank you. Yeah, there will be a lot of steps, but worth it for those who don't like writing code and making their own editors. It will be a very big project, but as long as I take everything step by step, it'll work out.
ballingt, 5d ago
oops, missed this question:
"what are the possible vulnerabilities with making a website that with a click of a button, generates the keys, and copies them into the users systems clipboard?"
The possible vulnerability is that you're running code that could send that token to someone else (probably the person who made the website) or could hand out the same keys to everyone. The bigger picture is "what if someone forks your project and changes the code to do this? Now Mathalogical is secure, but the copy Logimathical isn't, so we'd better not encourage it in general", but for your own project you can decide the risks here.
vɔːʊlkɔː (OP), 5d ago
I mean, like, I would have a main website where all the steps for setting up the project are. I will host it, and no one else will have the possibility to host it.
ballingt, 5d ago
yeah seems fine!
vɔːʊlkɔː (OP), 5d ago
So everything I do would be more my responsibility, to keep everyone who wants to make their own instance safe.
ballingt, 5d ago
Just like any time you run code written by someone else, yeah
vɔːʊlkɔː (OP), 5d ago
yep
ballingt, 5d ago
Sounds like a cool project! Let us know if there are steps that are hard to walk people through like this; being able to set up a Convex project just by clicking isn't something we've designed for much, so there might be some little things missing, but we can probably fix them.
vɔːʊlkɔː (OP), 5d ago
Thank you so much! I'll be sure to let you know if anything pops up on the way. It's a very ambitious project lol. This is how the editor looks right now. I'm using KaTeX's default font (CMU Serif Roman). I also noticed that your website uses the same font, lol. My editor can be shared with multiple users, and I'm currently working on publishing documents. There are no KaTeX math or / commands, as they are very hard to implement, and I'm focusing on other aspects of the website at the moment.
vɔːʊlkɔː (OP), 5d ago
[image attachment: screenshot of the editor]
vɔːʊlkɔː (OP), 5d ago
very simple, but that's the thing: it feels modern, but is still classy. If the user wants to, he can always change stuff.
ballingt, 5d ago
oh hah, yeah I'm a fan
vɔːʊlkɔː (OP), 5d ago
fr, same