Rust-based Auth

Out of interest. Seeing convex is rust based. Why wasn't there a native rust implementation of auth?

I suppose the choice to go with auth.js is that there are more important things to do first?

ballingt•1/14/25, 8:01 PM

On the backend auth (validating the JWT, etc.) is implemented in Rust. But for an auth library, ecosystem compatibility and programability are the top priorities.

ballingt•1/14/25, 8:03 PM

@Paul what aspects of auth might you expect to be implemented in Rust? Are you talking about the Convex Auth library?

ballingt•1/14/25, 8:04 PM

Today in Convex developers write their applications, frontend and Convex backend functions, in TypeScript. Someday we'd like to see folks writing backend functions in Rust, but we haven't prioritized a Rust SDK for writing Convex functions because the power of using the same language on the frontend and the backend is so great.

Bballingt On the backend auth (validating the JWT, etc.) is implemented in Rust. But for a...

PaulOP•1/14/25, 8:22 PM

On the backend auth (validating the JWT, etc.) is implemented in Rust. But for an auth library, ecosystem compatibility and programability are the top priorities.

I didn't know that! I haven't yet gone through the code and assumed that due to auth.js being used. That's where the emphasis for the question was.

what aspects of auth might you expect to be implemented in Rust?

creation, query and management of the JWT and refresh via the js SDK.

Rust SDK

I'm not advocating for developing in rust. I have actually thought (deeply) about this, since I have a heavy rust backend. It's always just easier to do things in javascript.

It's probably due to having a much stronger dev exp with it, rather than in rust. Something I will fix this year though.

PaulOP•1/14/25, 8:23 PM

Looks like I'm going to have to put on my list, pulling apart convex and going through the code.

PPaul > On the backend auth (validating the JWT, etc.) is implemented in Rust. But for...

ballingt•1/14/25, 8:30 PM

Happy to answer questions too! Especially interested in what feels like it's missing from the SDK surface, and we can decide internally whether to implement things in Rust vs JS. But if it's userspace code, code that's just a library running on your Convex deployment, today that has to be JS.

ballingt•1/14/25, 8:30 PM

Yeah when you run your own JWT minting by implementing OAuth yourself with the Convex Auth library (the thing that uses parts of auth.js) that's all done in JS on your deployment. It's just user-space code that some people run on their deployments.

ballingt•1/14/25, 8:35 PM

It's always just easier to do things in javascript. It's probably due to having a much stronger dev exp with it, rather than in rust.

It's real, Rust is pretty great language for building a database but very few would cite it as a favorite for business logic

ballingt•1/14/25, 9:11 PM

creation, query and management of the JWT and refresh via the js SDK

That makes sense, yeah if being an OAuth identity provider every becomes part of the core product we could do this. Today this is all userspace stuff though, it's just some JavaScript you're running on your database.

Bballingt > creation, query and management of the JWT and refresh via the js SDK That make...

PaulOP•1/14/25, 9:21 PM

Just to confirm, this is where all the JWT stuff happens on the backend?
https://github.com/get-convex/convex-backend/tree/main/crates/authentication

GitHub

convex-backend/crates/authentication at main · get-convex/convex-ba...

The Convex open-source backend. Contribute to get-convex/convex-backend development by creating an account on GitHub.

ballingt•1/14/25, 9:23 PM

Yeah, here the backend just validates the identity send in on the websocket or HTTP request. https://github.com/get-convex/convex-backend/blob/main/crates/authentication/src/lib.rs in particular

ballingt•1/14/25, 9:31 PM

@Paul All the backend does is validate and expose these to the JS layer of queries, mutations and actions via

ballingt•1/14/25, 9:44 PM

These JWTs can be provided by any OpenID Connect-compliant identity provider, we point people to Clerk or Auth0. The browser goes through that auth flow and then handles keeping the identity up to date by refreshing those tokens over time. If you want to use your Convex backend instead of Clerk, we have an npm library that implements that OpenID Connect identity token flow on the Convex deployment (aka backend) and relevant client code to talk to it.

Bballingt These JWTs can be provided by any OpenID Connect-compliant identity provider, we...

PaulOP•1/14/25, 9:46 PM

we have an npm library

Is that the lib that's based on auth.js?

ballingt•1/14/25, 9:46 PM

Yeah, https://labs.convex.dev/auth https://github.com/get-convex/convex-auth

PPaul > we have an npm library Is that the lib that's based on auth.js?

ballingt•1/14/25, 9:49 PM

it uses parts of auth.js as a dependency https://github.com/get-convex/convex-auth/blob/main/package.json#L76

Bballingt it uses parts of auth.js as a dependency https://github.com/get-convex/convex-au...

PaulOP•1/14/25, 9:51 PM

Also a few pilcrowonpaper libs I see as well.

PPaul Also a few pilcrowonpaper libs I see as well. 😄

ballingt•1/14/25, 9:53 PM

yeah his work has been really helpful!

PaulOP•1/14/25, 9:55 PM

It's a shame lucia was deprecated. Definitely really liked his work.

I think I have what I need to start taking a look. So much appreciative! Although it won't be for a week or so. About to go down another different rabbit hole.

PaulOP•1/14/25, 9:55 PM

So thanks again!

ballingt•1/14/25, 9:58 PM

Good luck on your other rabbit hole! Would love to hear how you find it when you get back to Convex. Then later if you dive into the Rust stuff, we're working on our open source flows atm, either for debugging or contributions the codebase should be easier to interact with soon.