Security questions
Hi!
I love Convex, but now I face a project that is restricted on the security front. So a couple of questions:
* There is no native API key or token exchange between client and server, and the Convex backend URL is sent to the front (next_public_convex_url). Does this mean that anyone with knowledge of the schema could attack and steal my data (for example a former developer from my team)?
(In classical scenarios I rotate the passwords and that's about it, but in Convex there is no such mechanism; the front directly queries the data without any authentication.)
* Currently you invite team members to a team, and that team has access to all projects in it. Is there access control or granularity per project?
I may not want all people accessing all data.
Thank you for your help!
11 Replies
Thanks for posting in <#1088161997662724167>.
Reminder: If you have a Convex Pro account, use the Convex Dashboard to file support tickets.
- Provide context: What are you trying to achieve, what is the end-user interaction, what are you seeing? (full error message, command output, etc.)
- Use search.convex.dev to search Docs, Stack, and Discord all at once.
- Additionally, you can post your questions in the Convex Community's <#1228095053885476985> channel to receive a response from AI.
- Avoid tagging staff unless specifically instructed.
Thank you!
For the first concern, it sounds like you want to implement auth, and check authentication and authorization in all public functions. https://docs.convex.dev/auth
For the second concern, it's true that teams have access to all projects on the team. There are per-project admins to restrict some operations, but we've considered adding more granular permissions. What kind of restrictions are you looking for?
See https://docs.convex.dev/dashboard/teams#project-admins for details on project admin vs developer distinction
> Does this mean that anyone with knowledge of the schema could attack and steal my data (for example a former developer from my team)?
Just realized this could mean "schema" like data model (I was assuming "schema" meant publicly exported functions). With just the next_public_convex_url, you can't access the data model directly. You must go through public functions (or through the dashboard or CLI, which requires logging in to the Convex team). Therefore public functions like
export const getData = query(...)
are where you can put access control.
Thank you, but that means I have to create that extra security layer for all my exported queries/mutations and actions?
If I have an exported deleteAllData mutation (in the API, like api.db.deleteAll), I could in theory use the console to invoke that method and have all my data erased without having access to the dashboard or CLI. Is this correct?
I know it would be lousy design, but a more practical example would be changing the queries to obtain restricted data.
Thank you for your answers!
Yep. This isn't an "extra" layer of security -- this is the only security layer. If you want the code to be simpler you can use some of our helpers https://stack.convex.dev/custom-functions#consuming-a-function-argument-for-basic-api-key-auth and enforce that the custom function is used with a lint rule https://stack.convex.dev/eslint-setup#enforcing-imports-with-eslint
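The point made above, that the public function body is the only security layer, as an added example (this is not Convex's code, nor code from anyone in this thread). The Convex pieces are replaced by stand-ins so it runs offline: `query`, `Ctx`, `ctx.auth.getUserIdentity()` and `ctx.db` are all assumed, simplified, synchronous models here, and `authenticatedQuery` is an assumed wrapper in the spirit of the custom-function helper linked above. The unsafe and hardened versions of the same read are placed side by side so the difference in what an anonymous or cross-tenant caller gets back is visible.

```typescript
// Added example, not code from Convex or from this thread. The Convex pieces
// (`query`, `ctx.auth.getUserIdentity()`, `ctx.db`) are replaced by small
// synchronous stand-ins so the pattern can be run and tested offline.

type Identity = { subject: string } | null;
type Doc = { _id: string; owner: string; secret: string };

// Stand-in for the Convex function context: an auth accessor plus an in-memory table.
type Ctx = {
  auth: { getUserIdentity: () => Identity };
  db: { documents: Doc[] };
};
type Handler<A, R> = (ctx: Ctx, args: A) => R;

// Stand-in for the `query()` builder. A public function is reachable by anyone
// holding the deployment URL, with arguments of the caller's choosing, so the
// handler body is the only place where access is decided.
function query<A, R>(handler: Handler<A, R>): Handler<A, R> {
  return handler;
}

// Custom-function style wrapper (assumed name): consume the identity once,
// reject unauthenticated callers, and hand a `user` field to the inner handler
// so every function built with it is authenticated by construction.
function authenticatedQuery<A, R>(
  handler: (ctx: Ctx & { user: string }, args: A) => R,
): Handler<A, R> {
  return query((ctx, args) => {
    const identity = ctx.auth.getUserIdentity();
    if (identity === null) throw new Error("Unauthenticated");
    return handler({ ...ctx, user: identity.subject }, args);
  });
}

// The "before": returns whichever document the caller names, to anyone.
export const getDocUnsafe = query((ctx: Ctx, args: { id: string }): Doc | null => {
  return ctx.db.documents.find((d) => d._id === args.id) ?? null;
});

// The "after": authentication comes from the wrapper; authorization (only the
// owner may read a document) is checked in the handler itself.
export const getDoc = authenticatedQuery((ctx, args: { id: string }): Doc | null => {
  const doc = ctx.db.documents.find((d) => d._id === args.id);
  if (doc === undefined) return null;
  if (doc.owner !== ctx.user) throw new Error("Forbidden");
  return doc;
});

// Constructed sample data (not real records) and a context builder for a caller.
const sampleDocs: Doc[] = [
  { _id: "doc1", owner: "alice", secret: "alice's notes" },
  { _id: "doc2", owner: "bob", secret: "bob's notes" },
];
export function ctxFor(caller: string | null): Ctx {
  return {
    auth: { getUserIdentity: () => (caller === null ? null : { subject: caller }) },
    db: { documents: sampleDocs },
  };
}

// Invokes a function the way a client would and reports the outcome as a string.
export function invoke(
  fn: Handler<{ id: string }, Doc | null>,
  caller: string | null,
  id: string,
): string {
  try {
    const result = fn(ctxFor(caller), { id });
    return result === null ? "not-found" : `ok:${result.secret}`;
  } catch (e) {
    return `error:${(e as Error).message}`;
  }
}

// Side-by-side outcomes for the same request against the unsafe and hardened functions.
export function demo(): Record<string, string> {
  return {
    anonymousUnsafe: invoke(getDocUnsafe, null, "doc2"), // "ok:bob's notes"
    anonymousSafe: invoke(getDoc, null, "doc2"), // "error:Unauthenticated"
    crossUserSafe: invoke(getDoc, "alice", "doc2"), // "error:Forbidden"
    ownerSafe: invoke(getDoc, "bob", "doc2"), // "ok:bob's notes"
    missingSafe: invoke(getDoc, "bob", "doc9"), // "not-found"
  };
}
```

The wrapper only proves who the caller is; the ownership check inside `getDoc` is what stops an authenticated user from reading another user's rows, and it has to be repeated (or factored into a helper) for every public query, mutation and action, which is why the thread suggests enforcing the wrapper's use with a lint rule rather than relying on memory.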
thank you!
> if I have an exported deleteAllData mutation
Just to add some more stuff -- something like this would be a perfect use case for an internal function (https://docs.convex.dev/functions/internal-functions), which can only be called from other Convex functions (e.g. scheduling, or ctx.runMutation) or by a project admin (e.g. via the CLI or dashboard).
But still you would need a public function or action to call that internal one, so the basic problem is not solved.
You can call internal functions from the dashboard + the CLI, which requires that you log in to your Convex account and that you're a project admin, so these are useful for things like debugging. If you remove someone from your Convex team (and for good measure, rotate any deploy keys they might've had access to), then they can no longer call these internal functions
Concretely, you would use npx convex run to call it from the CLI (https://docs.convex.dev/dashboard/deployments/functions#running-functions), or the function runner to call it from the dashboard (https://docs.convex.dev/dashboard/deployments/functions#running-functions).