Convex Auth
So in Convex Auth, the client side doesn't know the current user id unless they query for it?
15 Replies
that's right, Convex Auth just gets a JWT to the client (which does include some info that isn't encrypted, so e.g. the GitHub email for a GitHub OAuth app is technically on the client)
Convex Auth provides pretty much the same thing that Clerk or Auth0 does, refreshing JWTs on the client that you can use to authenticate the Convex Client
with the addition that these sessions and accounts are stored on your Convex deployment, so you can read them in Convex mutations/queries as well
so is there a function to parse out the info from the jwt?
instead of on another server like Clerk
in react?
You can, but as a general app architecture thing you don't want to trust this info, you should query for it, because an important step in the flow is verifying the token
but yeah you can use the npm library jwt-decode to look inside a jwt
so generally you write queries and return the info that way
and since you know where the JWTs are coming from (your convex deployment) I don't see why you couldn't trust them; it's just that this is all on the client, where a malicious user can change the JWT to be whatever they want
until it's verified after being sent over the convex websocket
just like a clerk JWT or Auth0 JWT would be
all I want to do is check if current user id = something's owner id, and show UI based on that
on the client side
do you care if people cheat and change their user id?
no
the server double checks
simplest thing to do is still a
const userId = useQuery(api.userAccounts.currentUserId)
that seems really unnecessary and would be slower than not doing an extra query
the user id is not in the JWT either, just session info
so I'm wrong, this is your only option
although I think their email (if they used e.g. GitHub OAuth to sign in) might be
the user id isn't in the jwt?
It is if I use Clerk though
I don't think so, you could check by decoding one on https://jwt.io/
looks like it is https://github.com/get-convex/convex-auth/blob/main/src/server/implementation/tokens.ts#L9-L29
args.userId + TOKEN_SUB_CLAIM_DIVIDER + args.sessionId
so yeah with some extra work you could try to get in there and get it, not something exposed currently
Hm. I seem to be running into another problem first:
https://discord.com/channels/1019350475847499849/1335024665554452480/1335024665554452480
So, how do I access the JWT on the client side?
Looks like it's a private field.
I would write a api.users.me query instead; this difference in speed is going to be small. This would be a good issue to open on the convex-auth repo, because it involves changes to the library. You need to get inside the getToken() function that requests the JWT, or get inside the callback passed into client.setAuth(cb) to expose this.