security risks of just code
for example the whole thing revolves around code and it's very open to risks from all fronts
29 Replies
I'm confused -- everything in convex is default private. can you say more?
nothing is exposed unless you write a function to expose it
thanks for the feedback, by the way! just want to clarify it to make sure we're understanding
I'll need to expose things of course
I'll need to expose a column of a row to a specific user.role and not another user.role
or I'll need to take something from a table and use it in a server api... you guys use cookies for auth (right?)
well, we do, and clerk, and auth0, and... almost everything, that's correct. but us too
whose cookie goes where when I use them in a server function?
is this with convex auth? or clerk auth? what authentication provider is your app using?
none. I'm not using convex
I'm just window shopping
I couldn't figure out the access policies
ah. convex works the same as anything else, really. the only thing that can be accessed is what you server function explicitly expose. by default everything is private
pushing those functions can only be done by developers on your convex team
so those functions cannot be changed by the internet at large
if you want to use some sort of authorization system in convex, there are many different options people use. many folks like something similar to "row level security" -- here's an article on that: https://stack.convex.dev/row-level-security
Row Level Security
Add row-level security to your database access by wrapping database reads and writes in your Convex serverless functions.
but by default no one can get to anything until you decide to expose it, or protect it with whatever policy you'd like. either just using regular ol code, or using some sort of data-driven scheme like RLS or RBAC
it's not centralized...
it's all over the place
sorry, what does centralized mean here?
i'll have code here and there
nope, not in the approach taken with the article
You create your queries with
queryWithRLS
, which centralizes the checks and protects all queries
basically, this is a middleware approach so all routes are automatically protected
you don't have to repeat the logic everywhere
convex has helper libraries to create these kinds of middleware patterns to implement whatever common sets of checks or enrichments or whatever you want to use throughout your projecttoo much code.
open to mistakes
ah, okay
I'll have to get roles from another table
check it against identity
well, that's what your database does...
learning management
teachers, students, content creators, hr, finance
well, they can just update the tables on the convex dashboard. they don't have to write this code
they can't see each other's tables. they can access only their relevant data
is there a way to configure that?
I guess not š from the dashboard
if you want them to have a table view they can manipulate directly, ala something like airtable, then no -- convex is more of a developer product, not a no-code product or whatever. airtable is a better fit
I think it sounds like you're not excited about defining things via software rather than relying on built-in features ala ( https://stack.convex.dev/the-software-defined-database ) -- that's okay, I get it. then you're right, convex may not be your thing
Convex: The Software-Defined Database
Which to choose, the expressive power of code, or the robustness of built-in database features? With Convex, you can have both. By eliminating the bou...
I've built the teacher and student frontend
but things are going to get messy once I add more roles
I'm rather scared of making mistakes
gotcha
Where are you from?
@rishsane Sorry for the broken English, I don't think grammatically about what I write before I hit the send button every time. Is it not correct English?
Should I have said I've created ?
š
Sorry man. I didn't try to tell you are bad in English. Just wanted to know about the school. I mean where the school is based. Actually I also not so good at english š¤
West Asia.
ok. thanks