greends
greendsā€¢2mo ago

security risks of just code

for example the whole thing revolves around code and it's very open to risks from all fronts
29 Replies
jamwt
jamwtā€¢2mo ago
I'm confused -- everything in convex is default private. can you say more? nothing is exposed unless you write a function to expose it thanks for the feedback, by the way! just want to clarify it to make sure we're understanding
greends
greendsOPā€¢2mo ago
I'll need to expose things of course I'll need to expose a column of a row to a specific user.role and not another user.role or I'll need to take something from a table and use it in a server api... you guys use cookies for auth (right?)
jamwt
jamwtā€¢2mo ago
well, we do, and clerk, and auth0, and... almost everything, that's correct. but us too
greends
greendsOPā€¢2mo ago
whose cookie goes where when I use them in a server function?
jamwt
jamwtā€¢2mo ago
is this with convex auth? or clerk auth? what authentication provider is your app using?
greends
greendsOPā€¢2mo ago
none. I'm not using convex I'm just window shopping I couldn't figure out the access policies
jamwt
jamwtā€¢2mo ago
ah. convex works the same as anything else, really. the only thing that can be accessed is what you server function explicitly expose. by default everything is private pushing those functions can only be done by developers on your convex team so those functions cannot be changed by the internet at large
jamwt
jamwtā€¢2mo ago
if you want to use some sort of authorization system in convex, there are many different options people use. many folks like something similar to "row level security" -- here's an article on that: https://stack.convex.dev/row-level-security
Row Level Security
Add row-level security to your database access by wrapping database reads and writes in your Convex serverless functions.
jamwt
jamwtā€¢2mo ago
but by default no one can get to anything until you decide to expose it, or protect it with whatever policy you'd like. either just using regular ol code, or using some sort of data-driven scheme like RLS or RBAC
greends
greendsOPā€¢2mo ago
it's not centralized... it's all over the place
jamwt
jamwtā€¢2mo ago
sorry, what does centralized mean here?
greends
greendsOPā€¢2mo ago
i'll have code here and there
jamwt
jamwtā€¢2mo ago
nope, not in the approach taken with the article 
// in convex/messages.js
import { queryWithRLS, mutationWithRLS } from "./rls";

export const list = queryWithRLS({
  args: {},
    handler: async (ctx) => {
    return await ctx.db.query("messages").collect();
    },
});

export const publish = mutationWithRLS({
  args: { messageId: v.id("messages") },
    handler: async (ctx, args) => {
    await ctx.db.patch(args.messageId, {published: true});
    },
});
// in convex/messages.js
import { queryWithRLS, mutationWithRLS } from "./rls";

export const list = queryWithRLS({
  args: {},
    handler: async (ctx) => {
    return await ctx.db.query("messages").collect();
    },
});

export const publish = mutationWithRLS({
  args: { messageId: v.id("messages") },
    handler: async (ctx, args) => {
    await ctx.db.patch(args.messageId, {published: true});
    },
});
You create your queries with queryWithRLS, which centralizes the checks and protects all queries basically, this is a middleware approach so all routes are automatically protected you don't have to repeat the logic everywhere convex has helper libraries to create these kinds of middleware patterns to implement whatever common sets of checks or enrichments or whatever you want to use throughout your project
greends
greendsOPā€¢2mo ago
too much code. open to mistakes
jamwt
jamwtā€¢2mo ago
ah, okay
greends
greendsOPā€¢2mo ago
  const identity = await ctx.auth.getUserIdentity();
  return {
    messages: {
      read: async ({ auth }, message) => {
        if (identity === null) {
          return message.published;
        }
        return true;
      },
      modify: async ({ auth }, message) => {
        if (identity === null) {
          return false;
        }
        return message.author === identity.tokenIdentifier;
      },
    },
  } satisfies Rules<QueryCtx, DataModel>;
}
  const identity = await ctx.auth.getUserIdentity();
  return {
    messages: {
      read: async ({ auth }, message) => {
        if (identity === null) {
          return message.published;
        }
        return true;
      },
      modify: async ({ auth }, message) => {
        if (identity === null) {
          return false;
        }
        return message.author === identity.tokenIdentifier;
      },
    },
  } satisfies Rules<QueryCtx, DataModel>;
}
I'll have to get roles from another table check it against identity
jamwt
jamwtā€¢2mo ago
well, that's what your database does...
greends
greendsOPā€¢2mo ago
learning management teachers, students, content creators, hr, finance
jamwt
jamwtā€¢2mo ago
well, they can just update the tables on the convex dashboard. they don't have to write this code
greends
greendsOPā€¢2mo ago
they can't see each other's tables. they can access only their relevant data is there a way to configure that? I guess not šŸ˜„ from the dashboard
jamwt
jamwtā€¢2mo ago
if you want them to have a table view they can manipulate directly, ala something like airtable, then no -- convex is more of a developer product, not a no-code product or whatever. airtable is a better fit
jamwt
jamwtā€¢2mo ago
I think it sounds like you're not excited about defining things via software rather than relying on built-in features ala ( https://stack.convex.dev/the-software-defined-database ) -- that's okay, I get it. then you're right, convex may not be your thing
Convex: The Software-Defined Database
Which to choose, the expressive power of code, or the robustness of built-in database features? With Convex, you can have both. By eliminating the bou...
greends
greendsOPā€¢2mo ago
I've built the teacher and student frontend but things are going to get messy once I add more roles I'm rather scared of making mistakes 
Security notice: ConvexAuthNextjsServerProvider uses cookies to store authentication state. Therefore to prevent CSRF attacks you must not perform any side-effects from the Next.js server on GET requests."
Security notice: ConvexAuthNextjsServerProvider uses cookies to store authentication state. Therefore to prevent CSRF attacks you must not perform any side-effects from the Next.js server on GET requests."
jamwt
jamwtā€¢2mo ago
gotcha
rishsane
rishsaneā€¢2mo ago
Where are you from?
greends
greendsOPā€¢2mo ago
@rishsane Sorry for the broken English, I don't think grammatically about what I write before I hit the send button every time. Is it not correct English? Should I have said I've created ? šŸ˜„
rishsane
rishsaneā€¢2mo ago
Sorry man. I didn't try to tell you are bad in English. Just wanted to know about the school. I mean where the school is based. Actually I also not so good at english šŸ¤”
greends
greendsOPā€¢2mo ago
West Asia.
rishsane
rishsaneā€¢2mo ago
ok. thanks

Did you find this page helpful?