Or
Convex Community · 7mo ago
9 replies

Restrict Convex mutation to external Vercel functions, and block access from the client side

Hi,

Since Convex actions are very limited, many people prefer to use Vercel functions (especially with their fluid runtime).
I need a Convex mutation which is restricted to external Vercel functions, but blocks access from the client side.

Currently on another Discord post I saw that you advised sending a shared secret as a parameter, but it's not considered secure since it can be accidentally printed in logs... and it's a bad practice to send a secret as a parameter.

I thought of something else:
In the Vercel function, tell Clerk (using the Clerk API key) (my auth provider) to issue a JWT with a custom claim (e.g. role=backend) and a timeout of 60 seconds,
and then call the Convex mutation, and in the mutation check if the JWT contains the custom claim and allow/block access accordingly.

There are some docs in Clerk about this:
https://clerk.com/docs/backend-requests/custom-session-token
https://clerk.com/docs/backend-requests/jwt-templates

Can you please write an example of how to do it in such a secure way?
I'm struggling with this, and I think many folks who use Next.js with Vercel functions will benefit from this example.

Thanks
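One way to implement the check the post describes, as an added example that is not part of the original thread and not Convex's or Clerk's own code. It assumes Convex has already verified the token's signature against the Clerk issuer configured in `auth.config`, that custom claims (`role`) and the standard `iat`/`exp` claims surface as fields on the object returned by `ctx.auth.getUserIdentity()` (check this against the Convex docs for your version), and that the issuer URL is a placeholder for your own Clerk instance.

```typescript
// Added example: gate a Convex mutation handler on a short-lived Clerk JWT
// that carries a custom "role" claim, denying everything else by default.
// Assumption: signature verification is done by Convex's auth layer before
// this code runs; here we only inspect claims that are already trusted.

type Claims = Record<string, unknown>;

// Minimal shape of the Convex context this example relies on.
interface AuthCtx {
  auth: { getUserIdentity(): Promise<Claims | null> };
}

const TRUSTED_ISSUER = "https://YOUR-INSTANCE.clerk.accounts.dev"; // placeholder
const BACKEND_ROLE = "backend";           // custom claim value issued by the Clerk JWT template
const MAX_LIFETIME_SECONDS = 60;          // the 60-second lifetime proposed in the post

// Returns null when the caller may proceed, otherwise a short reason for denial.
function checkBackendClaims(claims: Claims | null, nowSeconds: number): string | null {
  if (!claims) return "unauthenticated";
  if (claims.issuer !== TRUSTED_ISSUER) return "untrusted issuer";
  if (claims.role !== BACKEND_ROLE) return "missing backend role";
  const iat = claims.iat;
  const exp = claims.exp;
  if (typeof iat !== "number" || typeof exp !== "number") return "missing iat/exp";
  if (exp <= nowSeconds) return "token expired";
  // Defense in depth: a long-lived token with the backend role should not be accepted
  // even if it was somehow minted, since the Vercel function only needs seconds.
  if (exp - iat > MAX_LIFETIME_SECONDS) return "token lifetime too long";
  return null;
}

// Wraps a mutation handler so it only runs for a caller holding the backend token.
function backendOnly<Args, Ret>(
  handler: (ctx: AuthCtx, args: Args) => Promise<Ret>,
): (ctx: AuthCtx, args: Args) => Promise<Ret> {
  return async (ctx, args) => {
    const identity = await ctx.auth.getUserIdentity();
    const problem = checkBackendClaims(identity, Math.floor(Date.now() / 1000));
    if (problem !== null) throw new Error(`Forbidden: ${problem}`);
    return handler(ctx, args);
  };
}

// Constructed sample claims, as Convex would expose them after verification.
const sampleBackendClaims: Claims = {
  issuer: TRUSTED_ISSUER, role: BACKEND_ROLE, iat: 1_700_000_000, exp: 1_700_000_060,
};
const sampleBrowserClaims: Claims = {
  issuer: TRUSTED_ISSUER, iat: 1_700_000_000, exp: 1_700_003_600, // normal user session, no role
};
```

Inside `convex/` you would pass the real handler to `backendOnly` when defining the mutation; the browser client, holding an ordinary Clerk session token without the `role` claim, is rejected before the handler body runs.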