Auth for internal functions
When using the ConvexHttpClient in a node.js environment, if I need to use queries and mutations on behalf of users (given specific document IDs or query params) where I don't have access to auth tokens - as this is performed as part of background async jobs. What's the recommended pattern for performing those queries and mutations?
Here's two patterns:
1) Public queries and mutations, but instead of using ctx.auth.getUserIdentity() to validate users, it instead validates a shared environment variable. As recommended here: https://docs.convex.dev/auth.
2) Internal queries and mutations which can be accessed via the ConvexHttpClient by setting admin auth.
Personal bias, I prefer option 2 and that's the method I'm attempting, because I prefer the fact that the admin/system queries and mutations are never exposed publicly. However, when using option 2, I noticed in the github repo, https://github.com/get-convex/convex-js/blob/main/src/browser/http_client.ts, setAdminAuth is marked as @internal - meaning accessing it requires some type gymnastics ("(client as any).setAdminAuth(process.env.CONVEX_DEPLOY!);" to get it working). Does that mean it's not the recommended approach? Along with that, client.query() expects a public query, so additional type gymnastics is required to get that working with internal queries - such as // @ts-ignore - which unfortunately removes the implicit type.
To recap, what is the recommended / intended design pattern for solving the problem stated above? Which is running queries and mutations on an external service, where no auth token is available - but there's an obvious need to perform authentication for the system (It's my servers attempting to perform these admin level queries and mutations).
Is design pattern 1, 2 or an alternative pattern recommended?
Thanks!
Here's two patterns:
1) Public queries and mutations, but instead of using ctx.auth.getUserIdentity() to validate users, it instead validates a shared environment variable. As recommended here: https://docs.convex.dev/auth.
2) Internal queries and mutations which can be accessed via the ConvexHttpClient by setting admin auth.
Personal bias, I prefer option 2 and that's the method I'm attempting, because I prefer the fact that the admin/system queries and mutations are never exposed publicly. However, when using option 2, I noticed in the github repo, https://github.com/get-convex/convex-js/blob/main/src/browser/http_client.ts, setAdminAuth is marked as @internal - meaning accessing it requires some type gymnastics ("(client as any).setAdminAuth(process.env.CONVEX_DEPLOY!);" to get it working). Does that mean it's not the recommended approach? Along with that, client.query() expects a public query, so additional type gymnastics is required to get that working with internal queries - such as // @ts-ignore - which unfortunately removes the implicit type.
To recap, what is the recommended / intended design pattern for solving the problem stated above? Which is running queries and mutations on an external service, where no auth token is available - but there's an obvious need to perform authentication for the system (It's my servers attempting to perform these admin level queries and mutations).
Is design pattern 1, 2 or an alternative pattern recommended?
Thanks!
