Storage ID authorization
If I get the storage ID only after the upload from the URL upload on the client.
and then the client side make request to store that storage ID,
It's not possible to validate that this storage ID is indeed belongs to that user.
2 Replies
Thanks for posting in <#1088161997662724167>.
Reminder: If you have a Convex Pro account, use the Convex Dashboard to file support tickets.
- Provide context: What are you trying to achieve, what is the end-user interaction, what are you seeing? (full error message, command output, etc.)
- Use search.convex.dev to search Docs, Stack, and Discord all at once.
- Additionally, you can post your questions in the Convex Community's <#1228095053885476985> channel to receive a response from AI.
- Avoid tagging staff unless specifically instructed.
Thank you!
If you validate that it hasn't already been stored, then a malicious actor would have to intercept the storage id somehow before it's stored, which should be a very minimal window. This isn't generally considered a risk for most uploads. If there are security concerns and you want to be absolutely sure, though, you can upload via http action: https://docs.convex.dev/file-storage/upload-files#uploading-files-via-an-http-action