I'm using the Convex agents component and I'm worried about the access management. Threads accept userId parameters; queries and mutations don't seem to have any checks, so I can retrieve any thread from any user using those queries. Am I missing something?
You would add your own access checks, e.g., make sure the authenticated user matches userId before calling a method.
Can I do something about these publicly exposed queries and mutations that the component adds?
All component methods are internal, regardless of their public/internal type, it's enforced at the system level.
The only way a component function goes public is if you export it yourself from your app's own convex files.
Looking closer at this component now to make sure I'm not missing something
So here, if you look at the first example: https://docs.convex.dev/agents/getting-started#defining-your-first-agent
You define the agent, but then you have to create an action yourself to actually use it. That action can be public or internal, it's up to you. Within the action is where you would run an authorization check if needed for your use case.
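The pattern described in this reply, written out as an added example that is not code from the thread, from Convex or from the agent component. It models the action-level check offline: `Ctx`, `getThread`, `continueThread` and the in-memory `threads` table are constructed stand-ins for the real Convex context and the component's thread methods, and `getUserIdentity()` is simplified to return only a `subject`. The point it shows is the ordering: resolve the caller's identity, compare it to the thread's `userId`, and only then call into the component.

```typescript
// Added example: authorize in your own action before calling the component.
// Everything below is a constructed stand-in; none of these names are the
// real @convex-dev/agent or Convex APIs (those are only imitated in shape).

type Identity = { subject: string } | null;

// Constructed: the slice of an ActionCtx this example needs.
interface Ctx {
  auth: { getUserIdentity(): Promise<Identity> };
}

interface Thread {
  _id: string;
  userId?: string; // a thread may have been created without an owner
}

// Constructed in-memory table standing in for the component's thread storage.
const threads: Record<string, Thread> = {
  t1: { _id: "t1", userId: "user_alice" },
  t2: { _id: "t2", userId: "user_bob" },
  t3: { _id: "t3" }, // anonymous thread, nobody owns it
};

// Constructed stand-in for the component's thread lookup.
async function getThread(threadId: string): Promise<Thread | null> {
  return threads[threadId] ?? null;
}

// The authz check: fail closed unless the caller is authenticated AND is the
// thread's userId. Returns the caller's userId for the component call.
export async function authorizeThreadAccess(ctx: Ctx, threadId: string): Promise<string> {
  const identity = await ctx.auth.getUserIdentity();
  if (identity === null) throw new Error("Unauthorized: not authenticated");
  const thread = await getThread(threadId);
  // "Not found" and "not yours" get the same message so ids cannot be probed.
  if (thread === null || thread.userId !== identity.subject) {
    throw new Error("Unauthorized: thread not found or not owned by caller");
  }
  return identity.subject;
}

// Constructed stand-in for the component method that should only ever be
// reached through your own action, never directly from a client.
async function continueThread(args: { threadId: string; userId: string }): Promise<string> {
  return `continuing ${args.threadId} as ${args.userId}`;
}

// The action you export from your app: check first, call the component second.
export async function sendMessage(ctx: Ctx, threadId: string, prompt: string): Promise<string> {
  const userId = await authorizeThreadAccess(ctx, threadId);
  return `${await continueThread({ threadId, userId })}: ${prompt}`;
}

// Builds a ctx for a logged-in user, or an anonymous one when subject is null.
export function ctxFor(subject: string | null): Ctx {
  return { auth: { getUserIdentity: async () => (subject === null ? null : { subject }) } };
}

// Runs sendMessage and reports "ok" or the authorization failure message.
export async function tryAccess(subject: string | null, threadId: string): Promise<string> {
  try {
    await sendMessage(ctxFor(subject), threadId, "hi");
    return "ok";
  } catch (e) {
    if (e instanceof Error) return e.message;
    throw e;
  }
}
```

The same check belongs in front of every component method an action reaches, not only `continueThread`; a thread lookup that returns the same failure for a missing thread and for someone else's thread keeps the action from confirming which thread ids exist.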
You can see in this example the reference to getAuthUserId, a function you may or may not have, but the concept is you do your authz check before actually calling the method: https://docs.convex.dev/agents/threads#creating-a-thread
Does that mean the component queries and mutations are not exposed?
I've seen code like that and assumed it could be queried directly because in the dashboard some of them have the lock icon and some of them don't.

Correct - when you're looking at the functions of the component, they aren't exposed
Which makes the little lock icons very confusing actually
Cool, thank you for the answers!