How does authorization check work on convex-storage?
It seems to me that everything on the filestorage is automaticaly publicly accessible by a url correct?
So if a user wanted to upload an image just for himself, private use, it would be better to put it in the db instead of storage right ?!
Split it up in 16 MiB chuncs so a query can handle it.
Because with db I can request authentification before handing the data over.
Storage is more like a youtube / insta thing where everyone is supposed to see the media...
7 Replies
Thanks for posting in <#1088161997662724167>.
Reminder: If you have a Convex Pro account, use the Convex Dashboard to file support tickets.
- Provide context: What are you trying to achieve, what is the end-user interaction, what are you seeing? (full error message, command output, etc.)
- Use search.convex.dev to search Docs, Stack, and Discord all at once.
- Additionally, you can post your questions in the Convex Community's <#1228095053885476985> channel to receive a response from AI.
- Avoid tagging staff unless specifically instructed.
Thank you!
No database records, including on the storage table, can be directly accessed over an api. A Convex function that access the table must be written and deployed. More on serving files here: https://docs.convex.dev/file-storage/serve-files#serving-files-from-http-actions
Serving Files | Convex Developer Hub
Serve files stored in Convex to users
it says
"But note that the HTTP actions response size is currently limited to 20MB. For larger files you need to use file URLs as described above"
so i need to use
ctx.storage.getUrl() for users downloading videos > 20MB
i guess my question is :
1. does the url exist all the time, and its just returned, or will it freshly be generated upon calling ctx.storage.url ?
2. will the url invalidate itself, or can we invalidate the url after x Minutes, so the urls cant be guessed by someone unauthorized?It's generated, similar to generating urls for S3 or R2. I believe getUrl does not currently expire. For more control check out the R2 component https://www.convex.dev/components/cloudflare-r2
This is so good 😊 thanks for holding the line on these community questions 💕
The R2 components reads as if applying a CORS policy will prevent direct url access, is that right? If so, is it possible to apply CORS policies in Convex? @erquhart
CORS only works against browsers, and only to protect the users of those browsers. It's powerless to actually prevent data access through any other method, eg., server to server, or pretty much anything other than a modern, secure browser.