Document ID validation in security
Hi Convex community.
I know that Convex provides
v.id(“table_name”) validator. However, I want to be very clear about the behaviour of this validator.
Suppose I have a mutation api that allows caller to mutate a document by supplying the document ID. Can I trust that the user-supplied document ID truly refers to the document in the expected table? Can a malicious user supplies a document ID of a document from another arbitrary data table?
(Assuming I am not doing any middleware, authentication, row-level rules here to simplify my question.)1 Reply
Thanks for posting in <#1088161997662724167>.
Reminder: If you have a Convex Pro account, use the Convex Dashboard to file support tickets.
- Provide context: What are you trying to achieve, what is the end-user interaction, what are you seeing? (full error message, command output, etc.)
- Use search.convex.dev to search Docs, Stack, and Discord all at once.
- Additionally, you can post your questions in the Convex Community's <#1228095053885476985> channel to receive a response from AI.
- Avoid tagging staff unless specifically instructed.
Thank you!