Document ID validation in security
Hi Convex community.
I know that Convex provides
Suppose I have a mutation api that allows caller to mutate a document by supplying the document ID. Can I trust that the user-supplied document ID truly refers to the document in the expected table? Can a malicious user supplies a document ID of a document from another arbitrary data table?
(Assuming I am not doing any middleware, authentication, row-level rules here to simplify my question.)
I know that Convex provides
v.id(“table_name”)v.id(“table_name”) validator. However, I want to be very clear about the behaviour of this validator.Suppose I have a mutation api that allows caller to mutate a document by supplying the document ID. Can I trust that the user-supplied document ID truly refers to the document in the expected table? Can a malicious user supplies a document ID of a document from another arbitrary data table?
(Assuming I am not doing any middleware, authentication, row-level rules here to simplify my question.)
