badarsebard•3w ago

Unless I'm mistaken, this means that any file uploaded to the storage backend is publicly accessible by its uuid, whether or not getUrl has ever been called, right?
9 Replies
erquhart•3w ago
No, nothing in your database is directly publicly accessible by any means, ever. Only through Convex functions can data be exposed, you have to write logic that gets and returns your data from a publicly accessible endpoint.
badarsebardOP•3w ago
Sorry, I was picking up with a pretty old thread so I may have missed some context. But the File Storage system does expose those files publicly (/api/storage/{uuid}). My question really is whether or not that happens once the file is uploaded, or if the URL gets "created" somehow when getUrl is called? I was reading through the backend code, and I'm fairly certain the file's URL is reachable once it's uploaded. But I'm not very proficient at Rust so I may be wrong.
erquhart•3w ago
Oh no problem on the old thread. But yeah, I don't know Rust at all. What I can say is, if you're able to fetch files directly without hitting a function, it's a bug. There's an HTTP API accessible for calling public functions, but not storage: https://docs.convex.dev/http-api/ If files were directly accessible, gating access via HTTP actions wouldn't be effective: https://docs.convex.dev/file-storage/serve-files#serving-files-from-http-actions So if you're able to get a file directly without hitting a function, definitely let us know. My guess is something non-obvious is in play to keep the endpoint you're seeing from being directly accessible. Hmm, actually your point on whether that endpoint is created when getUrl() runs may be accurate... Which sort of makes sense, when you run getUrl() you're creating a URL with no expiration that can access that file.
badarsebardOP•3w ago
Right, but I actually think you're not creating a URL to retrieve that file, you're returning one that already "exists". In other words, if you upload a file and someone can happen to guess the uuid, then they can access it. Whether or not you ran getUrl at any point prior.
erquhart•3w ago
welp I am learning things today 😅 I still need to confirm this but it seems accurate from the feedback of my highly esteemed colleague Claude
badarsebardOP•2w ago
Any confirmation on the above?
erquhart•2w ago
Yes - files are available over the API on upload. The uuids are effectively secrets, though, there isn't a public API for listing.
badarsebardOP•2w ago
Right, there's no way to enumerate them. But I think it should be made clearer in the documentation because it drastically changes the security model. Since there's no authentication required, once someone has received a uuid then they have the means to retrieve that file forever, regardless of any authx model implemented at the application layer. Which leaves us with choosing one of three options: 1) don't put anything non-public in the file store, 2) application server does all the upload/download and then serves the files to the client (double bandwidth usage), or 3) implement a system for encrypting files prior to upload and managing the key infrastructure
erquhart•2w ago
Yeah agree on docs needing to reflect this for sure. I would also add 4) use an external service like Cloudflare. Some Convex native functionality like search and storage work well for a lot of use cases, but aren't currently positioned to be feature rich solutions. Components can help here too, e.g., the R2 component.
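
Option 3 from the thread (encrypt before upload, keep the keys behind application-layer authorization), sketched as an added example that is not part of the thread and is not Convex code. The names `sealFile`, `openFile`, `releaseKey` and the in-memory `keyTable` are hypothetical; the point is that a leaked storage URL then yields only ciphertext, and deleting the key row revokes access even though the URL keeps working.

```javascript
// Added example (Node.js). Hypothetical helper names; not a Convex API.
const { randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

// Encrypt a file with a fresh per-file key BEFORE it is sent to the storage backend.
// Returns the blob to upload and the key record to keep in an access-controlled table.
function sealFile(plaintext, fileLabel) {
  const key = randomBytes(32); // AES-256 data key, one per file
  const iv = randomBytes(12);  // 96-bit GCM nonce, used once with this key
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(fileLabel, "utf8")); // bind ciphertext to its label
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const tag = cipher.getAuthTag(); // 16-byte authentication tag
  // Stored layout: iv (12) || tag (16) || ciphertext
  return { blob: Buffer.concat([iv, tag, body]), keyRecord: { fileLabel, key } };
}

// Decrypt a downloaded blob. Throws if the blob was modified, the key is wrong,
// or the blob is presented under a different label.
function openFile(blob, keyRecord) {
  const iv = blob.subarray(0, 12);
  const tag = blob.subarray(12, 28);
  const body = blob.subarray(28);
  const decipher = createDecipheriv("aes-256-gcm", keyRecord.key, iv);
  decipher.setAAD(Buffer.from(keyRecord.fileLabel, "utf8"));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]);
}

// Stand-in for the authorization check an application function would perform.
// keyTable: Map of fileLabel -> { key, readers: Set of user ids }.
function releaseKey(keyTable, fileLabel, userId) {
  const row = keyTable.get(fileLabel);
  if (!row || !row.readers.has(userId)) return null; // no key, no plaintext
  return { fileLabel, key: row.key };
}
```
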