ElMonoSabio
ElMonoSabio
PostsComments
CCConvex Community
Created by ElMonoSabio on 3/25/2024 in #support-community
Reactively authenticating organization through ctx.auth
Yeah, if you’re using custom components for the user to switch, that sounds like a good solution.
18 replies
CCConvex Community
Created by ElMonoSabio on 3/25/2024 in #support-community
Reactively authenticating organization through ctx.auth
1. For security purposes, I will probably also use the OrganizationMembership webhook and store that in convex to double check that the user is a member of the organization that I get through the clerk session data. I'm not sure if that's necessary, as the clerk webhook is being validated, but I'm not an expert on that by any means. 2. Instead of redirecting, you could also use the organization id in your urls (like /[orgId]/dashboard) and use then ensure that the active org matches the orgId or else redirect.
18 replies
CCConvex Community
Created by ElMonoSabio on 3/25/2024 in #support-community
Reactively authenticating organization through ctx.auth
Two other notes:
18 replies
CCConvex Community
Created by ElMonoSabio on 3/25/2024 in #support-community
Reactively authenticating organization through ctx.auth
I confirmed with Clerk that there is no webhook for the active org switching, and no way to get that information upon change. Here's where I ended up: I have the code below as a customFunction that pulls the user and active organization from the session details into the context. The trick, as I mentioned in my first post, is that I updated Clerk's JWT token to send the active organization ID through the "language" parameter. 
export const mutationWithOrganizationUser = customMutation(
  mutation,
  customCtx(async (ctx) => {
    const { clerkUserId, clerkOrganizationId } = await getUserInfo(ctx);
    if (clerkUserId === undefined) {
      throw new ConvexError("Not authenticated");
    }
    if (clerkOrganizationId === undefined) {
      throw new ConvexError("No active organization");
    }

    const user = await getOneFromOrThrow(
      ctx.db,
      "users",
      "by_clerkId",
      clerkUserId
    );

    const organization = await getOneFromOrThrow(
      ctx.db,
      "organizations",
      "by_clerkId",
      clerkOrganizationId,
      "clerkId"
    );

    const userId = user._id;
    const orgId = organization._id;

    return { orgId, userId };
  })
);

async function getUserInfo(ctx: { auth: Auth }) {
  const authInfo = await ctx.auth.getUserIdentity();
  return {
    clerkUserId: authInfo?.subject,
    clerkOrganizationId: authInfo?.language,
  };
}
export const mutationWithOrganizationUser = customMutation(
  mutation,
  customCtx(async (ctx) => {
    const { clerkUserId, clerkOrganizationId } = await getUserInfo(ctx);
    if (clerkUserId === undefined) {
      throw new ConvexError("Not authenticated");
    }
    if (clerkOrganizationId === undefined) {
      throw new ConvexError("No active organization");
    }

    const user = await getOneFromOrThrow(
      ctx.db,
      "users",
      "by_clerkId",
      clerkUserId
    );

    const organization = await getOneFromOrThrow(
      ctx.db,
      "organizations",
      "by_clerkId",
      clerkOrganizationId,
      "clerkId"
    );

    const userId = user._id;
    const orgId = organization._id;

    return { orgId, userId };
  })
);

async function getUserInfo(ctx: { auth: Auth }) {
  const authInfo = await ctx.auth.getUserIdentity();
  return {
    clerkUserId: authInfo?.subject,
    clerkOrganizationId: authInfo?.language,
  };
}
So replacing all of my mutations with mutationWithOrganizationUser (and likewise with a separate custom query) I'm able to get the org ID and user ID through context. The only caveat I've run into is that it is not reactive to a change in the active organization. So if you're feeding the org ID directly as a argument (which is not secure) changing the active org would trigger a re-render from convex. The session data does not do that. So my solution was just to force a redirect to my homepage on changing your org, which works just fine so far in testing.
18 replies
CCConvex Community
Created by ElMonoSabio on 3/25/2024 in #support-community
Reactively authenticating organization through ctx.auth
Thanks @lee and @Indy for the input. I was passing the active org to my query through useOrganization, but realized that wasn't a secure way to gate it, so that's when I moved to the JWT token method. For security sake, as you suggested I can create a organizationMember table from Clerk's webhook's and check against that, was just trying to streamline and avoid any unneeded queries. But I'll look into adding the to the ctx argument. A custom function was the step I was prepping this for regardless to avoid boilerplate in all of my queries. P.S. really loving Convex. Genuinely hard to imagine moving back to the old way of handling backend.
18 replies
CCConvex Community
Created by ElMonoSabio on 3/25/2024 in #support-community
Reactively authenticating organization through ctx.auth
@lee Thanks for the response. I might be missing something, but as far as I can tell, there's no Clerk webhook for a user's active organization. It isn't included in the user or the organization update webhook that I can see. As far as I can tell, this is only an issue when the organization is switched, so for now I think I'll probably just force a refresh on change. Outside of an edge case like having just been removed from an organization, I don't believe there's a security concern because we know they have permission for that data.
18 replies