Convex Security Audit
Comprehensive security review patterns for Convex applications including authorization logic, data access boundaries, action isolation, rate limiting, and protecting sensitive operations.
Documentation Sources
Before implementing, do not assume; fetch the latest documentation:
- Primary: https://docs.convex.dev/auth/functions-auth
- Production Security: https://docs.convex.dev/production
- For broader context: https://docs.convex.dev/llms.txt
Instructions
Security Audit Areas
- Authorization Logic - Who can do what
- Data Access Boundaries - What data users can see
- Action Isolation - Protecting external API calls
- Rate Limiting - Preventing abuse
- Sensitive Operations - Protecting critical functions
Authorization Logic Audit
Role-Based Access Control (RBAC)
typescript1// convex/lib/auth.ts 2import { QueryCtx, MutationCtx } from "./_generated/server"; 3import { ConvexError } from "convex/values"; 4import { Doc } from "./_generated/dataModel"; 5 6type UserRole = "user" | "moderator" | "admin" | "superadmin"; 7 8const roleHierarchy: Record<UserRole, number> = { 9 user: 0, 10 moderator: 1, 11 admin: 2, 12 superadmin: 3, 13}; 14 15export async function getUser(ctx: QueryCtx | MutationCtx): Promise<Doc<"users"> | null> { 16 const identity = await ctx.auth.getUserIdentity(); 17 if (!identity) return null; 18 19 return await ctx.db 20 .query("users") 21 .withIndex("by_tokenIdentifier", (q) => 22 q.eq("tokenIdentifier", identity.tokenIdentifier) 23 ) 24 .unique(); 25} 26 27export async function requireRole( 28 ctx: QueryCtx | MutationCtx, 29 minRole: UserRole 30): Promise<Doc<"users">> { 31 const user = await getUser(ctx); 32 33 if (!user) { 34 throw new ConvexError({ 35 code: "UNAUTHENTICATED", 36 message: "Authentication required", 37 }); 38 } 39 40 const userRoleLevel = roleHierarchy[user.role as UserRole] ?? 0; 41 const requiredLevel = roleHierarchy[minRole]; 42 43 if (userRoleLevel < requiredLevel) { 44 throw new ConvexError({ 45 code: "FORBIDDEN", 46 message: `Role '${minRole}' or higher required`, 47 }); 48 } 49 50 return user; 51} 52 53// Permission-based check 54type Permission = "read:users" | "write:users" | "delete:users" | "admin:system"; 55 56const rolePermissions: Record<UserRole, Permission[]> = { 57 user: ["read:users"], 58 moderator: ["read:users", "write:users"], 59 admin: ["read:users", "write:users", "delete:users"], 60 superadmin: ["read:users", "write:users", "delete:users", "admin:system"], 61}; 62 63export async function requirePermission( 64 ctx: QueryCtx | MutationCtx, 65 permission: Permission 66): Promise<Doc<"users">> { 67 const user = await getUser(ctx); 68 69 if (!user) { 70 throw new ConvexError({ code: "UNAUTHENTICATED", message: "Authentication required" }); 71 } 72 73 const userRole = user.role as UserRole; 74 const permissions = rolePermissions[userRole] ?? []; 75 76 if (!permissions.includes(permission)) { 77 throw new ConvexError({ 78 code: "FORBIDDEN", 79 message: `Permission '${permission}' required`, 80 }); 81 } 82 83 return user; 84}
Data Access Boundaries Audit
typescript1// convex/data.ts 2import { query, mutation } from "./_generated/server"; 3import { v } from "convex/values"; 4import { getUser, requireRole } from "./lib/auth"; 5import { ConvexError } from "convex/values"; 6 7// Audit: Users can only see their own data 8export const getMyData = query({ 9 args: {}, 10 returns: v.array(v.object({ 11 _id: v.id("userData"), 12 content: v.string(), 13 })), 14 handler: async (ctx) => { 15 const user = await getUser(ctx); 16 if (!user) return []; 17 18 // SECURITY: Filter by userId 19 return await ctx.db 20 .query("userData") 21 .withIndex("by_user", (q) => q.eq("userId", user._id)) 22 .collect(); 23 }, 24}); 25 26// Audit: Verify ownership before returning sensitive data 27export const getSensitiveItem = query({ 28 args: { itemId: v.id("sensitiveItems") }, 29 returns: v.union(v.object({ 30 _id: v.id("sensitiveItems"), 31 secret: v.string(), 32 }), v.null()), 33 handler: async (ctx, args) => { 34 const user = await getUser(ctx); 35 if (!user) return null; 36 37 const item = await ctx.db.get(args.itemId); 38 39 // SECURITY: Verify ownership 40 if (!item || item.ownerId !== user._id) { 41 return null; // Don't reveal if item exists 42 } 43 44 return item; 45 }, 46}); 47 48// Audit: Shared resources with access list 49export const getSharedDocument = query({ 50 args: { docId: v.id("documents") }, 51 returns: v.union(v.object({ 52 _id: v.id("documents"), 53 content: v.string(), 54 accessLevel: v.string(), 55 }), v.null()), 56 handler: async (ctx, args) => { 57 const user = await getUser(ctx); 58 const doc = await ctx.db.get(args.docId); 59 60 if (!doc) return null; 61 62 // Public documents 63 if (doc.visibility === "public") { 64 return { ...doc, accessLevel: "public" }; 65 } 66 67 // Must be authenticated for non-public 68 if (!user) return null; 69 70 // Owner has full access 71 if (doc.ownerId === user._id) { 72 return { ...doc, accessLevel: "owner" }; 73 } 74 75 // Check shared access 76 const access = await ctx.db 77 .query("documentAccess") 78 .withIndex("by_doc_and_user", (q) => 79 q.eq("documentId", args.docId).eq("userId", user._id) 80 ) 81 .unique(); 82 83 if (!access) return null; 84 85 return { ...doc, accessLevel: access.level }; 86 }, 87});
Action Isolation Audit
typescript1// convex/actions.ts 2"use node"; 3 4import { action, internalAction } from "./_generated/server"; 5import { v } from "convex/values"; 6import { api, internal } from "./_generated/api"; 7import { ConvexError } from "convex/values"; 8 9// SECURITY: Never expose API keys in responses 10export const callExternalAPI = action({ 11 args: { query: v.string() }, 12 returns: v.object({ result: v.string() }), 13 handler: async (ctx, args) => { 14 // Verify user is authenticated 15 const identity = await ctx.auth.getUserIdentity(); 16 if (!identity) { 17 throw new ConvexError("Authentication required"); 18 } 19 20 // Get API key from environment (not hardcoded) 21 const apiKey = process.env.EXTERNAL_API_KEY; 22 if (!apiKey) { 23 throw new Error("API key not configured"); 24 } 25 26 // Log usage for audit trail 27 await ctx.runMutation(internal.audit.logAPICall, { 28 userId: identity.tokenIdentifier, 29 endpoint: "external-api", 30 timestamp: Date.now(), 31 }); 32 33 const response = await fetch("https://api.example.com/query", { 34 method: "POST", 35 headers: { 36 "Authorization": `Bearer ${apiKey}`, 37 "Content-Type": "application/json", 38 }, 39 body: JSON.stringify({ query: args.query }), 40 }); 41 42 if (!response.ok) { 43 // Don't expose external API error details 44 throw new ConvexError("External service unavailable"); 45 } 46 47 const data = await response.json(); 48 49 // Sanitize response before returning 50 return { result: sanitizeResponse(data) }; 51 }, 52}); 53 54// Internal action - not exposed to clients 55export const _processPayment = internalAction({ 56 args: { 57 userId: v.id("users"), 58 amount: v.number(), 59 paymentMethodId: v.string(), 60 }, 61 returns: v.object({ success: v.boolean(), transactionId: v.optional(v.string()) }), 62 handler: async (ctx, args) => { 63 const stripeKey = process.env.STRIPE_SECRET_KEY; 64 65 // Process payment with Stripe 66 // This should NEVER be exposed as a public action 67 68 return { success: true, transactionId: "txn_xxx" }; 69 }, 70});
Rate Limiting Audit
typescript1// convex/rateLimit.ts 2import { mutation, query } from "./_generated/server"; 3import { v } from "convex/values"; 4import { ConvexError } from "convex/values"; 5 6const RATE_LIMITS = { 7 message: { requests: 10, windowMs: 60000 }, // 10 per minute 8 upload: { requests: 5, windowMs: 300000 }, // 5 per 5 minutes 9 api: { requests: 100, windowMs: 3600000 }, // 100 per hour 10}; 11 12export const checkRateLimit = mutation({ 13 args: { 14 userId: v.string(), 15 action: v.union(v.literal("message"), v.literal("upload"), v.literal("api")), 16 }, 17 returns: v.object({ allowed: v.boolean(), retryAfter: v.optional(v.number()) }), 18 handler: async (ctx, args) => { 19 const limit = RATE_LIMITS[args.action]; 20 const now = Date.now(); 21 const windowStart = now - limit.windowMs; 22 23 // Count requests in window 24 const requests = await ctx.db 25 .query("rateLimits") 26 .withIndex("by_user_and_action", (q) => 27 q.eq("userId", args.userId).eq("action", args.action) 28 ) 29 .filter((q) => q.gt(q.field("timestamp"), windowStart)) 30 .collect(); 31 32 if (requests.length >= limit.requests) { 33 const oldestRequest = requests[0]; 34 const retryAfter = oldestRequest.timestamp + limit.windowMs - now; 35 36 return { allowed: false, retryAfter }; 37 } 38 39 // Record this request 40 await ctx.db.insert("rateLimits", { 41 userId: args.userId, 42 action: args.action, 43 timestamp: now, 44 }); 45 46 return { allowed: true }; 47 }, 48}); 49 50// Use in mutations 51export const sendMessage = mutation({ 52 args: { content: v.string() }, 53 returns: v.id("messages"), 54 handler: async (ctx, args) => { 55 const identity = await ctx.auth.getUserIdentity(); 56 if (!identity) throw new ConvexError("Authentication required"); 57 58 // Check rate limit 59 const rateCheck = await checkRateLimit(ctx, { 60 userId: identity.tokenIdentifier, 61 action: "message", 62 }); 63 64 if (!rateCheck.allowed) { 65 throw new ConvexError({ 66 code: "RATE_LIMITED", 67 message: `Too many requests. Try again in ${Math.ceil(rateCheck.retryAfter! / 1000)} seconds`, 68 }); 69 } 70 71 return await ctx.db.insert("messages", { 72 content: args.content, 73 authorId: identity.tokenIdentifier, 74 createdAt: Date.now(), 75 }); 76 }, 77});
Sensitive Operations Protection
typescript1// convex/admin.ts 2import { mutation, internalMutation } from "./_generated/server"; 3import { v } from "convex/values"; 4import { requireRole, requirePermission } from "./lib/auth"; 5import { internal } from "./_generated/api"; 6 7// Two-factor confirmation for dangerous operations 8export const deleteAllUserData = mutation({ 9 args: { 10 userId: v.id("users"), 11 confirmationCode: v.string(), 12 }, 13 returns: v.null(), 14 handler: async (ctx, args) => { 15 // Require superadmin 16 const admin = await requireRole(ctx, "superadmin"); 17 18 // Verify confirmation code 19 const confirmation = await ctx.db 20 .query("confirmations") 21 .withIndex("by_admin_and_code", (q) => 22 q.eq("adminId", admin._id).eq("code", args.confirmationCode) 23 ) 24 .filter((q) => q.gt(q.field("expiresAt"), Date.now())) 25 .unique(); 26 27 if (!confirmation || confirmation.action !== "delete_user_data") { 28 throw new ConvexError("Invalid or expired confirmation code"); 29 } 30 31 // Delete confirmation to prevent reuse 32 await ctx.db.delete(confirmation._id); 33 34 // Schedule deletion (don't do it inline) 35 await ctx.scheduler.runAfter(0, internal.admin._performDeletion, { 36 userId: args.userId, 37 requestedBy: admin._id, 38 }); 39 40 // Audit log 41 await ctx.db.insert("auditLogs", { 42 action: "delete_user_data", 43 targetUserId: args.userId, 44 performedBy: admin._id, 45 timestamp: Date.now(), 46 }); 47 48 return null; 49 }, 50}); 51 52// Generate confirmation code for sensitive action 53export const requestDeletionConfirmation = mutation({ 54 args: { userId: v.id("users") }, 55 returns: v.string(), 56 handler: async (ctx, args) => { 57 const admin = await requireRole(ctx, "superadmin"); 58 59 const code = generateSecureCode(); 60 61 await ctx.db.insert("confirmations", { 62 adminId: admin._id, 63 code, 64 action: "delete_user_data", 65 targetUserId: args.userId, 66 expiresAt: Date.now() + 5 * 60 * 1000, // 5 minutes 67 }); 68 69 // In production, send code via secure channel (email, SMS) 70 return code; 71 }, 72});
Examples
Complete Audit Trail System
typescript1// convex/audit.ts 2import { mutation, query, internalMutation } from "./_generated/server"; 3import { v } from "convex/values"; 4import { getUser, requireRole } from "./lib/auth"; 5 6const auditEventValidator = v.object({ 7 _id: v.id("auditLogs"), 8 _creationTime: v.number(), 9 action: v.string(), 10 userId: v.optional(v.string()), 11 resourceType: v.string(), 12 resourceId: v.string(), 13 details: v.optional(v.any()), 14 ipAddress: v.optional(v.string()), 15 timestamp: v.number(), 16}); 17 18// Internal: Log audit event 19export const logEvent = internalMutation({ 20 args: { 21 action: v.string(), 22 userId: v.optional(v.string()), 23 resourceType: v.string(), 24 resourceId: v.string(), 25 details: v.optional(v.any()), 26 }, 27 returns: v.id("auditLogs"), 28 handler: async (ctx, args) => { 29 return await ctx.db.insert("auditLogs", { 30 ...args, 31 timestamp: Date.now(), 32 }); 33 }, 34}); 35 36// Admin: View audit logs 37export const getAuditLogs = query({ 38 args: { 39 resourceType: v.optional(v.string()), 40 userId: v.optional(v.string()), 41 limit: v.optional(v.number()), 42 }, 43 returns: v.array(auditEventValidator), 44 handler: async (ctx, args) => { 45 await requireRole(ctx, "admin"); 46 47 let query = ctx.db.query("auditLogs"); 48 49 if (args.resourceType) { 50 query = query.withIndex("by_resource_type", (q) => 51 q.eq("resourceType", args.resourceType) 52 ); 53 } 54 55 return await query 56 .order("desc") 57 .take(args.limit ?? 100); 58 }, 59});
Best Practices
- Never run
npx convex deployunless explicitly instructed - Never run any git commands unless explicitly instructed
- Implement defense in depth (multiple security layers)
- Log all sensitive operations for audit trails
- Use confirmation codes for destructive actions
- Rate limit all user-facing endpoints
- Never expose internal API keys or errors
- Review access patterns regularly
Common Pitfalls
- Single point of failure - Implement multiple auth checks
- Missing audit logs - Log all sensitive operations
- Trusting client data - Always validate server-side
- Exposing error details - Sanitize error messages
- No rate limiting - Always implement rate limits
References
- Convex Documentation: https://docs.convex.dev/
- Convex LLMs.txt: https://docs.convex.dev/llms.txt
- Functions Auth: https://docs.convex.dev/auth/functions-auth
- Production Security: https://docs.convex.dev/production
