- Home
- Skills
- Waynesutton
- Convexskills
- Convex Security Check
convex-security-check_skill
- JavaScript
225
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill waynesutton/convexskills --skill convex-security-check- SKILL.md9.6 KB
Overview
This skill is a concise security audit checklist for Convex applications focused on authentication, function exposure, argument validation, row-level access control, and environment variable handling. It highlights concrete checks and code patterns to prevent common backend security mistakes. Use it to quickly assess Convex functions, actions, and database access before production deployment.
How this skill works
The skill inspects common risk areas: verifies authentication checks and session validation, flags publicly exposed functions versus internal-only functions, enforces strict argument and return validators, and validates row-level ownership checks. It also confirms environment variables are used for secrets and only accessed in server-side actions. The guidance is actionable and maps to Convex coding patterns for queries, mutations, actions, and internal functions.
When to use it
- Before deploying a Convex app to staging or production
- During code review for backend functions and database access patterns
- When adding new public queries, mutations, or HTTP actions
- When auditing use of environment variables and API keys
- When implementing role-based or row-level access controls
Best practices
- Require and verify user identity (ctx.auth.getUserIdentity()) before returning sensitive data
- Mark sensitive operations as internal (internalQuery/internalMutation/internalAction) and review public functions carefully
- Validate all function args and returns with strict validators; avoid v.any() for sensitive data
- Verify ownership and roles before update/delete operations to enforce row-level access control
- Store secrets in environment variables and access them only in actions; use separate keys for dev/prod
Example use cases
- Run a pre-release checklist to confirm all public endpoints have non-sensitive payloads
- Convert client-callable mutations that modify sensitive data into internal functions called from authenticated actions
- Audit all database reads to ensure queries filter by the authenticated user or proper index
- Add validators to legacy functions that currently accept v.any() to prevent injection or malformed writes
- Validate that API keys are not hardcoded and that actions error clearly if keys are missing
FAQ
Confirm authentication is enforced where required and that no sensitive operations are exposed as public functions.
Where should secrets live in a Convex app?
Store API keys and secrets in environment variables and only access them inside server-side actions; never hardcode in code or schema.
How do I protect data ownership?
Always fetch the resource and compare its owner field to the authenticated identity before updating or deleting; throw an auth error if they differ.