Name: Convex Security Audit
Author: Waynesutton
Install
Terminal · npx
$npx skills add https://github.com/waynesutton/convexskills --skill convex-security-audit
Works with Paperclip
How Convex Security Audit fits into a Paperclip company.

Convex Security Audit drops into any Paperclip agent that handles convex and security work. Assign it to a specialist inside a pre-configured PaperclipOrg company and the skill becomes available on every heartbeat — no prompt engineering, no tool wiring.
SaaS FactoryPaired
Pre-configured AI company — 18 agents, 18 skills, one-time purchase.
$27$59
Explore pack
Source file
SKILL.md539 linesmarkdown
Expand
1---2name: convex-security-audit3displayName: Convex Security Audit4description: Deep security review patterns for authorization logic, data access boundaries, action isolation, rate limiting, and protecting sensitive operations5version: 1.0.06author: Convex7tags: [convex, security, audit, authorization, rate-limiting, protection]8---9 10# Convex Security Audit11 12Comprehensive security review patterns for Convex applications including authorization logic, data access boundaries, action isolation, rate limiting, and protecting sensitive operations.13 14## Documentation Sources15 16Before implementing, do not assume; fetch the latest documentation:17 18- Primary: https://docs.convex.dev/auth/functions-auth19- Production Security: https://docs.convex.dev/production20- For broader context: https://docs.convex.dev/llms.txt21 22## Instructions23 24### Security Audit Areas25 261. **Authorization Logic** - Who can do what272. **Data Access Boundaries** - What data users can see283. **Action Isolation** - Protecting external API calls294. **Rate Limiting** - Preventing abuse305. **Sensitive Operations** - Protecting critical functions31 32### Authorization Logic Audit33 34#### Role-Based Access Control (RBAC)35 36```typescript37// convex/lib/auth.ts38import { QueryCtx, MutationCtx } from "./_generated/server";39import { ConvexError } from "convex/values";40import { Doc } from "./_generated/dataModel";41 42type UserRole = "user" | "moderator" | "admin" | "superadmin";43 44const roleHierarchy: Record<UserRole, number> = {45  user: 0,46  moderator: 1,47  admin: 2,48  superadmin: 3,49};50 51export async function getUser(ctx: QueryCtx | MutationCtx): Promise<Doc<"users"> | null> {52  const identity = await ctx.auth.getUserIdentity();53  if (!identity) return null;54  55  return await ctx.db56    .query("users")57    .withIndex("by_tokenIdentifier", (q) => 58      q.eq("tokenIdentifier", identity.tokenIdentifier)59    )60    .unique();61}62 63export async function requireRole(64  ctx: QueryCtx | MutationCtx, 65  minRole: UserRole66): Promise<Doc<"users">> {67  const user = await getUser(ctx);68  69  if (!user) {70    throw new ConvexError({71      code: "UNAUTHENTICATED",72      message: "Authentication required",73    });74  }75  76  const userRoleLevel = roleHierarchy[user.role as UserRole] ?? 0;77  const requiredLevel = roleHierarchy[minRole];78  79  if (userRoleLevel < requiredLevel) {80    throw new ConvexError({81      code: "FORBIDDEN",82      message: `Role '${minRole}' or higher required`,83    });84  }85  86  return user;87}88 89// Permission-based check90type Permission = "read:users" | "write:users" | "delete:users" | "admin:system";91 92const rolePermissions: Record<UserRole, Permission[]> = {93  user: ["read:users"],94  moderator: ["read:users", "write:users"],95  admin: ["read:users", "write:users", "delete:users"],96  superadmin: ["read:users", "write:users", "delete:users", "admin:system"],97};98 99export async function requirePermission(100  ctx: QueryCtx | MutationCtx,101  permission: Permission102): Promise<Doc<"users">> {103  const user = await getUser(ctx);104  105  if (!user) {106    throw new ConvexError({ code: "UNAUTHENTICATED", message: "Authentication required" });107  }108  109  const userRole = user.role as UserRole;110  const permissions = rolePermissions[userRole] ?? [];111  112  if (!permissions.includes(permission)) {113    throw new ConvexError({114      code: "FORBIDDEN",115      message: `Permission '${permission}' required`,116    });117  }118  119  return user;120}121```122 123### Data Access Boundaries Audit124 125```typescript126// convex/data.ts127import { query, mutation } from "./_generated/server";128import { v } from "convex/values";129import { getUser, requireRole } from "./lib/auth";130import { ConvexError } from "convex/values";131 132// Audit: Users can only see their own data133export const getMyData = query({134  args: {},135  returns: v.array(v.object({136    _id: v.id("userData"),137    content: v.string(),138  })),139  handler: async (ctx) => {140    const user = await getUser(ctx);141    if (!user) return [];142    143    // SECURITY: Filter by userId144    return await ctx.db145      .query("userData")146      .withIndex("by_user", (q) => q.eq("userId", user._id))147      .collect();148  },149});150 151// Audit: Verify ownership before returning sensitive data152export const getSensitiveItem = query({153  args: { itemId: v.id("sensitiveItems") },154  returns: v.union(v.object({155    _id: v.id("sensitiveItems"),156    secret: v.string(),157  }), v.null()),158  handler: async (ctx, args) => {159    const user = await getUser(ctx);160    if (!user) return null;161    162    const item = await ctx.db.get(args.itemId);163    164    // SECURITY: Verify ownership165    if (!item || item.ownerId !== user._id) {166      return null; // Don't reveal if item exists167    }168    169    return item;170  },171});172 173// Audit: Shared resources with access list174export const getSharedDocument = query({175  args: { docId: v.id("documents") },176  returns: v.union(v.object({177    _id: v.id("documents"),178    content: v.string(),179    accessLevel: v.string(),180  }), v.null()),181  handler: async (ctx, args) => {182    const user = await getUser(ctx);183    const doc = await ctx.db.get(args.docId);184    185    if (!doc) return null;186    187    // Public documents188    if (doc.visibility === "public") {189      return { ...doc, accessLevel: "public" };190    }191    192    // Must be authenticated for non-public193    if (!user) return null;194    195    // Owner has full access196    if (doc.ownerId === user._id) {197      return { ...doc, accessLevel: "owner" };198    }199    200    // Check shared access201    const access = await ctx.db202      .query("documentAccess")203      .withIndex("by_doc_and_user", (q) => 204        q.eq("documentId", args.docId).eq("userId", user._id)205      )206      .unique();207    208    if (!access) return null;209    210    return { ...doc, accessLevel: access.level };211  },212});213```214 215### Action Isolation Audit216 217```typescript218// convex/actions.ts219"use node";220 221import { action, internalAction } from "./_generated/server";222import { v } from "convex/values";223import { api, internal } from "./_generated/api";224import { ConvexError } from "convex/values";225 226// SECURITY: Never expose API keys in responses227export const callExternalAPI = action({228  args: { query: v.string() },229  returns: v.object({ result: v.string() }),230  handler: async (ctx, args) => {231    // Verify user is authenticated232    const identity = await ctx.auth.getUserIdentity();233    if (!identity) {234      throw new ConvexError("Authentication required");235    }236    237    // Get API key from environment (not hardcoded)238    const apiKey = process.env.EXTERNAL_API_KEY;239    if (!apiKey) {240      throw new Error("API key not configured");241    }242    243    // Log usage for audit trail244    await ctx.runMutation(internal.audit.logAPICall, {245      userId: identity.tokenIdentifier,246      endpoint: "external-api",247      timestamp: Date.now(),248    });249    250    const response = await fetch("https://api.example.com/query", {251      method: "POST",252      headers: {253        "Authorization": `Bearer ${apiKey}`,254        "Content-Type": "application/json",255      },256      body: JSON.stringify({ query: args.query }),257    });258    259    if (!response.ok) {260      // Don't expose external API error details261      throw new ConvexError("External service unavailable");262    }263    264    const data = await response.json();265    266    // Sanitize response before returning267    return { result: sanitizeResponse(data) };268  },269});270 271// Internal action - not exposed to clients272export const _processPayment = internalAction({273  args: {274    userId: v.id("users"),275    amount: v.number(),276    paymentMethodId: v.string(),277  },278  returns: v.object({ success: v.boolean(), transactionId: v.optional(v.string()) }),279  handler: async (ctx, args) => {280    const stripeKey = process.env.STRIPE_SECRET_KEY;281    282    // Process payment with Stripe283    // This should NEVER be exposed as a public action284    285    return { success: true, transactionId: "txn_xxx" };286  },287});288```289 290### Rate Limiting Audit291 292```typescript293// convex/rateLimit.ts294import { mutation, query } from "./_generated/server";295import { v } from "convex/values";296import { ConvexError } from "convex/values";297 298const RATE_LIMITS = {299  message: { requests: 10, windowMs: 60000 }, // 10 per minute300  upload: { requests: 5, windowMs: 300000 },  // 5 per 5 minutes301  api: { requests: 100, windowMs: 3600000 },  // 100 per hour302};303 304export const checkRateLimit = mutation({305  args: {306    userId: v.string(),307    action: v.union(v.literal("message"), v.literal("upload"), v.literal("api")),308  },309  returns: v.object({ allowed: v.boolean(), retryAfter: v.optional(v.number()) }),310  handler: async (ctx, args) => {311    const limit = RATE_LIMITS[args.action];312    const now = Date.now();313    const windowStart = now - limit.windowMs;314    315    // Count requests in window316    const requests = await ctx.db317      .query("rateLimits")318      .withIndex("by_user_and_action", (q) => 319        q.eq("userId", args.userId).eq("action", args.action)320      )321      .filter((q) => q.gt(q.field("timestamp"), windowStart))322      .collect();323    324    if (requests.length >= limit.requests) {325      const oldestRequest = requests[0];326      const retryAfter = oldestRequest.timestamp + limit.windowMs - now;327      328      return { allowed: false, retryAfter };329    }330    331    // Record this request332    await ctx.db.insert("rateLimits", {333      userId: args.userId,334      action: args.action,335      timestamp: now,336    });337    338    return { allowed: true };339  },340});341 342// Use in mutations343export const sendMessage = mutation({344  args: { content: v.string() },345  returns: v.id("messages"),346  handler: async (ctx, args) => {347    const identity = await ctx.auth.getUserIdentity();348    if (!identity) throw new ConvexError("Authentication required");349    350    // Check rate limit351    const rateCheck = await checkRateLimit(ctx, {352      userId: identity.tokenIdentifier,353      action: "message",354    });355    356    if (!rateCheck.allowed) {357      throw new ConvexError({358        code: "RATE_LIMITED",359        message: `Too many requests. Try again in ${Math.ceil(rateCheck.retryAfter! / 1000)} seconds`,360      });361    }362    363    return await ctx.db.insert("messages", {364      content: args.content,365      authorId: identity.tokenIdentifier,366      createdAt: Date.now(),367    });368  },369});370```371 372### Sensitive Operations Protection373 374```typescript375// convex/admin.ts376import { mutation, internalMutation } from "./_generated/server";377import { v } from "convex/values";378import { requireRole, requirePermission } from "./lib/auth";379import { internal } from "./_generated/api";380 381// Two-factor confirmation for dangerous operations382export const deleteAllUserData = mutation({383  args: {384    userId: v.id("users"),385    confirmationCode: v.string(),386  },387  returns: v.null(),388  handler: async (ctx, args) => {389    // Require superadmin390    const admin = await requireRole(ctx, "superadmin");391    392    // Verify confirmation code393    const confirmation = await ctx.db394      .query("confirmations")395      .withIndex("by_admin_and_code", (q) => 396        q.eq("adminId", admin._id).eq("code", args.confirmationCode)397      )398      .filter((q) => q.gt(q.field("expiresAt"), Date.now()))399      .unique();400    401    if (!confirmation || confirmation.action !== "delete_user_data") {402      throw new ConvexError("Invalid or expired confirmation code");403    }404    405    // Delete confirmation to prevent reuse406    await ctx.db.delete(confirmation._id);407    408    // Schedule deletion (don't do it inline)409    await ctx.scheduler.runAfter(0, internal.admin._performDeletion, {410      userId: args.userId,411      requestedBy: admin._id,412    });413    414    // Audit log415    await ctx.db.insert("auditLogs", {416      action: "delete_user_data",417      targetUserId: args.userId,418      performedBy: admin._id,419      timestamp: Date.now(),420    });421    422    return null;423  },424});425 426// Generate confirmation code for sensitive action427export const requestDeletionConfirmation = mutation({428  args: { userId: v.id("users") },429  returns: v.string(),430  handler: async (ctx, args) => {431    const admin = await requireRole(ctx, "superadmin");432    433    const code = generateSecureCode();434    435    await ctx.db.insert("confirmations", {436      adminId: admin._id,437      code,438      action: "delete_user_data",439      targetUserId: args.userId,440      expiresAt: Date.now() + 5 * 60 * 1000, // 5 minutes441    });442    443    // In production, send code via secure channel (email, SMS)444    return code;445  },446});447```448 449## Examples450 451### Complete Audit Trail System452 453```typescript454// convex/audit.ts455import { mutation, query, internalMutation } from "./_generated/server";456import { v } from "convex/values";457import { getUser, requireRole } from "./lib/auth";458 459const auditEventValidator = v.object({460  _id: v.id("auditLogs"),461  _creationTime: v.number(),462  action: v.string(),463  userId: v.optional(v.string()),464  resourceType: v.string(),465  resourceId: v.string(),466  details: v.optional(v.any()),467  ipAddress: v.optional(v.string()),468  timestamp: v.number(),469});470 471// Internal: Log audit event472export const logEvent = internalMutation({473  args: {474    action: v.string(),475    userId: v.optional(v.string()),476    resourceType: v.string(),477    resourceId: v.string(),478    details: v.optional(v.any()),479  },480  returns: v.id("auditLogs"),481  handler: async (ctx, args) => {482    return await ctx.db.insert("auditLogs", {483      ...args,484      timestamp: Date.now(),485    });486  },487});488 489// Admin: View audit logs490export const getAuditLogs = query({491  args: {492    resourceType: v.optional(v.string()),493    userId: v.optional(v.string()),494    limit: v.optional(v.number()),495  },496  returns: v.array(auditEventValidator),497  handler: async (ctx, args) => {498    await requireRole(ctx, "admin");499    500    let query = ctx.db.query("auditLogs");501    502    if (args.resourceType) {503      query = query.withIndex("by_resource_type", (q) => 504        q.eq("resourceType", args.resourceType)505      );506    }507    508    return await query509      .order("desc")510      .take(args.limit ?? 100);511  },512});513```514 515## Best Practices516 517- Never run `npx convex deploy` unless explicitly instructed518- Never run any git commands unless explicitly instructed519- Implement defense in depth (multiple security layers)520- Log all sensitive operations for audit trails521- Use confirmation codes for destructive actions522- Rate limit all user-facing endpoints523- Never expose internal API keys or errors524- Review access patterns regularly525 526## Common Pitfalls527 5281. **Single point of failure** - Implement multiple auth checks5292. **Missing audit logs** - Log all sensitive operations5303. **Trusting client data** - Always validate server-side5314. **Exposing error details** - Sanitize error messages5325. **No rate limiting** - Always implement rate limits533 534## References535 536- Convex Documentation: https://docs.convex.dev/537- Convex LLMs.txt: https://docs.convex.dev/llms.txt538- Functions Auth: https://docs.convex.dev/auth/functions-auth539- Production Security: https://docs.convex.dev/production
Related skills
Avoid Feature Creep

Install Avoid Feature Creep skill for Claude Code from waynesutton/convexskills.
Convex

This is an umbrella skill that routes you to 11 specialized Convex development skills instead of trying to cram everything into one giant prompt. Hit `/convex-f
Convex Agents

Install Convex Agents skill for Claude Code from waynesutton/convexskills.