Name: Convex Security Check
Author: Waynesutton

Install

Terminal · npx

$npx skills add https://github.com/waynesutton/convexskills --skill convex-security-check

Works with Paperclip

How Convex Security Check fits into a Paperclip company.

Convex Security Check drops into any Paperclip agent that handles convex and security work. Assign it to a specialist inside a pre-configured PaperclipOrg company and the skill becomes available on every heartbeat — no prompt engineering, no tool wiring.

SaaS FactoryPaired

Pre-configured AI company — 18 agents, 18 skills, one-time purchase.

$27$59

Explore pack

Source file

SKILL.md378 linesmarkdown

Expand

1---2name: convex-security-check3displayName: Convex Security Check4description: Quick security audit checklist covering authentication, function exposure, argument validation, row-level access control, and environment variable handling5version: 1.0.06author: Convex7tags: [convex, security, authentication, authorization, checklist]8---9 10# Convex Security Check11 12A quick security audit checklist for Convex applications covering authentication, function exposure, argument validation, row-level access control, and environment variable handling.13 14## Documentation Sources15 16Before implementing, do not assume; fetch the latest documentation:17 18- Primary: https://docs.convex.dev/auth19- Production Security: https://docs.convex.dev/production20- Functions Auth: https://docs.convex.dev/auth/functions-auth21- For broader context: https://docs.convex.dev/llms.txt22 23## Instructions24 25### Security Checklist26 27Use this checklist to quickly audit your Convex application's security:28 29#### 1. Authentication30 31- [ ] Authentication provider configured (Clerk, Auth0, etc.)32- [ ] All sensitive queries check `ctx.auth.getUserIdentity()`33- [ ] Unauthenticated access explicitly allowed where intended34- [ ] Session tokens properly validated35 36#### 2. Function Exposure37 38- [ ] Public functions (`query`, `mutation`, `action`) reviewed39- [ ] Internal functions use `internalQuery`, `internalMutation`, `internalAction`40- [ ] No sensitive operations exposed as public functions41- [ ] HTTP actions validate origin/authentication42 43#### 3. Argument Validation44 45- [ ] All functions have explicit `args` validators46- [ ] All functions have explicit `returns` validators47- [ ] No `v.any()` used for sensitive data48- [ ] ID validators use correct table names49 50#### 4. Row-Level Access Control51 52- [ ] Users can only access their own data53- [ ] Admin functions check user roles54- [ ] Shared resources have proper access checks55- [ ] Deletion functions verify ownership56 57#### 5. Environment Variables58 59- [ ] API keys stored in environment variables60- [ ] No secrets in code or schema61- [ ] Different keys for dev/prod environments62- [ ] Environment variables accessed only in actions63 64### Authentication Check65 66```typescript67// convex/auth.ts68import { query, mutation } from "./_generated/server";69import { v } from "convex/values";70import { ConvexError } from "convex/values";71 72// Helper to require authentication73async function requireAuth(ctx: QueryCtx | MutationCtx) {74  const identity = await ctx.auth.getUserIdentity();75  if (!identity) {76    throw new ConvexError("Authentication required");77  }78  return identity;79}80 81// Secure query pattern82export const getMyProfile = query({83  args: {},84  returns: v.union(v.object({85    _id: v.id("users"),86    name: v.string(),87    email: v.string(),88  }), v.null()),89  handler: async (ctx) => {90    const identity = await requireAuth(ctx);91    92    return await ctx.db93      .query("users")94      .withIndex("by_tokenIdentifier", (q) => 95        q.eq("tokenIdentifier", identity.tokenIdentifier)96      )97      .unique();98  },99});100```101 102### Function Exposure Check103 104```typescript105// PUBLIC - Exposed to clients (review carefully!)106export const listPublicPosts = query({107  args: {},108  returns: v.array(v.object({ /* ... */ })),109  handler: async (ctx) => {110    // Anyone can call this - intentionally public111    return await ctx.db112      .query("posts")113      .withIndex("by_public", (q) => q.eq("isPublic", true))114      .collect();115  },116});117 118// INTERNAL - Only callable from other Convex functions119export const _updateUserCredits = internalMutation({120  args: { userId: v.id("users"), amount: v.number() },121  returns: v.null(),122  handler: async (ctx, args) => {123    // This cannot be called directly from clients124    await ctx.db.patch(args.userId, {125      credits: args.amount,126    });127    return null;128  },129});130```131 132### Argument Validation Check133 134```typescript135// GOOD: Strict validation136export const createPost = mutation({137  args: {138    title: v.string(),139    content: v.string(),140    category: v.union(141      v.literal("tech"),142      v.literal("news"),143      v.literal("other")144    ),145  },146  returns: v.id("posts"),147  handler: async (ctx, args) => {148    const identity = await requireAuth(ctx);149    return await ctx.db.insert("posts", {150      ...args,151      authorId: identity.tokenIdentifier,152    });153  },154});155 156// BAD: Weak validation157export const createPostUnsafe = mutation({158  args: {159    data: v.any(), // DANGEROUS: Allows any data160  },161  returns: v.id("posts"),162  handler: async (ctx, args) => {163    return await ctx.db.insert("posts", args.data);164  },165});166```167 168### Row-Level Access Control Check169 170```typescript171// Verify ownership before update172export const updateTask = mutation({173  args: {174    taskId: v.id("tasks"),175    title: v.string(),176  },177  returns: v.null(),178  handler: async (ctx, args) => {179    const identity = await requireAuth(ctx);180    181    const task = await ctx.db.get(args.taskId);182    183    // Check ownership184    if (!task || task.userId !== identity.tokenIdentifier) {185      throw new ConvexError("Not authorized to update this task");186    }187    188    await ctx.db.patch(args.taskId, { title: args.title });189    return null;190  },191});192 193// Verify ownership before delete194export const deleteTask = mutation({195  args: { taskId: v.id("tasks") },196  returns: v.null(),197  handler: async (ctx, args) => {198    const identity = await requireAuth(ctx);199    200    const task = await ctx.db.get(args.taskId);201    202    if (!task || task.userId !== identity.tokenIdentifier) {203      throw new ConvexError("Not authorized to delete this task");204    }205    206    await ctx.db.delete(args.taskId);207    return null;208  },209});210```211 212### Environment Variables Check213 214```typescript215// convex/actions.ts216"use node";217 218import { action } from "./_generated/server";219import { v } from "convex/values";220 221export const sendEmail = action({222  args: {223    to: v.string(),224    subject: v.string(),225    body: v.string(),226  },227  returns: v.object({ success: v.boolean() }),228  handler: async (ctx, args) => {229    // Access API key from environment230    const apiKey = process.env.RESEND_API_KEY;231    232    if (!apiKey) {233      throw new Error("RESEND_API_KEY not configured");234    }235    236    const response = await fetch("https://api.resend.com/emails", {237      method: "POST",238      headers: {239        "Authorization": `Bearer ${apiKey}`,240        "Content-Type": "application/json",241      },242      body: JSON.stringify({243        from: "noreply@example.com",244        to: args.to,245        subject: args.subject,246        html: args.body,247      }),248    });249    250    return { success: response.ok };251  },252});253```254 255## Examples256 257### Complete Security Pattern258 259```typescript260// convex/secure.ts261import { query, mutation, internalMutation } from "./_generated/server";262import { v } from "convex/values";263import { ConvexError } from "convex/values";264 265// Authentication helper266async function getAuthenticatedUser(ctx: QueryCtx | MutationCtx) {267  const identity = await ctx.auth.getUserIdentity();268  if (!identity) {269    throw new ConvexError({270      code: "UNAUTHENTICATED",271      message: "You must be logged in",272    });273  }274  275  const user = await ctx.db276    .query("users")277    .withIndex("by_tokenIdentifier", (q) => 278      q.eq("tokenIdentifier", identity.tokenIdentifier)279    )280    .unique();281    282  if (!user) {283    throw new ConvexError({284      code: "USER_NOT_FOUND",285      message: "User profile not found",286    });287  }288  289  return user;290}291 292// Check admin role293async function requireAdmin(ctx: QueryCtx | MutationCtx) {294  const user = await getAuthenticatedUser(ctx);295  296  if (user.role !== "admin") {297    throw new ConvexError({298      code: "FORBIDDEN",299      message: "Admin access required",300    });301  }302  303  return user;304}305 306// Public: List own tasks307export const listMyTasks = query({308  args: {},309  returns: v.array(v.object({310    _id: v.id("tasks"),311    title: v.string(),312    completed: v.boolean(),313  })),314  handler: async (ctx) => {315    const user = await getAuthenticatedUser(ctx);316    317    return await ctx.db318      .query("tasks")319      .withIndex("by_user", (q) => q.eq("userId", user._id))320      .collect();321  },322});323 324// Admin only: List all users325export const listAllUsers = query({326  args: {},327  returns: v.array(v.object({328    _id: v.id("users"),329    name: v.string(),330    role: v.string(),331  })),332  handler: async (ctx) => {333    await requireAdmin(ctx);334    335    return await ctx.db.query("users").collect();336  },337});338 339// Internal: Update user role (never exposed)340export const _setUserRole = internalMutation({341  args: {342    userId: v.id("users"),343    role: v.union(v.literal("user"), v.literal("admin")),344  },345  returns: v.null(),346  handler: async (ctx, args) => {347    await ctx.db.patch(args.userId, { role: args.role });348    return null;349  },350});351```352 353## Best Practices354 355- Never run `npx convex deploy` unless explicitly instructed356- Never run any git commands unless explicitly instructed357- Always verify user identity before returning sensitive data358- Use internal functions for sensitive operations359- Validate all arguments with strict validators360- Check ownership before update/delete operations361- Store API keys in environment variables362- Review all public functions for security implications363 364## Common Pitfalls365 3661. **Missing authentication checks** - Always verify identity3672. **Exposing internal operations** - Use internalMutation/Query3683. **Trusting client-provided IDs** - Verify ownership3694. **Using v.any() for arguments** - Use specific validators3705. **Hardcoding secrets** - Use environment variables371 372## References373 374- Convex Documentation: https://docs.convex.dev/375- Convex LLMs.txt: https://docs.convex.dev/llms.txt376- Authentication: https://docs.convex.dev/auth377- Production Security: https://docs.convex.dev/production378- Functions Auth: https://docs.convex.dev/auth/functions-auth

Related skills

Avoid Feature Creep

Install Avoid Feature Creep skill for Claude Code from waynesutton/convexskills.

Convex

This is an umbrella skill that routes you to 11 specialized Convex development skills instead of trying to cram everything into one giant prompt. Hit `/convex-f

Convex Agents

Install Convex Agents skill for Claude Code from waynesutton/convexskills.