TanStack · 2mo ago
correct-apricot

Does my auth provider need to integrate directly with DB of choice or just Start in order to work?

This feels like a stupid question. I’m building an app with TanStack Start and want to use Convex as DB. Let’s say I’m planning on using auth ProviderX. Does the auth provider have to also integrate directly with Convex or does it only need to interact with TS Start? If a user is authenticated on an app level do they also need to be authenticated on a DB level to run queries that are a part of the page loaders? When I was playing with Remix/RR7 last year, the access to a DB, even for checking for valid users, was all based on page loaders, and then a DB query that just used a user/pass from the .env, not something that needed to check with the database on its own if it had permission to read/write. Live SSR vs Client side I guess? Does this question make sense?
8 Replies
adverse-sapphire · 2mo ago
cc @ballingt
fair-rose · 2mo ago
If you're using convex, I recommend checking out Clerk. Integrates in VERY easily and will pass clerk token on convex requests. Convex + Clerk + React Query is STUPID good TBH
correct-apricot (OP) · 2mo ago
@Peacock Thanks. I considered Clerk but my app is a closed system. Only users whose accounts are created and authorized in advance can log in. User fills in email address, app checks against table for canLogin = true, if true user is sent OTP. I would need to work in Clerk's scripting world to get that to work and it seemed overly complicated to get it to do something so simple so I gave up on it. But you’re right, for more generic “anyone can sign up/in” it’s great.
fair-rose · 2mo ago
Pretty sure clerk has the ability to handle a list of accepted users.
fair-rose · 2mo ago
Sign-up & Sign-in: Restrictions
Learn how to manage user access to your application by configuring Clerk's access restrictions.
correct-apricot (OP) · 2mo ago
@Peacock I’ll look into that but the basic question remains; does an auth provider need to be able to directly integrate into a DB and a framework, or is integration into a framework sufficient? I think the latter is true, just wanted to make sure.
fair-rose · 2mo ago
That depends how you want to handle security. Technically your convex functions can be externally hit, thus the JWT headers being used.
broad-brown · 2mo ago
> Does the auth provider have to also integrate directly with Convex or does it only need to interact with TS Start? If a user is authenticated on an app level do they also need to be authenticated on a DB level to run queries that are a part of the page loaders?
If you want to make authed queries to a Convex deployment from the frontend, then yes you need to integrate auth with Convex. Endpoints hit directly from the frontend are open to the public as @Peacock points out.
> When I was playing with Remix/RR7 last year, the access to a DB, even for checking for valid users, was all based on page loaders, and then a DB query that just used a user/pass from the .env, not something that needed to check with the database on its own if it had permission to read/write. Live SSR vs Client side I guess?
If you only use Convex from the backend then yeah, no user auth necessary: you could use a shared secret instead. You still need some kind of access control because these endpoints are public, anyone can hit them.
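
Added example, not part of the thread and not Convex's own API: a plain JavaScript model of a publicly reachable backend function that denies by default and accepts either a shared secret from a server-side loader or a verified identity that is on the `canLogin` allow list. The names `listDocuments`, `secretMatches`, `serverSecret`, `SHARED_SECRET` and the sample users are assumptions made for illustration.

```javascript
// Added example: models a public backend endpoint; not Convex's API.

// Constructed sample data: the closed-system allow list described in the thread.
const users = [
  { email: "alice@example.com", canLogin: true },
  { email: "bob@example.com", canLogin: false },
];

// Compare two secrets without returning early on the first differing character.
// (In Node, crypto.timingSafeEqual on equal-length buffers does the same job.)
function secretMatches(presented, expected) {
  if (typeof presented !== "string" || typeof expected !== "string") return false;
  if (expected.length === 0) return false; // an unset secret must never match
  let diff = presented.length ^ expected.length;
  for (let i = 0; i < expected.length; i++) {
    // charCodeAt past the end yields NaN, which the bitwise operators treat as 0.
    diff |= presented.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Hypothetical handler. `identity` stands for claims from a token the platform
// has already verified (null when the caller sent none). `args.serverSecret`
// is what a server-side page loader would send, read from its .env.
function listDocuments({ identity, env }, args = {}) {
  // Path 1: backend caller presenting the shared secret.
  if (secretMatches(args.serverSecret, env.SHARED_SECRET)) {
    return { ok: true, caller: "backend" };
  }
  // Path 2: frontend caller; require a verified identity that is allowed in.
  if (identity) {
    const user = users.find((u) => u.email === identity.email);
    if (user && user.canLogin) return { ok: true, caller: user.email };
  }
  // Default deny: the endpoint is public, so anonymous calls must fail here.
  return { ok: false, error: "unauthorized" };
}

// Constructed demo values.
const env = { SHARED_SECRET: "constructed-demo-secret" };
console.log(listDocuments({ identity: null, env }));
console.log(listDocuments({ identity: null, env }, { serverSecret: env.SHARED_SECRET }));
console.log(listDocuments({ identity: { email: "bob@example.com" }, env }));
```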
