convex-security-audit

Solid

Deep security review patterns for authorization logic, data access boundaries, action isolation, rate limiting, and protecting sensitive operations

Category: API & Backend · 403 stars · 30 forks · Updated 4 months ago · License: Apache-2.0

Quality Score: 86/100

| Criterion | Weight | Score |
|---|---|---|
| Stars | 20% | 87 |
| Recency | 20% | 50 |
| Frontmatter | 20% | 70 |
| Documentation | 15% | 100 |
| Issue Health | 10% | 50 |
| License | 10% | 100 |
| Description | 5% | 100 |

Skill Content

# Convex Security Audit

Comprehensive security review patterns for Convex applications including authorization logic, data access boundaries, action isolation, rate limiting, and protecting sensitive operations.

## Documentation Sources

Before implementing, do not assume; fetch the latest documentation:

- Primary: https://docs.convex.dev/auth/functions-auth
- Production Security: https://docs.convex.dev/production
- For broader context: https://docs.convex.dev/llms.txt

## Instructions

### Security Audit Areas

1. **Authorization Logic** - Who can do what
2. **Data Access Boundaries** - What data users can see
3. **Action Isolation** - Protecting external API calls
4. **Rate Limiting** - Preventing abuse
5. **Sensitive Operations** - Protecting critical functions

### Authorization Logic Audit

#### Role-Based Access Control (RBAC)

```typescript
// convex/lib/auth.ts
import { QueryCtx, MutationCtx } from "./_generated/server";
import { ConvexError } from "convex/values";
import { Doc } from "./_generated/dataModel";

type UserRole = "user" | "moderator" | "admin" | "superadmin";

const roleHierarchy: Record<UserRole, number> = {
  user: 0,
  moderator: 1,
  admin: 2,
  superadmin: 3,
};

export async function getUser(ctx: QueryCtx | MutationCtx): Promise<Doc<"users"> | null> {
  const identity = await ctx.auth.getUserIdentity();
  if (!identity) return null;
  return await ctx.db
    .query("users")
    .withIndex("by_tokenIdentifier", (q) => q.eq("tokenIdenti...
```
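The listing's copy of the skill's RBAC helper is cut off above. What follows is an added example, not code from the convexskills repository: it completes the role-hierarchy check the skill begins and pairs it with the row-level ownership check that the "Data Access Boundaries" audit area calls for. Because Convex's real `ctx` and generated tables cannot be imported outside a deployment, the example runs against a hypothetical `AuthCtx` stand-in, a constructed in-memory users/posts store and made-up identities; the helper names `requireUser`, `requireRole`, `canEditPost` and `requireCanEditPost` are this example's own, not the skill's.

```typescript
// Added example, not code from the convexskills repository. Assumption: the
// AuthCtx interface, the table shapes, the in-memory store and all identities
// are hypothetical stand-ins for Convex's real ctx and generated tables.
type UserRole = "user" | "moderator" | "admin" | "superadmin";

// Higher number = more privilege; `required` is satisfied by any rank >= it.
const roleHierarchy: Record<UserRole, number> = { user: 0, moderator: 1, admin: 2, superadmin: 3 };

interface UserDoc { _id: string; tokenIdentifier: string; role: UserRole }
interface PostDoc { _id: string; authorId: string; title: string }

// Stand-in for the members of QueryCtx/MutationCtx these helpers use.
interface AuthCtx {
  auth: { getUserIdentity(): Promise<{ tokenIdentifier: string } | null> };
  db: {
    userByToken(tokenIdentifier: string): Promise<UserDoc | null>;
    post(id: string): Promise<PostDoc | null>;
  };
}

// Separates "not signed in" from "signed in but not allowed" for the client
// while saying nothing about whether the target row exists.
class AuthorizationError extends Error {
  readonly code: "UNAUTHENTICATED" | "FORBIDDEN";
  constructor(code: "UNAUTHENTICATED" | "FORBIDDEN") {
    super(code);
    this.name = "AuthorizationError";
    this.code = code;
  }
}

function hasRole(actual: UserRole, required: UserRole): boolean {
  return roleHierarchy[actual] >= roleHierarchy[required];
}

async function getUser(ctx: AuthCtx): Promise<UserDoc | null> {
  const identity = await ctx.auth.getUserIdentity();
  if (!identity) return null;
  return ctx.db.userByToken(identity.tokenIdentifier);
}

// Fail closed: a valid token with no users row (e.g. a sign-up race) is
// treated as unauthenticated, never given an implicit default role.
async function requireUser(ctx: AuthCtx): Promise<UserDoc> {
  const user = await getUser(ctx);
  if (!user) throw new AuthorizationError("UNAUTHENTICATED");
  return user;
}

async function requireRole(ctx: AuthCtx, required: UserRole): Promise<UserDoc> {
  const user = await requireUser(ctx);
  if (!hasRole(user.role, required)) throw new AuthorizationError("FORBIDDEN");
  return user;
}

// Row-level boundary: the author, or moderator and above, may edit a post. A
// missing post is simply "not allowed", so the error cannot probe which IDs exist.
function canEditPost(user: UserDoc, post: PostDoc | null): boolean {
  if (!post) return false;
  return post.authorId === user._id || hasRole(user.role, "moderator");
}

async function requireCanEditPost(ctx: AuthCtx, postId: string): Promise<PostDoc> {
  const user = await requireUser(ctx);
  const post = await ctx.db.post(postId);
  if (!post || !canEditPost(user, post)) throw new AuthorizationError("FORBIDDEN");
  return post;
}

// Constructed sample deployment.
const USERS: UserDoc[] = [
  { _id: "u_alice", tokenIdentifier: "issuer|alice", role: "admin" },
  { _id: "u_bob", tokenIdentifier: "issuer|bob", role: "user" },
  { _id: "u_mia", tokenIdentifier: "issuer|mia", role: "moderator" },
];
const POSTS: PostDoc[] = [
  { _id: "p1", authorId: "u_bob", title: "bob's post" },
  { _id: "p2", authorId: "u_alice", title: "alice's post" },
];

// ctx for a caller presenting `tokenIdentifier` (null = anonymous request).
function makeCtx(tokenIdentifier: string | null): AuthCtx {
  return {
    auth: { getUserIdentity: async () => (tokenIdentifier ? { tokenIdentifier } : null) },
    db: {
      userByToken: async (t: string) => USERS.find((u) => u.tokenIdentifier === t) ?? null,
      post: async (id: string) => POSTS.find((p) => p._id === id) ?? null,
    },
  };
}

// Reduce a check to "ALLOWED" or its AuthorizationError code.
async function outcome(check: Promise<unknown>): Promise<string> {
  try { await check; return "ALLOWED"; }
  catch (e) { return (e as { code?: string }).code ?? "ERROR"; }
}

// Decision table an auditor can eyeball: who may do what against this store.
async function demo(): Promise<Record<string, string>> {
  return {
    aliceAdmin: await outcome(requireRole(makeCtx("issuer|alice"), "admin")),
    bobAdmin: await outcome(requireRole(makeCtx("issuer|bob"), "admin")),
    anonUser: await outcome(requireRole(makeCtx(null), "user")),
    unknownToken: await outcome(requireRole(makeCtx("issuer|ghost"), "user")),
    bobEditsOwn: await outcome(requireCanEditPost(makeCtx("issuer|bob"), "p1")),
    bobEditsAlices: await outcome(requireCanEditPost(makeCtx("issuer|bob"), "p2")),
    bobEditsMissing: await outcome(requireCanEditPost(makeCtx("issuer|bob"), "nope")),
    miaEditsAlices: await outcome(requireCanEditPost(makeCtx("issuer|mia"), "p2")),
  };
}

demo().then((table) => console.log(table));
```

Run it with tsx or ts-node; `demo()` prints the decision table. The two outcomes an auditor should look for in a real Convex codebase are the ones the constructed cases exercise: a token with no matching `users` row is rejected as unauthenticated rather than handed a default role, and editing a missing post yields the same `FORBIDDEN` as editing someone else's post, so the error cannot be used to enumerate IDs.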

Details

Author: waynesutton
Repository: waynesutton/convexskills
Created: 4 months ago
Last Updated: 4 months ago
Language: JavaScript
License: Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

convex-security-check (API & Backend, Solid) by waynesutton; 403 stars, updated 4 months ago

Quick security audit checklist covering authentication, function exposure, argument validation, row-level access control, and environment variable handling
security-audit (Data & Documents, Listed) by Heet-P; 2 stars, updated 1 week ago

Deep adversarial security audit engine for full-stack web applications. Use this skill when the user wants to audit a codebase for security vulnerabilities, broken access control, injection risks, authentication weaknesses, payment security, file upload exploits, IDOR, CSRF, SSRF, RLS bypass, business logic abuse, rate limiting gaps, or deployment security issues. Trigger whenever the user says "audit my security", "find vulnerabilities", "pen test my app", "is this secure", "check for IDOR", "harden my auth", "review my payment flow for exploits", "can someone bypass this", "what can an attacker do", or shares code and asks about security, exploits, or hardening. Also trigger proactively when reviewing any app that handles auth, payments, file uploads, admin routes, or user-generated content — even if the user doesn't use the word "security".
owasp-security (AI & Automation, Listed) by Makiya1202; 2 stars, updated today

Implement secure coding practices following OWASP Top 10. Use when preventing security vulnerabilities, implementing authentication, securing APIs, or conducting security reviews. Triggers on OWASP, security, XSS, SQL injection, CSRF, authentication security, secure coding, vulnerability.