convex-security-check

Solid

Quick security audit checklist covering authentication, function exposure, argument validation, row-level access control, and environment variable handling

Category: API & Backend · 403 stars · 30 forks · Updated 4 months ago · License: Apache-2.0


Quality Score: 86/100

Score breakdown (criterion, weight, score):
- Stars (20%): 87
- Recency (20%): 50
- Frontmatter (20%): 70
- Documentation (15%): 100
- Issue Health (10%): 50
- License (10%): 100
- Description (5%): 100

Skill Content

# Convex Security Check

A quick security audit checklist for Convex applications covering authentication, function exposure, argument validation, row-level access control, and environment variable handling.

## Documentation Sources

Before implementing, do not assume; fetch the latest documentation:

- Primary: https://docs.convex.dev/auth
- Production Security: https://docs.convex.dev/production
- Functions Auth: https://docs.convex.dev/auth/functions-auth
- For broader context: https://docs.convex.dev/llms.txt

## Instructions

### Security Checklist

Use this checklist to quickly audit your Convex application's security:

#### 1. Authentication

- [ ] Authentication provider configured (Clerk, Auth0, etc.)
- [ ] All sensitive queries check `ctx.auth.getUserIdentity()`
- [ ] Unauthenticated access explicitly allowed where intended
- [ ] Session tokens properly validated

#### 2. Function Exposure

- [ ] Public functions (`query`, `mutation`, `action`) reviewed
- [ ] Internal functions use `internalQuery`, `internalMutation`, `internalAction`
- [ ] No sensitive operations exposed as public functions
- [ ] HTTP actions validate origin/authentication

#### 3. Argument Validation

- [ ] All functions have explicit `args` validators
- [ ] All functions have explicit `returns` validators
- [ ] No `v.any()` used for sensitive data
- [ ] ID validators use correct table names

#### 4. Row-Level Access Control

- [ ] Users can only access their own data
- [ ] Admin functions check ...
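The following is an added example, not code from the convexskills repository or from Convex itself. It shows what checklist items 1 (every sensitive function checks `ctx.auth.getUserIdentity()`) and 4 (users can only reach their own rows) look like inside a Convex-style handler of the shape `(ctx, args) => ...`. The Convex runtime is not available here, so `makeCtx` is a constructed stand-in that imitates only the two `ctx` members the handlers touch (`ctx.auth.getUserIdentity()`, `ctx.db.get`/`ctx.db.patch`); the `notes` table, the `ownerId` field and the user ids are assumed sample data.

```javascript
// Constructed stand-in for the parts of a Convex ctx the handlers use.
// In a real deployment Convex supplies ctx; this exists only so the
// example runs offline.
function makeCtx(identity, rows) {
  const table = new Map(Object.entries(rows));
  return {
    auth: { getUserIdentity: async () => identity }, // null when anonymous
    db: {
      get: async (id) => table.get(id) ?? null,
      patch: async (id, fields) => {
        table.set(id, { ...table.get(id), ...fields });
      },
    },
  };
}

// Checklist item 1: resolve the caller or fail before touching any data.
async function requireUser(ctx) {
  const identity = await ctx.auth.getUserIdentity();
  if (identity === null) throw new Error("Unauthenticated");
  return identity.subject; // stable per-user id issued by the auth provider
}

// Checklist item 4: the row must exist AND belong to the caller.
// The same error covers "missing" and "not yours", so a caller cannot
// use the error text to learn which ids exist.
async function requireOwnedNote(ctx, noteId, userId) {
  const note = await ctx.db.get(noteId);
  if (note === null || note.ownerId !== userId) throw new Error("Not found");
  return note;
}

// Handler for a public query: only the owner can read a note.
// In a Convex project it would be registered with explicit validators, e.g.
//   export const getNote = query({
//     args: { noteId: v.id("notes") },
//     returns: v.object({ _id: v.id("notes"), text: v.string() }),
//     handler: getNoteHandler,
//   });
async function getNoteHandler(ctx, args) {
  const userId = await requireUser(ctx);
  const note = await requireOwnedNote(ctx, args.noteId, userId);
  return { _id: args.noteId, text: note.text };
}

// Handler for a public mutation: only the owner can edit a note.
async function updateNoteHandler(ctx, args) {
  const userId = await requireUser(ctx);
  await requireOwnedNote(ctx, args.noteId, userId);
  await ctx.db.patch(args.noteId, { text: args.text });
  return null;
}

// Exercises the three callers an audit should try against every sensitive
// function: anonymous, authenticated non-owner, and owner.
async function runScenarios() {
  // Constructed sample row: one note owned by "user_alice".
  const rows = { note1: { ownerId: "user_alice", text: "hello" } };
  const outcome = async (ctx, fn, args) => {
    try {
      return { ok: true, value: await fn(ctx, args) };
    } catch (e) {
      return { ok: false, error: e.message };
    }
  };
  const note = { noteId: "note1" };
  return {
    anonymous: await outcome(makeCtx(null, rows), getNoteHandler, note),
    otherUser: await outcome(makeCtx({ subject: "user_bob" }, rows), getNoteHandler, note),
    owner: await outcome(makeCtx({ subject: "user_alice" }, rows), getNoteHandler, note),
    ownerEdit: await outcome(
      makeCtx({ subject: "user_alice" }, rows),
      updateNoteHandler,
      { noteId: "note1", text: "edited" }
    ),
  };
}

runScenarios().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The two helpers are the whole point: if every public `query` and `mutation` that touches user data starts with `requireUser` and then passes the resulting id into an ownership check, the "users can only access their own data" item is satisfied by construction rather than by per-function review. A function that skips either helper is exactly the kind of exposure items 2 and 4 ask you to look for.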

Details

Author
waynesutton
Repository
waynesutton/convexskills
Created
4 months ago
Last Updated
4 months ago
Language
JavaScript
License
Apache-2.0
