Permission Functions in Sync Force Convex Auth Usage

[elazdi-al]

Description:
The optional permission functions in the sync function are limited to two arguments: context and documentId. This restriction prevents passing additional arguments, such as a session token, which is necessary when using alternative authentication solutions like Better Auth to verify user identity or permissions (e.g., write access). As a result, developers are forced to use Convex Auth for permission checks, limiting flexibility with other authentication providers.

Proposed Solution:

• Extend the permission functions to accept additional arguments, allowing custom data (e.g., session tokens) to be passed.
• Alternatively, provide a mechanism to access authentication-related data in the context object for non-Convex Auth providers.

[ianmacartney]

Context is not specific to Convex with. Clerk, oauth providers, and the implementation of better with that erquhart is developing all use ctx.auth under the hood. Passing a session ID as an explicit argument to every function is another pattern butit would require custom hooks and complex types to ensure that if you specify those extra validators the type shows up in the callbacks and the parameters are required on the client somehow. I’m open to PRs for this

…

On Thu, May 8, 2025 at 2:09 AM elazdi-al ***@***.***> wrote: *elazdi-al* created an issue (get-convex/prosemirror-sync#9) <#9> *Description:* The optional permission functions in the sync function are limited to two arguments: context and documentId. This restriction prevents passing additional arguments, such as a session token, which is necessary when using alternative authentication solutions like Better Auth to verify user identity or permissions (e.g., write access). As a result, developers are forced to use Convex Auth for permission checks, limiting flexibility with other authentication providers. *Proposed Solution:* - Extend the permission functions to accept additional arguments, allowing custom data (e.g., session tokens) to be passed. - Alternatively, provide a mechanism to access authentication-related data in the context object for non-Convex Auth providers. — Reply to this email directly, view it on GitHub <#9>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACZQW2PZJO246EWROVFZX325MNLXAVCNFSM6AAAAAB4V6VWBOVHI2DSMVQWIX3LMV43ASLTON2WKOZTGA2DQMZSHE2DIMY> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[ianmacartney]

lmk if this meets your needs @elazdi-al

[elazdi-al]

I get what you're seeing, I'm indeed using better auth but the better-auth kit convex implementation, I tried erquhart but it was honnestly a bit messier and wouldn't support my whole config (I'm using some identity linking etc). For now I have basically checked auth by passing around the session token in client called functions, any suggestions for this to be maybe included in ctx without using convex developped solutions or sm ?

edit:I missclicked completing the issue, didn't mean to

[ianmacartney]

gotcha. Yeah currently that's pretty tough with the current implementation without making a bespoke way to specify extra args on both sides. You could use `process.env.CONVEX_SITE_URL` instead of "your.issuer.url.com" to validate your own JWTs via httpActions One approach here would be to issue a custom JWT with the session ID inside of it. This is a new feature: https://docs.convex.dev/auth/advanced/custom-jwt

…

On Tue, May 13, 2025 at 5:37 PM elazdi-al ***@***.***> wrote: Reopened #9 <#9>. — Reply to this email directly, view it on GitHub <#9 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACZQWZV6Z2MFSXVLAADDH326KF5NAVCNFSM6AAAAAB4V6VWBOVHI2DSMVQWIX3LMV45UABCJFZXG5LFIV3GK3TUJZXXI2LGNFRWC5DJN5XDWMJXGY2DINBRHA3DENI> . You are receiving this because you commented.Message ID: ***@***.***>