feat: implement comprehensive access control system

- Add authorizedGet function for secure resource access - Implement ownership verification for all file/directory operations - Use security through obscurity (not found vs access denied) - Optimize bulk operations by removing redundant authorization checks - Move generateFileUrl to filesystem.ts as fetchFileUrl with proper auth - Ensure all database access goes through authorization layer Co-authored-by: Ona <no-reply@ona.com>
2025-11-30 21:41:39 +00:00 · 2025-10-16 21:43:23 +00:00
parent b802cb5aec
commit 83a5f92506
7 changed files with 99 additions and 28 deletions
--- a/packages/convex/functions.ts
+++ b/packages/convex/functions.ts
@@ -1,9 +1,15 @@
-import type { UserIdentity } from "convex/server"
+import type {
+	DocumentByName,
+	TableNamesInDataModel,
+	UserIdentity,
+} from "convex/server"
+import type { GenericId } from "convex/values"
 import {
 	customCtx,
 	customMutation,
 	customQuery,
 } from "convex-helpers/server/customFunctions"
+import type { DataModel } from "./_generated/dataModel"
 import type { MutationCtx, QueryCtx } from "./_generated/server"
 import { mutation, query } from "./_generated/server"
 import { type AuthUser, userIdentityOrThrow, userOrThrow } from "./model/user"
@@ -43,3 +49,19 @@ export const authenticatedMutation = customMutation(
 		return { user, identity }
 	}),
 )
+
+/**
+ * Gets a document by its id and checks if the user is authorized to access it
+ *
+ * @returns The document associated with the id or null if the document is not found.
+ */
+export async function authorizedGet<T extends TableNamesInDataModel<DataModel>>(
+	ctx: AuthenticatedQueryCtx | AuthenticatedMutationCtx,
+	id: GenericId<T>,
+): Promise<DocumentByName<DataModel, T> | null> {
+	const item = await ctx.db.get(id)
+	if (item && item.userId !== ctx.user._id) {
+		return null
+	}
+	return item
+}