feat: Convex shared auth integration

Author: NamesMT

apps/backend-convex/.env

@@ -0,0 +1,4 @@
+# Use `npx convex env` command to set the following environment variables:
+
+# CUSTOM_JWT_ISSUER=
+# CUSTOM_JWT_JWKS_URL=

apps/backend-convex/convex/_generated/api.d.ts

@@ -13,6 +13,7 @@ import type {
   FilterApi,
   FunctionReference,
 } from "convex/server";
+import type * as authInfo from "../authInfo.js";
 import type * as tasks from "../tasks.js";
 
 /**
@@ -24,6 +25,7 @@ import type * as tasks from "../tasks.js";
  * ```
  */
 declare const fullApi: ApiFromModules<{
+  authInfo: typeof authInfo;
   tasks: typeof tasks;
 }>;
 export declare const api: FilterApi<

apps/backend-convex/convex/auth.config.ts

@@ -0,0 +1,11 @@
+/* eslint-disable node/prefer-global/process */
+export default {
+  providers: [
+    {
+      type: 'customJwt',
+      issuer: process.env.CUSTOM_JWT_ISSUER!,
+      jwks: process.env.CUSTOM_JWT_JWKS_URL!,
+      algorithm: 'RS256',
+    },
+  ],
+}

apps/backend-convex/convex/authInfo.ts

@@ -0,0 +1,8 @@
+import { query } from './_generated/server'
+
+export const get = query({
+  args: {},
+  handler: async (ctx) => {
+    return await ctx.auth.getUserIdentity()
+  },
+})

apps/backend/src/api/$.ts

@@ -1,7 +1,7 @@
 import { appFactory } from '#src/helpers/factory.js'
 import { apiRouteApp } from './$$'
 import { authApp } from './auth/$'
-import { dummyConvexRouteApp } from './dummy/convex'
+import { dummyConvexTasksRouteApp } from './dummy/convexTasks'
 import { dummyGreetRouteApp } from './dummy/greet'
 import { dummyHelloRouteApp } from './dummy/hello'
 
@@ -13,7 +13,7 @@ export const apiApp = appFactory.createApp()
   .route('/auth', authApp)
 
   // Some example routes
-  .route('/dummy/convex', dummyConvexRouteApp)
+  .route('/dummy/convexTasks', dummyConvexTasksRouteApp)
   .route('/dummy/hello', dummyHelloRouteApp)
   .route('/dummy/greet', dummyGreetRouteApp)
 

apps/backend/src/api/auth/$.routes.ts

@@ -1,4 +1,8 @@
-import type { ClaimTokenType, FlagType } from '@kinde-oss/kinde-typescript-sdk'
+/**
+ * This file contains routes and sample routes for possible APIs usecases with Kinde.
+ */
+
+// import type { ClaimTokenType, FlagType } from '@kinde-oss/kinde-typescript-sdk'
 import { appFactory } from '#src/helpers/factory.js'
 import { getSessionManager } from '#src/helpers/kinde.js'
 import { getKindeClient } from '#src/providers/auth/kinde-main.js'
@@ -9,6 +13,18 @@ export const authRoutesApp = appFactory.createApp()
     return c.text('Good', 200)
   })
 
+  .get('/authState', async (c) => {
+    const kindeClient = await getKindeClient()
+    const sessionManager = getSessionManager(c)
+
+    const [profile, token] = await Promise.all([
+      kindeClient.getUserProfile(sessionManager).catch(() => null),
+      kindeClient.getToken(sessionManager).catch(() => null),
+    ])
+
+    return c.json({ profile, token })
+  })
+
   .get('/login', async (c) => {
     const kindeClient = await getKindeClient()
     const org_code = c.req.query('org_code')
@@ -49,92 +65,92 @@ export const authRoutesApp = appFactory.createApp()
     return c.redirect(logoutUrl.toString())
   })
 
-  .get('/isAuth', async (c) => {
-    const kindeClient = await getKindeClient()
+// .get('/isAuth', async (c) => {
+//   const kindeClient = await getKindeClient()
 
-    const isAuthenticated = await kindeClient.isAuthenticated(getSessionManager(c)) // Boolean: true or false
+//   const isAuthenticated = await kindeClient.isAuthenticated(getSessionManager(c)) // Boolean: true or false
 
-    return c.json(isAuthenticated)
-  })
+//   return c.json(isAuthenticated)
+// })
 
-  .get('/profile', async (c) => {
-    const kindeClient = await getKindeClient()
+// .get('/profile', async (c) => {
+//   const kindeClient = await getKindeClient()
 
-    const profile = await kindeClient.getUserProfile(getSessionManager(c))
+//   const profile = await kindeClient.getUserProfile(getSessionManager(c))
 
-    return c.json(profile)
-  })
+//   return c.json(profile)
+// })
 
-  .get('/createOrg', async (c) => {
-    const kindeClient = await getKindeClient()
-    const org_name = c.req.query('org_name')?.toString()
+// .get('/createOrg', async (c) => {
+//   const kindeClient = await getKindeClient()
+//   const org_name = c.req.query('org_name')?.toString()
 
-    const createUrl = await kindeClient.createOrg(getSessionManager(c), { org_name })
+//   const createUrl = await kindeClient.createOrg(getSessionManager(c), { org_name })
 
-    return c.redirect(createUrl.toString())
-  })
+//   return c.redirect(createUrl.toString())
+// })
 
-  .get('/getOrg', async (c) => {
-    const kindeClient = await getKindeClient()
+// .get('/getOrg', async (c) => {
+//   const kindeClient = await getKindeClient()
 
-    const org = await kindeClient.getOrganization(getSessionManager(c))
+//   const org = await kindeClient.getOrganization(getSessionManager(c))
 
-    return c.json(org)
-  })
+//   return c.json(org)
+// })
 
-  .get('/getOrgs', async (c) => {
-    const kindeClient = await getKindeClient()
+// .get('/getOrgs', async (c) => {
+//   const kindeClient = await getKindeClient()
 
-    const orgs = await kindeClient.getUserOrganizations(getSessionManager(c))
+//   const orgs = await kindeClient.getUserOrganizations(getSessionManager(c))
 
-    return c.json(orgs)
-  })
+//   return c.json(orgs)
+// })
 
-  .get('/getPerm/:perm', async (c) => {
-    const kindeClient = await getKindeClient()
+// .get('/getPerm/:perm', async (c) => {
+//   const kindeClient = await getKindeClient()
 
-    const perm = await kindeClient.getPermission(getSessionManager(c), c.req.param('perm'))
+//   const perm = await kindeClient.getPermission(getSessionManager(c), c.req.param('perm'))
 
-    return c.json(perm)
-  })
+//   return c.json(perm)
+// })
 
-  .get('/getPerms', async (c) => {
-    const kindeClient = await getKindeClient()
+// .get('/getPerms', async (c) => {
+//   const kindeClient = await getKindeClient()
 
-    const perms = await kindeClient.getPermissions(getSessionManager(c))
+//   const perms = await kindeClient.getPermissions(getSessionManager(c))
 
-    return c.json(perms)
-  })
+//   return c.json(perms)
+// })
 
-  // Try: /api/auth/getClaim/aud, /api/auth/getClaim/email/id_token
-  .get('/getClaim/:claim', async (c) => {
-    const kindeClient = await getKindeClient()
-    const type = (c.req.query('type') ?? 'access_token') as ClaimTokenType
+// // Try: /api/auth/getClaim/aud, /api/auth/getClaim/email/id_token
+// .get('/getClaim/:claim', async (c) => {
+//   const kindeClient = await getKindeClient()
+//   const type = (c.req.query('type') ?? 'access_token') as ClaimTokenType
 
-    if (!/^(?:access_token|id_token)$/.test(type))
-      return c.text('Bad request: type', 400)
+//   if (!/^(?:access_token|id_token)$/.test(type))
+//     return c.text('Bad request: type', 400)
 
-    const claim = await kindeClient.getClaim(getSessionManager(c), c.req.param('claim'), type)
-    return c.json(claim)
-  })
+//   const claim = await kindeClient.getClaim(getSessionManager(c), c.req.param('claim'), type)
+//   return c.json(claim)
+// })
 
-  .get('/getFlag/:code', async (c) => {
-    const kindeClient = await getKindeClient()
+// .get('/getFlag/:code', async (c) => {
+//   const kindeClient = await getKindeClient()
 
-    const claim = await kindeClient.getFlag(
-      getSessionManager(c),
-      c.req.param('code'),
-      c.req.query('default'),
-      c.req.query('flagType') as keyof FlagType | undefined,
-    )
+//   const claim = await kindeClient.getFlag(
+//     getSessionManager(c),
+//     c.req.param('code'),
+//     c.req.query('default'),
+//     c.req.query('flagType') as keyof FlagType | undefined,
+//   )
 
-    return c.json(claim)
-  })
+//   return c.json(claim)
+// })
 
-  .get('/getToken', async (c) => {
-    const kindeClient = await getKindeClient()
+// .get('/getToken', async (c) => {
+//   const kindeClient = await getKindeClient()
 
-    const accessToken = await kindeClient.getToken(getSessionManager(c))
+//   const accessToken = await kindeClient.getToken(getSessionManager(c))
 
-    return c.text(accessToken)
-  })
+//   return c.text(accessToken)
+// })

apps/backend/src/api/dummy/convex.ts apps/backend/src/api/dummy/convexTasks.tsapps/backend/src/api/dummy/convex.ts renamed to apps/backend/src/api/dummy/convexTasks.ts

@@ -5,11 +5,11 @@ import { api } from 'backend-convex/convex/_generated/api'
 import { describeRoute } from 'hono-openapi'
 import { resolver } from 'hono-openapi/arktype'
 
-export const dummyConvexRouteApp = appFactory.createApp()
+export const dummyConvexTasksRouteApp = appFactory.createApp()
   .get(
     '',
     describeRoute({
-      description: 'Items from `tasks` table',
+      description: 'Get items from `tasks` table',
       responses: {
         200: {
           description: 'The tasks list',

apps/frontend/app/app.vue

@@ -8,7 +8,7 @@ defineOgImageComponent('NuxtSeo', {
   colorMode: 'dark',
 })
 
-const { $init } = useNuxtApp()
+const { $init, $auth } = useNuxtApp()
 onMounted(async () => {
   await nextTick()
   $init.mounted = true
@@ -17,8 +17,13 @@ onMounted(async () => {
 // Init convex client if url configured
 const convexVueContext = inject<ConvexVueContext>('convex-vue')
 // Don't init if on server, see https://github.com/chris-visser/convex-vue/issues/6
-if (import.meta.client && convexVueContext?.options?.url)
+if (import.meta.client && convexVueContext?.options?.url) {
   convexVueContext.initClient(convexVueContext.options)
+  // Also set auth hook for the client
+  convexVueContext.clientRef.value?.setAuth(async () => {
+    return $auth.token
+  })
+}
 </script>
 
 <template>

apps/frontend/app/components/ConvexIntegrationTest.vue

@@ -6,6 +6,7 @@ const { $apiClient } = useNuxtApp()
 const convexClient = useConvexClient()
 
 const { data: tasks } = useConvexQuery(api.tasks.get)
+const { data: authInfo } = useConvexQuery(api.authInfo.get)
 const { mutate: mutateAddTask } = useConvexMutation(api.tasks.add)
 
 const taskInputRef = ref('')
@@ -15,21 +16,24 @@ async function addTask() {
     .then(() => { taskInputRef.value = '' })
 }
 
-const isFetching = ref(false)
-async function testConvexViaBackendCTA() {
-  isFetching.value = true
+const isFetchingTasks = ref(false)
+async function testConvexViaBackendTasksCTA() {
+  isFetchingTasks.value = true
 
-  await hcParse($apiClient.api.dummy.convex.$get())
+  await hcParse($apiClient.api.dummy.convexTasks.$get())
     .then(r => toast.add({ detail: r.map(t => t.text).join('\n') }))
     .catch(e => toast.add({ severity: 'error', detail: e.message }))
 
-  isFetching.value = false
+  isFetchingTasks.value = false
 }
 </script>
 
 <template>
-  <div class="mb-4 text-xl">
-    {{ $t('components.convexIntegrationTest.configuredUrl') }}: <code class="rounded bg-gray-100 px-1 py-0.5 text-base dark:bg-gray-800">{{ convexClient.client.url }}</code>
+  <div class="mb-4 w-full text-xl">
+    <div>
+      {{ $t('components.convexIntegrationTest.configuredUrl') }}: <code class="rounded bg-gray-100 px-1 py-0.5 text-base dark:bg-gray-800">{{ convexClient.client.url }}</code>
+    </div>
+    <div>{{ $t('components.convexIntegrationTest.authInfo') }}: <pre class="max-w-full w-full overflow-x-auto rounded bg-black p-2 px-4 text-left text-xs text-white">{{ authInfo }}</pre></div>
   </div>
   <div class="max-w-md w-full flex flex-col gap-5">
     <IftaLabel class="w-full">
@@ -38,7 +42,7 @@ async function testConvexViaBackendCTA() {
     </IftaLabel>
   </div>
 
-  <div class="mt-6 max-w-md w-full">
+  <div class="max-w-md w-full">
     <h3 class="mb-2 text-lg font-semibold">
       {{ $t('components.convexIntegrationTest.tasksList.title') }}
     </h3>
@@ -52,5 +56,7 @@ async function testConvexViaBackendCTA() {
     </p>
   </div>
 
-  <Button :loading="isFetching" class="mt-8" :label="$t('components.convexIntegrationTest.testBackendButton')" @pointerdown="testConvexViaBackendCTA()" />
+  <div class="my-8 flex flex-col gap-4">
+    <Button :loading="isFetchingTasks" :label="$t('components.convexIntegrationTest.testBackendButton.fetchTasks')" @pointerdown="testConvexViaBackendTasksCTA()" />
+  </div>
 </template>

apps/frontend/app/plugins/auth.ts

@@ -1,10 +1,15 @@
 import type { UserType } from '@kinde-oss/kinde-typescript-sdk'
 import type { Reactive } from 'vue'
 
-export type AuthState = { loggedIn: true, user: UserType } | { loggedIn: false, user: null }
+export type AuthState = (
+  { loggedIn: true, user: UserType, token: string }
+  | { loggedIn: false, user: null, token: null }
+)
 
 // The current plugin targets SSG and CSR, if you use SSR, you need to converts it to useState and useAsyncData for optimized performance
 
+// Note: token is passed down for use 3rd party integrations like Convex, if you only use `frontend` and `backend`, you can remove it to be more secure.
+
 export default defineNuxtPlugin({
   name: 'local-auth',
   parallel: true,
@@ -18,18 +23,21 @@ export default defineNuxtPlugin({
     const auth = reactive({
       loggedIn: false,
       user: null,
+      token: null,
     }) as Reactive<AuthState>
 
     async function refreshAuth() {
-      const profile = await hcParse(authApi.profile.$get()).catch(() => null)
+      const authState = await hcParse(authApi.authState.$get())
 
-      if (profile) {
+      if (authState?.profile) {
         auth.loggedIn = true
-        auth.user = profile
+        auth.user = authState.profile
+        auth.token = authState.token
       }
       else {
         auth.loggedIn = false
         auth.user = null
+        auth.token = null
       }
 
       // Refresh every 15 minutes