# Convex Security Scanner — Find public-query data leaks (`renzomacar/convex-security-scanner`) Actor

Probes a public Convex deployment for queries that return data without auth. Convex queries are public-by-default unless you check auth inside the handler. Returns counts + reproducer.

- **URL**: https://apify.com/renzomacar/convex-security-scanner.md
- **Developed by:** [Renzo Madueno](https://apify.com/renzomacar) (community)
- **Categories:** Developer tools
- **Stats:** 2 total users, 1 monthly user, 100.0% runs succeeded
- **User rating**: No ratings yet

## Pricing

Pay per usage

This Actor is paid per platform usage. The Actor is free to use, and you only pay for the Apify platform usage, which gets cheaper the higher subscription plan you have.

Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-usage

## What's an Apify Actor?

Actors are software tools running on the Apify platform for all kinds of web data extraction and automation use cases.
In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours,
and optionally produces a well-defined JSON output, datasets with results, or files in key-value store.
In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server.
Actors are written with capital "A".

## How to integrate an Actor?

If asked about integration, you help developers integrate Actors into their projects.
You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready.
The best way to integrate Actors is as follows.

In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md):

```bash
npm install apify-client
```

In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md):

```bash
pip install apify-client
```

In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md):

```bash
# MacOS / Linux
curl -fsSL https://apify.com/install-cli.sh | bash
# Windows
irm https://apify.com/install-cli.ps1 | iex
```

In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md).

If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md).

For usage examples, see the [API](#api) section below.

For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt).


# README

## Convex Security Scanner — Find public-query data leaks

> **Convex queries are PUBLIC BY DEFAULT.** The framework gives you `query()` and `mutation()` builders that, unless you add an explicit `const userId = await getAuthUserId(ctx)` check at the top, will execute for any caller posting to your deployment's `/api/query` endpoint. Every Convex starter on GitHub I've reviewed has at least one query that forgot the auth check. **This actor finds those leaks in 30 seconds.**

Probes a public Convex deployment for **queries that return data without authentication**. For each function path it sends `POST /api/query` using the standard Convex protocol. Returns item counts plus a verbatim `curl` reproducer per finding. Only counts are persisted; row data never is.

> 💸 **Found a leak?** I do turnkey Convex audits + auth-guard rewrites for **$99** ([Stripe](https://buy.stripe.com/00w9AT9TWdaW7yx9KkcAo01) — 48h, money-back if nothing actionable). Or **$29/mo** weekly auto-scans at [rls-monitor.vercel.app](https://rls-monitor.vercel.app/).

> ⭐️ **Solo dev competing with bigger Apify publishers.** A [30-second review](https://apify.com/renzomacar/convex-security-scanner#reviews) is the single thing that lifts ranking. Thank you.

### Why this exists

Convex's mental model is functions-as-API. You write `query()` handlers in TypeScript, and the framework deploys them. The default behavior is **no auth required** — the handler runs for every caller. To require auth you must explicitly write:

```ts
const userId = await getAuthUserId(ctx);
if (!userId) throw new Error('Unauthorized');
```

This works great when you remember. The problem: tutorials show queries without auth checks (to keep examples simple), and that pattern bleeds into real code. Worst offenders:

1. **`users:list`, `users:listAll`** — copy-pasted from "show all users" tutorials, ships to production with no guard
2. **`messages:list`, `chats:list`** — same pattern, leaks every conversation
3. **`orders:list`, `payments:list`** — when the team builds an admin dashboard, they often clone an existing list function and forget the role check

This scanner probes ~30 common Convex function paths (`users:list`, `messages:list`, etc.) plus any custom paths you pass as hints.
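The same class of bug can be caught before deployment by reading the `convex/` sources in CI. The lint below is an added example, not part of this Actor or of Convex. It assumes handlers are built with `query`, `mutation` or `action` from `./_generated/server`, and treats a call to `getAuthUserId(ctx)` or to Convex's built-in `ctx.auth.getUserIdentity()` inside the builder call as the auth check. `internalQuery`, `internalMutation` and `internalAction` are skipped because they cannot be called from `/api/query`. The sources under `SAMPLE_FILES` are constructed for the example.

```typescript
// Added example, not the scanner's code: flag public Convex functions whose
// builder call never performs an auth check.

type Finding = { file: string; name: string; kind: string; reason: string };

// Builders reachable by anonymous callers. internal* builders are only
// callable from other Convex functions, so they are not public.
const PUBLIC_BUILDERS = new Set(['query', 'mutation', 'action']);

// What counts as an auth check (assumption: getAuthUserId from
// @convex-dev/auth, or the built-in ctx.auth.getUserIdentity()).
const AUTH_CALL = /getAuthUserId\s*\(\s*ctx\s*\)|ctx\.auth\.getUserIdentity\s*\(/;

// Return the text between the parenthesis at `openIdx` and its matching
// close, tracking (), {} and [] nesting. Braces inside string literals are
// not special-cased; that is a known limitation of this lint.
function balancedArg(src: string, openIdx: number): string | null {
  let depth = 0;
  for (let i = openIdx; i < src.length; i++) {
    const c = src[i];
    if (c === '(' || c === '{' || c === '[') depth++;
    else if (c === ')' || c === '}' || c === ']') {
      depth--;
      if (depth === 0) return src.slice(openIdx + 1, i);
    }
  }
  return null; // unbalanced source
}

// Lint one file's text: every `export const X = builder(...)` whose builder
// is public and whose argument text contains no auth call is a finding.
export function lintConvexSource(file: string, src: string): Finding[] {
  const findings: Finding[] = [];
  const exportRe = /export\s+const\s+(\w+)\s*=\s*(\w+)\s*\(/g;
  let m: RegExpExecArray | null;
  while ((m = exportRe.exec(src)) !== null) {
    const name = m[1] ?? '';
    const builder = m[2] ?? '';
    if (!PUBLIC_BUILDERS.has(builder)) continue;
    const body = balancedArg(src, m.index + m[0].length - 1);
    if (body === null) continue;
    if (!AUTH_CALL.test(body)) {
      findings.push({ file, name, kind: builder, reason: 'no auth check in handler' });
    }
  }
  return findings;
}

export function lintAll(files: Record<string, string>): Finding[] {
  const out: Finding[] = [];
  for (const file of Object.keys(files)) {
    out.push(...lintConvexSource(file, files[file] ?? ''));
  }
  return out;
}

// Constructed sample sources: one leaky query, one guarded query, one
// internal function (not public) and one leaky mutation.
export const SAMPLE_FILES: Record<string, string> = {
  'convex/users.ts': `
import { query } from './_generated/server';
import { getAuthUserId } from '@convex-dev/auth/server';

export const list = query({
  args: {},
  handler: async (ctx) => ctx.db.query('users').collect(),
});

export const me = query({
  args: {},
  handler: async (ctx) => {
    const userId = await getAuthUserId(ctx);
    if (!userId) throw new Error('Unauthorized');
    return ctx.db.get(userId);
  },
});
`,
  'convex/admin.ts': `
import { v } from 'convex/values';
import { internalQuery, mutation } from './_generated/server';

export const rebuildStats = internalQuery({ args: {}, handler: async (ctx) => 0 });

export const setRole = mutation({
  args: { userId: v.id('users'), role: v.string() },
  handler: async (ctx, { userId, role }) => { await ctx.db.patch(userId, { role }); },
});
`,
};

// Running lintAll(SAMPLE_FILES) reports users.ts:list and admin.ts:setRole.
```

Wire `lintAll` over the real `convex/` directory in CI and fail the build on any finding; a handler that legitimately needs no auth (a public landing-page query) can be allow-listed by name rather than by weakening the rule.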

### How to run

Either:

1. **Leave inputs empty** + click **Run** for a DEMO sample report
2. **Provide your `convexUrl`** to scan your actual deployment

```json
{
  "convexUrl": "https://abc-fox-456.convex.cloud",
  "functionHints": ["custom:listForUser", "myFile:getSomething"],
  "outputFormat": "both"
}
```

### What you get

- **HTML report** in run's KV store: severity-coded findings, copy-pasteable `curl` reproducers, paste-ready auth-guard snippets to add to each handler
- **Dataset rows**: one structured row per finding

### Sample finding

```
[CRITICAL] users:list — returns data anonymously
Items returned: 2,891
Sample columns: _id, _creationTime, email, name, imageUrl, clerkId, role, stripeCustomerId
Sensitive columns detected: email, clerkId, stripeCustomerId

Reproducer:
curl -X POST 'https://abc-fox-456.convex.cloud/api/query' \
  -H 'Content-Type: application/json' \
  -d '{"path":"users:list","args":{}}'
```

### How to fix (code change)

In each leaky query, add an auth guard at the top of the handler:

```ts
// convex/users.ts
import { v } from 'convex/values';
import { query } from './_generated/server';
import { getAuthUserId } from '@convex-dev/auth/server';

export const list = query({
  args: {},
  handler: async (ctx) => {
    const userId = await getAuthUserId(ctx);
    if (!userId) throw new Error('Unauthorized');
    return await ctx.db.query('users').collect();
  },
});
```

For per-user scoped reads (most common case):

```ts
// convex/orders.ts (export name is illustrative; assumes an index `byOwner` on `ownerId`)
import { query } from './_generated/server';
import { getAuthUserId } from '@convex-dev/auth/server';

export const listMine = query({
  args: {},
  handler: async (ctx) => {
    const userId = await getAuthUserId(ctx);
    if (!userId) throw new Error('Unauthorized');
    // Only the caller's own rows, selected through the index rather than filtered after the fact
    return await ctx.db
      .query('orders')
      .withIndex('byOwner', q => q.eq('ownerId', userId))
      .collect();
  },
});
```

For role-gated reads (admin dashboard):

```ts
// convex/orders.ts (export name is illustrative; assumes a `role` field on the users document)
import { query } from './_generated/server';
import { getAuthUserId } from '@convex-dev/auth/server';

export const listAll = query({
  args: {},
  handler: async (ctx) => {
    const userId = await getAuthUserId(ctx);
    if (!userId) throw new Error('Unauthorized');
    // Authenticated is not enough here: the caller must also hold the admin role
    const me = await ctx.db.get(userId);
    if (me?.role !== 'admin') throw new Error('Forbidden');
    return await ctx.db.query('orders').collect();
  },
});
```

### Ethical use

- Only scan deployments you own
- Probe queries do not write data; they only call existing queries

### Related

- **Stripe audit ($99 one-time)**: [buy.stripe.com/00w9AT9TWdaW7yx9KkcAo01](https://buy.stripe.com/00w9AT9TWdaW7yx9KkcAo01)
- **Weekly auto-scans ($29/mo)**: [rls-monitor.vercel.app](https://rls-monitor.vercel.app/)
- **Sister scanners**: [Supabase](https://apify.com/renzomacar/supabase-rls-scanner), [Firebase](https://apify.com/renzomacar/firebase-security-auditor), [Strapi](https://apify.com/renzomacar/strapi-security-scanner), [Directus](https://apify.com/renzomacar/directus-security-scanner), [Payload CMS](https://apify.com/renzomacar/payload-security-scanner), [Convex](https://apify.com/renzomacar/convex-security-scanner), [Hasura](https://apify.com/renzomacar/hasura-security-scanner), [PocketBase](https://apify.com/renzomacar/pocketbase-security-scanner), [Appwrite](https://apify.com/renzomacar/appwrite-security-auditor), [Nhost](https://apify.com/renzomacar/nhost-security-scanner).

Built by [Renzo](https://github.com/Perufitlife).

# Actor input Schema

## `convexUrl` (type: `string`):

Your Convex deployment URL, e.g. https://abc-fox-456.convex.cloud. Find it in the Convex dashboard. Leave empty + click Run for a sample report.

## `functionHints` (type: `array`):

Beyond ~30 common function paths, list any custom ones from your Convex schema. Format: 'file:functionName' (e.g. 'messages:list', 'users:getCurrentUser').

## `outputFormat` (type: `string`):

JSON for programmatic use; HTML report saved to KV store under report.html.

## Actor input object example

```json
{
  "functionHints": [],
  "outputFormat": "both"
}
```

# API

You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup.

## JavaScript example

```javascript
import { ApifyClient } from 'apify-client';

// Initialize the ApifyClient with your Apify API token
// Replace the '<YOUR_API_TOKEN>' with your token
const client = new ApifyClient({
    token: '<YOUR_API_TOKEN>',
});

// Prepare Actor input
const input = {};

// Run the Actor and wait for it to finish
const run = await client.actor("renzomacar/convex-security-scanner").call(input);

// Fetch and print Actor results from the run's dataset (if any)
console.log('Results from dataset');
console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`);
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
    console.dir(item);
});

// 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs

```

## Python example

```python
from apify_client import ApifyClient

# Initialize the ApifyClient with your Apify API token
# Replace '<YOUR_API_TOKEN>' with your token.
client = ApifyClient("<YOUR_API_TOKEN>")

# Prepare the Actor input
run_input = {}

# Run the Actor and wait for it to finish
run = client.actor("renzomacar/convex-security-scanner").call(run_input=run_input)

# Fetch and print Actor results from the run's dataset (if there are any)
print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"])
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

# 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start

```

## CLI example

```bash
echo '{}' |
apify call renzomacar/convex-security-scanner --silent --output-dataset

```

## MCP server setup

```json
{
    "mcpServers": {
        "apify": {
            "command": "npx",
            "args": [
                "mcp-remote",
                "https://mcp.apify.com/?tools=renzomacar/convex-security-scanner",
                "--header",
                "Authorization: Bearer <YOUR_API_TOKEN>"
            ]
        }
    }
}

```

## OpenAPI specification

```json
{
    "openapi": "3.0.1",
    "info": {
        "title": "Convex Security Scanner — Find public-query data leaks",
        "description": "Probes a public Convex deployment for queries that return data without auth. Convex queries are public-by-default unless you check auth inside the handler. Returns counts + reproducer.",
        "version": "0.1",
        "x-build-id": "EWLi5geFZqFg6SUPf"
    },
    "servers": [
        {
            "url": "https://api.apify.com/v2"
        }
    ],
    "paths": {
        "/acts/renzomacar~convex-security-scanner/run-sync-get-dataset-items": {
            "post": {
                "operationId": "run-sync-get-dataset-items-renzomacar-convex-security-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        },
        "/acts/renzomacar~convex-security-scanner/runs": {
            "post": {
                "operationId": "runs-sync-renzomacar-convex-security-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor and returns information about the initiated run in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/runsResponseSchema"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/acts/renzomacar~convex-security-scanner/run-sync": {
            "post": {
                "operationId": "run-sync-renzomacar-convex-security-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "inputSchema": {
                "type": "object",
                "properties": {
                    "convexUrl": {
                        "title": "Convex Deployment URL (leave empty for DEMO)",
                        "type": "string",
                        "description": "Your Convex deployment URL, e.g. https://abc-fox-456.convex.cloud. Find it in the Convex dashboard. Leave empty + click Run for a sample report."
                    },
                    "functionHints": {
                        "title": "Extra function paths to probe (optional)",
                        "type": "array",
                        "description": "Beyond ~30 common function paths, list any custom ones from your Convex schema. Format: 'file:functionName' (e.g. 'messages:list', 'users:getCurrentUser').",
                        "default": [],
                        "items": {
                            "type": "string"
                        }
                    },
                    "outputFormat": {
                        "title": "Output format",
                        "enum": [
                            "json",
                            "html-report",
                            "both"
                        ],
                        "type": "string",
                        "description": "JSON for programmatic use; HTML report saved to KV store under report.html.",
                        "default": "both"
                    }
                }
            },
            "runsResponseSchema": {
                "type": "object",
                "properties": {
                    "data": {
                        "type": "object",
                        "properties": {
                            "id": {
                                "type": "string"
                            },
                            "actId": {
                                "type": "string"
                            },
                            "userId": {
                                "type": "string"
                            },
                            "startedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "finishedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "status": {
                                "type": "string",
                                "example": "READY"
                            },
                            "meta": {
                                "type": "object",
                                "properties": {
                                    "origin": {
                                        "type": "string",
                                        "example": "API"
                                    },
                                    "userAgent": {
                                        "type": "string"
                                    }
                                }
                            },
                            "stats": {
                                "type": "object",
                                "properties": {
                                    "inputBodyLen": {
                                        "type": "integer",
                                        "example": 2000
                                    },
                                    "rebootCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "restartCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "resurrectCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "computeUnits": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "options": {
                                "type": "object",
                                "properties": {
                                    "build": {
                                        "type": "string",
                                        "example": "latest"
                                    },
                                    "timeoutSecs": {
                                        "type": "integer",
                                        "example": 300
                                    },
                                    "memoryMbytes": {
                                        "type": "integer",
                                        "example": 1024
                                    },
                                    "diskMbytes": {
                                        "type": "integer",
                                        "example": 2048
                                    }
                                }
                            },
                            "buildId": {
                                "type": "string"
                            },
                            "defaultKeyValueStoreId": {
                                "type": "string"
                            },
                            "defaultDatasetId": {
                                "type": "string"
                            },
                            "defaultRequestQueueId": {
                                "type": "string"
                            },
                            "buildNumber": {
                                "type": "string",
                                "example": "1.0.0"
                            },
                            "containerUrl": {
                                "type": "string"
                            },
                            "usage": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "integer",
                                        "example": 1
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "usageTotalUsd": {
                                "type": "number",
                                "example": 0.00005
                            },
                            "usageUsd": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "number",
                                        "example": 0.00005
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```
