Disallow root component UDFs that start with betterAuth/ (#42651)

thomasballinger · Convex, Inc. · commit f188cebbc04d · 2025-11-03T01:54:49.000Z
GitOrigin-RevId: 586784652e7e5e75ff3b1c31c492e548f0f17a90
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/udf/Cargo.toml b/crates/udf/Cargo.toml
@@ -41,6 +41,7 @@ semver = { workspace = true }
 serde_json = { workspace = true }
 sync_types = { workspace = true }
 tokio = { workspace = true }
+tracing = { workspace = true }
 url = { workspace = true }
 value = { workspace = true }
 
diff --git a/crates/udf/src/validation.rs b/crates/udf/src/validation.rs
@@ -1,3 +1,5 @@
+use std::sync::LazyLock;
+
 use anyhow::Context;
 use common::{
     components::{
@@ -86,6 +88,10 @@ pub const SUSPENDED_ERROR_MESSAGE: &str = "Cannot run functions while this deplo
                                            suspended. Please contact Convex if you believe this \
                                            is a mistake.";
 
+/// Convex CLI versions before 1.28.2 double-deployed betterAuth/ paths.
+static MIN_NPM_VERSION_FOR_BETTER_AUTH: LazyLock<Version> =
+    LazyLock::new(|| Version::new(1, 28, 2));
+
 /// Fails with an error if the backend is not running. We have to return a
 /// result of a result of () and a JSError because we use them to
 /// differentiate between system and user errors.
@@ -211,6 +217,15 @@ fn missing_or_internal_error(path: PublicFunctionPath) -> anyhow::Result<String>
     ))
 }
 
+fn should_block_path(path: &ResolvedComponentFunctionPath) -> bool {
+    if path.component != ComponentId::Root {
+        return false;
+    }
+
+    let path_str = path.udf_path.to_string();
+    path_str.starts_with("betterAuth/")
+}
+
 #[fastrace::trace]
 async fn udf_version<RT: Runtime>(
     path: &ResolvedComponentFunctionPath,
@@ -415,6 +430,17 @@ impl ValidatedPathAndArgs {
             )?)));
         };
 
+        if udf_version < *MIN_NPM_VERSION_FOR_BETTER_AUTH && should_block_path(&path) {
+            tracing::warn!(
+                "Blocking betterAuth/ path '{}' for SDK version {} (< 1.28.2)",
+                path.udf_path,
+                udf_version
+            );
+            return Ok(Err(JsError::from_message(missing_or_internal_error(
+                public_path,
+            )?)));
+        }
+
         let returns_validator = if path.udf_path.is_system() {
             ReturnsValidator::Unvalidated
         } else {
diff --git a/npm-packages/js-integration-tests/betterAuth.test.ts b/npm-packages/js-integration-tests/betterAuth.test.ts
@@ -0,0 +1,25 @@
+import { ConvexHttpClient } from "convex/browser";
+import { makeFunctionReference } from "convex/server";
+import { deploymentUrl } from "./common";
+
+describe("betterAuth path blocking", () => {
+  let httpClient: ConvexHttpClient;
+
+  beforeEach(() => {
+    httpClient = new ConvexHttpClient(deploymentUrl);
+  });
+
+  test("betterAuth/ paths should be blocked and return 'not found' error", async () => {
+    // Try to call a function in the betterAuth/ directory
+    // This should be blocked by the validation logic and return the same error
+    // as if the function doesn't exist
+    await expect(
+      httpClient.query(
+        makeFunctionReference<"query">("betterAuth/testFunction:default"),
+        {},
+      ),
+    ).rejects.toThrow(
+      "Could not find public function for 'betterAuth/testFunction'. Did you forget to run `npx convex dev` or `npx convex deploy`?",
+    );
+  });
+});
diff --git a/npm-packages/js-integration-tests/convex/_generated/api.d.ts b/npm-packages/js-integration-tests/convex/_generated/api.d.ts
@@ -15,6 +15,7 @@ import type * as actions_simple from "../actions/simple.js";
 import type * as addUser from "../addUser.js";
 import type * as auth from "../auth.js";
 import type * as basic from "../basic.js";
+import type * as betterAuth_testFunction from "../betterAuth/testFunction.js";
 import type * as cachebust from "../cachebust.js";
 import type * as cleanUp from "../cleanUp.js";
 import type * as component from "../component.js";
@@ -67,6 +68,7 @@ declare const fullApi: ApiFromModules<{
   addUser: typeof addUser;
   auth: typeof auth;
   basic: typeof basic;
+  "betterAuth/testFunction": typeof betterAuth_testFunction;
   cachebust: typeof cachebust;
   cleanUp: typeof cleanUp;
   component: typeof component;
diff --git a/npm-packages/js-integration-tests/convex/betterAuth/testFunction.ts b/npm-packages/js-integration-tests/convex/betterAuth/testFunction.ts
@@ -0,0 +1,9 @@
+import { query } from "../_generated/server";
+
+// This is a test function that should be blocked for SDK versions < 1.28.2
+export default query({
+  args: {},
+  handler: async () => {
+    return { message: "betterAuth function executed successfully" };
+  },
+});
