refactor: replace convex-helpers with fluent-convex #99

Merged
adelrodriguez merged 1 commit into main from 02-19-refactor_replace_convex-helpers_with_fluent-convex
Feb 19, 2026

adelrodriguez commented Feb 19, 2026

Greptile Summary

This PR refactors the backend from convex-helpers to fluent-convex, modernizing the middleware-based architecture for query/mutation builders. The migration simplifies authentication patterns by replacing custom function wrappers with cleaner middleware composition.

Key changes:

  • Replaced customQuery/customMutation/customAction from convex-helpers with fluent-convex's builder pattern
  • Consolidated auth configuration into createAuthOptions function and moved to #functions/shared/auth.ts
  • Added new internalQuery/internalMutation/internalAction builders for internal-only endpoints
  • Migrated from vv (typed validators) to native v from convex/values
  • Added CORS configuration to HTTP route registration

Critical issues found:

  • adapter.ts:6 - createAuthOptions passed without calling it, needs ctx parameter
  • users.ts:12 - .public() on privateQuery bypasses admin authentication

Pattern inconsistency:

  • Some public queries use .public() terminator (messages, documents, auth) while others don't (models/documents). The fluent-convex pattern may require .public() to explicitly mark visibility.

Confidence Score: 1/5

  • Critical authentication bypass and type error will cause runtime failures
  • Two critical bugs found: (1) admin endpoint exposed publicly in users.ts bypassing authentication, (2) function reference error in adapter.ts will cause type/runtime errors. These must be fixed before merge.
  • packages/backend/src/functions/components/better-auth/adapter.ts and packages/backend/src/functions/private/users.ts require immediate fixes

Important Files Changed

| Filename | Overview |
| --- | --- |
| packages/backend/src/functions/shared/convex.ts | Successfully migrated from convex-helpers to fluent-convex with cleaner middleware-based auth patterns |
| packages/backend/src/functions/components/better-auth/adapter.ts | Critical: createAuthOptions function passed without calling it - will cause type error |
| packages/backend/src/functions/private/users.ts | Critical: .public() on privateQuery bypasses admin authentication middleware |
| packages/backend/src/functions/public/messages.ts | Migrated to fluent-convex pattern with .public() - may be redundant with publicQuery |
| packages/backend/src/functions/models/documents.ts | New file implementing fluent-convex middleware pattern for document operations |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[convex-helpers] -->|Replaced by| B[fluent-convex]

    B --> C[createBuilder]
    C --> D[Base Builders]

    D --> E[convex.query]
    D --> F[convex.mutation]
    D --> G[convex.action]

    H[Middleware] --> I[withLogger]
    H --> J[withAuthentication]
    H --> K[withAdmin]

    E --> L[publicQuery]
    E --> M[protectedQuery]
    E --> N[privateQuery]
    E --> O[internalQuery]

    I --> L
    I --> M
    I --> N
    I --> O

    J --> M
    K --> N

    L --> P[.handler.public]
    M --> Q[.handler]
    N --> R[.handler - ISSUE: .public bypasses auth]
    O --> S[.handler.internal]

    style R fill:#ff6b6b
    style P fill:#51cf66
    style S fill:#51cf66
```

Last reviewed commit: 19b77cb

coderabbitai bot commented Feb 19, 2026

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

adelrodriguez marked this pull request as ready for review February 19, 2026 04:26

greptile-apps bot left a comment

18 files reviewed, 4 comments


export const { create, findOne, findMany, updateOne, updateMany, deleteOne, deleteMany } =
createApi(schema, authOptions)
createApi(schema, createAuthOptions)
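
Review bot: the second argument in `createApi(schema, createAuthOptions)` is now a function, where the line above it passes the `authOptions` value. Confirm from the `createApi` signature that it accepts a `(ctx) => options` factory, and if it does, add a short comment above the export saying the factory is passed uncalled on purpose so it is not read as a missing call.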

createAuthOptions is a function that requires a ctx parameter, but it's being passed directly to createApi without being called. This will cause a type error since createApi expects AuthOptions, not a function.

Suggested change
createApi(schema, createAuthOptions)
createApi(schema, createAuthOptions({} as GenericCtx<DataModel>))
Path: packages/backend/src/functions/components/better-auth/adapter.ts
Line: 6

},
})
})
.public()
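
Review bot: the chain here ends in `.public()`, so the function is registered as callable by any client and every access decision rests on the middleware attached earlier in the chain. Add a test that calls this function with no session and with a non-admin session and expects a rejection in both cases, so the exposure question is answered by behaviour and stays answered after later refactors.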

privateQuery already handles authentication/authorization via middleware, but ending with .public() exposes this endpoint publicly, bypassing the admin check. This contradicts the intent of using privateQuery.

Path: packages/backend/src/functions/private/users.ts
Line: 12

.withIndex("by_document_id", (q) => q.eq("documentId", args.documentId))
.collect()
)
.public()
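
Review bot: the `.withIndex("by_document_id", ...)` query returns every row for whatever `args.documentId` the caller supplies and is then registered with `.public()`; nothing in these lines ties the document to the caller. If documents are not meant to be readable by anyone who knows an id, check the caller's access to `args.documentId` before the query runs, and consider a bounded read (`.take(n)` or pagination) in place of `.collect()`.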

Verify whether .public() is needed when using publicQuery - this may be redundant or follow a different pattern in fluent-convex.

Path: packages/backend/src/functions/public/messages.ts
Line: 13

adelrodriguez force-pushed the 02-19-refactor_replace_convex-helpers_with_fluent-convex branch from aa21bb0 to 7ad4e98 February 19, 2026 04:33
adelrodriguez force-pushed the 02-19-refactor_replace_convex-helpers_with_fluent-convex branch from 7ad4e98 to 19b77cb February 19, 2026 04:37

greptile-apps bot left a comment

17 files reviewed, 2 comments


export const { create, findOne, findMany, updateOne, updateMany, deleteOne, deleteMany } =
createApi(schema, authOptions)
createApi(schema, createAuthOptions)

createAuthOptions requires a ctx parameter but is passed as a reference. This will fail at runtime.

Suggested change
createApi(schema, createAuthOptions)
createApi(schema, createAuthOptions)

The issue is that createApi expects either an AuthOptions object or a function (ctx) => AuthOptions. Since createAuthOptions is defined as (ctx: GenericCtx<DataModel>) => AuthOptions, passing it as a reference should work correctly in the fluent-convex pattern.

Path: packages/backend/src/functions/components/better-auth/adapter.ts
Line: 6

},
})
})
.public()

.public() on privateQuery exposes this admin-only endpoint publicly, bypassing the withAdmin middleware that checks for admin role. Remove .public().

Suggested change
.public()
})
Path: packages/backend/src/functions/private/users.ts
Line: 12
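
Whether a visibility terminator such as `.public()` skips guard middleware is something a test can settle. The following is an added example, not code from this pull request or from fluent-convex: a hypothetical builder (the names `builder`, `probe`, `unguardedPublic` and `registry` are assumptions) in which the terminator only records visibility, with a probe that calls an admin-guarded function as different callers and an audit that lists public functions carrying no guard.

```typescript
// Hypothetical model (not fluent-convex's API): middleware runs before the
// handler on every call; the terminator only records visibility.
type Ctx = { user?: { role: "admin" | "member" } };
type Middleware = (ctx: Ctx) => void; // throws to reject the call
type Handler = (ctx: Ctx) => unknown;
type Registered = { visibility: "public" | "internal"; guards: string[]; call: Handler };
type Terminators = { public: () => Registered; internal: () => Registered };
type Builder = { use: (m: Middleware) => Builder; handler: (fn: Handler) => Terminators };

const withAdmin: Middleware = function withAdmin(ctx) {
  if (ctx.user?.role !== "admin") throw new Error("forbidden");
};

function builder(middleware: Middleware[] = []): Builder {
  const register = (fn: Handler, visibility: Registered["visibility"]): Registered => ({
    visibility,
    guards: middleware.map((m) => m.name),
    call: (ctx) => {
      for (const m of middleware) m(ctx); // guards run whatever the visibility
      return fn(ctx);
    },
  });
  return {
    use: (m) => builder([...middleware, m]),
    handler: (fn) => ({ public: () => register(fn, "public"), internal: () => register(fn, "internal") }),
  };
}

// Calls a registered function as the given caller; returns "ok" or the rejection.
function probe(fn: Registered, ctx: Ctx): string {
  try { fn.call(ctx); return "ok"; } catch (e) { return (e as Error).message; }
}

// Names of client-callable functions that carry no guard at all.
function unguardedPublic(fns: Record<string, Registered>): string[] {
  return Object.entries(fns)
    .filter(([, f]) => f.visibility === "public" && f.guards.length === 0)
    .map(([name]) => name);
}

// Constructed registry mirroring the two shapes discussed in the review.
const registry = {
  listUsers: builder().use(withAdmin).handler(() => ["constructed-user"]).public(),
  listMessages: builder().handler(() => []).public(),
};
```

The same three probes (no session, non-admin, admin) can be run against the real function in a test environment; a guarded function rejects the first two whatever its visibility.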

adelrodriguez merged commit 8704e87 into main Feb 19, 2026
10 checks passed
adelrodriguez deleted the 02-19-refactor_replace_convex-helpers_with_fluent-convex branch February 19, 2026 04:40