
Update CUID to CUID2 to improve security #3826

Open
Vashiru opened this issue Mar 29, 2023 · 3 comments

Comments

@Vashiru

Vashiru commented Mar 29, 2023

The issue

Prisma supports using cuid() as a default for the primary key of a table. This is based on the CUID specification outlined here. This GitHub shows the following:

Status: Deprecated due to security. Use Cuid2, instead.
Note: All monotonically increasing (auto-increment), and timestamp-based ids share the security issues with Cuid. V4 UUIDs and GUIDs are also insecure because it’s possible to predict future values of many random algorithms, and many of them are biased, leading to increased probability of collision.

According to the comment here, in order to switch to CUID2, the query-engine of prisma-engines has to be updated.

This can be done by using the cuid2 crate, which has been released a few months ago according to this comment.

Currently it can be worked around by using cuid2 in your middleware and generating them yourself, but it would be nice if Prisma would support it natively. A lot of people are hoping for support in this ticket.

What needs to be done?

I'm not a Rust developer, but looking at the codebase I believe it's a matter of updating the dependencies listed here as well as the default_generators from cuid to cuid2 here. And updating cuid::cuid().unwrap() to cuid2::create_id() in mod.rs and default_value.rs.

After which the types/documentation for Prisma has to be updated to reflect that it's no longer 'cuid' but rather 'cuid2', though I can't seem to find where exactly this has to be done. The text in question is:

Generate a globally unique identifier based on the cuid spec.

Which is referred to here: https://www.prisma.io/docs/reference/api-reference/prisma-schema-reference#cuid and in the typescript tooltip in VScode.

@tomhoule
Contributor

Issues on this repository are not taken into account the same way as on prisma/prisma; the discussion should happen in prisma/prisma#17102

We're planning to disable issues on this repo in the future, so all discussions happen on the main repo.

@dBianchii

I don't understand. How can I preemptively generate a cuid()? Before hitting the database? Can I use https://github.com/paralleldrive/cuid2 ?

@anri-asaturov

> I don't understand. How can I preemptively generate a cuid()? Before hitting the database? Can I use https://github.com/paralleldrive/cuid2 ?

Yes, you can use cuid2, but you will have to define IDs in your schema like this

```prisma
id     String @id
```

i.e., without @default(cuid())

and then you just provide the id when you create a record

```javascript
import { createId as cuid } from '@paralleldrive/cuid2';

// Supply the cuid2 id explicitly, since the schema no longer has @default(cuid()).
await prisma.user.create({
  data: {
    id: cuid(),
    email: 'something@something'
  }
});
```
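The middleware variant of this workaround (mentioned in the opening comment), as an added example that is not code from Prisma or from anyone in this thread. It assumes Prisma Client's `$use` middleware API (a `params` object with `model`, `action` and `args`, plus `next`) and takes the id generator as a parameter so that `createId` from @paralleldrive/cuid2 is passed in by the caller; `runCreate` is a hypothetical helper that only exists to exercise the middleware.

```javascript
// Assumed registration (not from the issue):
//   prisma.$use(cuid2IdMiddleware(createId, ['User', 'Post']))
// where createId comes from @paralleldrive/cuid2. The generator is injected so the
// middleware is self-contained and can be exercised with a stand-in generator.
function cuid2IdMiddleware(createId, models) {
  const managed = new Set(models);

  // Adds a freshly generated id to one record unless the caller supplied one.
  const withId = (record) =>
    record && record.id !== undefined ? record : { id: createId(), ...record };

  return function (params, next) {
    if (managed.has(params.model) && params.args && params.args.data) {
      const data = params.args.data;
      if (params.action === 'create') {
        params.args.data = withId(data);
      } else if (params.action === 'createMany') {
        // createMany accepts an array of records or a single record.
        params.args.data = Array.isArray(data) ? data.map(withId) : withId(data);
      }
    }
    // Models not listed, and all other actions, pass through untouched.
    return next(params);
  };
}

// Hypothetical helper: runs one call through the middleware with a `next` that
// simply returns the params it received, so the injected id can be inspected.
function runCreate(middleware, model, action, data) {
  return middleware({ model, action, args: { data } }, (p) => p);
}

// Demo with a deterministic stand-in generator (constructed; real code passes createId).
let counter = 0;
const fakeCreateId = () => 'k' + String(counter++).padStart(23, '0');
const demo = cuid2IdMiddleware(fakeCreateId, ['User']);
console.log(runCreate(demo, 'User', 'create', { email: 'a@example.com' }).args.data);
```

Because the generator runs in the application process, every create goes through cuid2 even though the schema carries no @default, and an explicitly supplied id is left alone so bulk imports keep working.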
