Make cuid2 available in @default
#17102
Comments
Also interested in this. Any plans? |
Hello! Notes: The JS package says https://github.com/paralleldrive/cuid
Prisma actually uses the Rust version https://crates.io/crates/cuid (based on the JS lib) which doesn't have a replacement for now: |
Notes: After that, the only version we use is https://crates.io/crates/cuid in prisma-engines |
Note: the Rust author of the |
That's awesome, @Jolg42! Thanks |
Seems like the first release dropped https://crates.io/crates/cuid2 |
Has it been changed yet? |
Originally posted by @mplanchard in mplanchard/cuid-rust#4 (comment) |
Hi. I have not been able to fully understand what has developed so far. Is it safe to use @default(cuid()) even though it is deprecated? |
I don’t anticipate any changes in the fundamental `cuid2() -> String`
portion of the rust API, so that is safe to build on. The only thing that
might change before I publish a 1.0 release are some of the details of the
config builder for generating IDs with custom lengths or other parameters,
as well as adding WASM support.
The upstream cuid2 JS package has also made some minor algorithm changes
recently that I need to review, but that won’t change the API for
generating IDs at all.
On Thu, Feb 23, 2023 at 10:50 Yedidya Averjel wrote:
> Hi. I have not been able to fully understand what has developed so far. Is
> it safe to use @default(cuid()) even though it is deprecated?
|
Regarding the deprecation, I don't know the position of the Prisma team, but the position of the author of cuid and cuid2 is that folks should move to cuid2 as soon as they're able to. My personal opinion is that the rust port of the original cuid algorithm doesn't suffer from some of the issues that affected the reference implementation (portability and variable length), but the new version is more collision resistant, so it's still good to migrate when possible. |
Any workarounds available to already use cuid2 with the current release of prisma? |
@kevinvdburgt You can always remove the |
This and we have used a Prisma middleware to generate cuid2 ids. |
Ah yes, a middleware should be the best solution. |
@rothlis Could you provide a snippet of the middleware? |
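It would look something like this:

```ts
import { createId } from "@paralleldrive/cuid2"

// Assign a cuid2 id on create when the caller did not supply one.
prisma.$use(async (params, next) => {
  if (params.action === "create") {
    params.args.data.id ??= createId()
  }
  return next(params)
})
```

You can also filter/exclude specific models with |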
Remember to handle |
I'm trying a Middleware approach but validation with ZOD z.string().cuid2() didn't pass. Is any extra configuration necessary? |
What's the status of this implementation? cuid2 has been deprecated for a couple of months and has clearly stated that it has security vulnerabilities. No harsh feelings toward the Prisma team! |
@tomhoule is there a reason why Prisma couldn't just add |
@default
Looking forward to a native |
Also looking forward to a native implementation. PS: For all interest: I wrote an easily configurable prisma middleware to do this in the interim. (https://git.stefanwimmer128.io/-/snippets/7) |
Hello, I am not sure to follow: is |
@benjamin-guibert Prisma still uses v1, but there are a number of workarounds suggested in this thread. |
Thank you @llravelo. Isn't it as critical as it sounds, the security concern? I'm trying to understand why this is not a priority (6 months old). 🤔 |
The crate has since been published and is stable 😊👍 |
Hi, any updates on whether this will be added into prisma when using |
A small workaround in the mean time using the new $extends API:
From then on you need to use for example |
Any news on CUID2? |
Hi, any updates on this? If this was built into Prisma it would save all of the manual workarounds. Thanks! |
OK I'm surprised this is still open - any updates here? |
Why is this still not implemented? |
2.9K issues, 168 PRs, they must have some issue with people/projects management |
I think there might be some performance considerations in moving away from sequential K-Sortable ids like cuid v1 or uuid. cuid v2 isn't K-Sortable and is also harder to cursor paginate. |
See the section on performance here: https://github.com/paralleldrive/cuid2#note-on-k-sortablesequentialmonotonically-increasing-ids
|
This issue has been open for an entire year? Shouldn't implementing a Anyway, the entire "CUID is insecure!" point is arguably misleading and wrong. CUID was designed as a chronologically sortable ID, if you didn't want that then use UUID instead. I doubt anyone is using CUID for password reset tokens (one of their examples of what it's "insecure"), so that just seems wild to me. I just went back to using UUIDs. |
Surprisingly, am I the only one here with the exact same requirement, but a different use-case? Cuid2 tends to have another strong advantage against cuid1: configurable length. I'm in a situation where I'd love to (voluntarily) reduce the collision-safety and the ids length; just for the pleasure to have short ids. Thus, I just would love to be able to: `id String @id @default(cuid2(length: 10))` |
I can see there's a half baked prisma cuid2 PR that doesn't support custom length and fingerprint yet |
I have made a slightly more improved version of the extension that will automatically apply to all models without having to continuously update the extension. https://gist.github.com/nrdobie/c8255815b0083acf98be3e84bfd7c8a8

```ts
import { createId } from "@paralleldrive/cuid2";
import { Prisma } from "@prisma/client";
import { produce } from "immer";

const cuid2Extension = Prisma.defineExtension({
  name: "cuid2",
  query: {
    $allModels: {
      // Single create: assign a cuid2 id only when the caller gave none.
      create({ query, args }) {
        const argsWithNewId = produce(args, (draft) => {
          if (!draft.data.id) {
            draft.data.id = createId();
          }
        });
        return query(argsWithNewId);
      },
      // createMany accepts either an array of rows or a single object.
      createMany({ query, args }) {
        const argsWithNewIds = produce(args, (draft) => {
          if (Array.isArray(draft.data)) {
            draft.data = draft.data.map((item) => {
              if (!item.id) {
                item.id = createId();
              }
              return item;
            }) as typeof draft.data;
          } else {
            // Only fill in a missing id; never overwrite one that was supplied.
            if (!draft.data.id) {
              draft.data.id = createId();
            }
          }
        });
        return query(argsWithNewIds);
      },
    },
  },
});

export default cuid2Extension;
```

|
Any updates or ETA on CUID2 support for Prisma? |
I converted my solution into a package to make it easier to use CUID2 with Prisma. I am willing to add additional features if people need some extra complexity. |
createdAt is not a good choice for cursor as it is not unique |
Unless I'm misunderstanding you, I think the solution for your concern is to pull the (non-sortable) ID in the result fieldset, sorted by createdAt, and use the ID as the cursor to continue pagination. Forgive me if I'm writing the right answer to the wrong question. But I believe much of the concern about sortable IDs resolves down to when those IDs are public and can be referenced externally (because then bad actors can guess IDs and potentially access out of scope data). One potential solution, if you absolutely must use sortable IDs, is to store multiple IDs and keep the sortable IDs private from ever being displayed to users. |
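The pagination concern raised in the comments above (a `createdAt` cursor is not unique, and cuid2 ids are not sortable), shown as an added example that is not code from the thread or from Prisma. It goes slightly beyond the suggestion by using the pair (`createdAt`, `id`) as the cursor, so the random id only breaks ties; the rows, ids and function names are constructed for illustration.

```javascript
// Constructed sample rows: short random-looking ids stand in for cuid2
// values, and several rows share the same createdAt millisecond.
const ROWS = [
  { id: "q7m", createdAt: 1000 },
  { id: "b2x", createdAt: 1000 },
  { id: "k9d", createdAt: 1000 },
  { id: "z1a", createdAt: 1001 },
  { id: "c4w", createdAt: 1002 },
  { id: "a8n", createdAt: 1002 },
];

// Total order on (createdAt, id): the id only breaks timestamp ties.
function compareRows(a, b) {
  if (a.createdAt !== b.createdAt) return a.createdAt - b.createdAt;
  return a.id < b.id ? -1 : a.id > b.id ? 1 : 0;
}

// Weak variant: the cursor is createdAt alone, so rows that share the
// cursor's timestamp but were not yet returned are skipped.
function pageByCreatedAtOnly(rows, cursor, take) {
  return [...rows].sort(compareRows)
    .filter((r) => cursor === null || r.createdAt > cursor)
    .slice(0, take);
}

// Keyset variant: the cursor is the last row's (createdAt, id) pair.
// SQL equivalent of the filter: (created_at, id) > (:createdAt, :id).
function pageByKeyset(rows, cursor, take) {
  return [...rows].sort(compareRows)
    .filter((r) => cursor === null || compareRows(r, cursor) > 0)
    .slice(0, take);
}

// Follow the cursor page by page and collect every id returned.
function collectAll(pageFn, cursorOf, rows, take) {
  const seen = [];
  let cursor = null;
  for (;;) {
    const page = pageFn(rows, cursor, take);
    if (page.length === 0) return seen;
    seen.push(...page.map((r) => r.id));
    cursor = cursorOf(page[page.length - 1]);
  }
}

const weakIds = collectAll(pageByCreatedAtOnly, (r) => r.createdAt, ROWS, 2);
const keysetIds = collectAll(pageByKeyset, (r) => r, ROWS, 2);
console.log(weakIds.length, keysetIds.length);
```

With a page size of 2, the `createdAt`-only cursor silently drops two of the six rows, while the composite cursor returns each row exactly once without requiring the id itself to be sortable.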
Problem
`cuid()` is deprecated now due to security reasons, can we let `cuid2` be an option when generating ids?