FoalTS / foal

Full-featured Node.js framework, with no complexity. 🚀 Simple and easy to use, TypeScript-based and well-documented.
https://foalts.org/
MIT License

The user ID must be a number In SessionStore? #1105

Closed ryanhyslop closed 1 year ago

ryanhyslop commented 1 year ago

I was just following along with some of the boilerplate instructions (https://foalts.org/docs/security/csrf-protection) and everything was going well until trying to set a user onto the session.

Our user ids are uuid strings, and saving our user throws the following error:

Error: [TypeORMStore] Impossible to save the session. The user ID must be a number. at TypeORMStore.save (/usr/src/app/node_modules/@foal/typeorm/lib/typeorm-store.service.js:58:19)

I'm just wondering if there's a workaround or if there's a particular reason this rule is so strictly enforced?

LoicPoullain commented 1 year ago

Yes, this is a limitation of the framework. The user ID must be a number when using TypeORM store.

The reason behind this is that we have to specify a type for the user ID column of the session SQL table. This one must be a primitive type (either an integer or a string) and the choice was made to use integers as they seem to be more widely used for relational databases.

I'm curious, is there any reason why you use uuid and not numbers for your user IDs?

A workaround could be to use the redis store which supports both strings and numbers as user ID type.

ryanhyslop commented 1 year ago

Thanks for getting back to me @LoicPoullain.

As to why we're using uuids instead of auto-incrementing integers, this blog post covers a few reasons why this could be a valid use case (https://www.clever-cloud.com/blog/engineering/2015/05/20/why-auto-increment-is-a-terrible-idea/) - if you ignore the clickbait title, as I'm not particularly ideological about it. The main thing for us is that our user ids were exposed via an API and linked to another SaaS service; uuids gave us a level of obfuscation over, say, user id '2'.

Good to know there's a workaround with the Redis store; we can explore that option. Hoping you'd be open-minded to supporting this via the regular SessionStore in the future!
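The two constraints discussed in this thread (the session store only accepts an integer user ID, while exposing sequential integers through an API makes accounts trivially enumerable) can be satisfied together by keeping an internal integer key for the session store and handing out only a random UUID externally. The following is an added example, not FoalTS or TypeORM code: the in-memory user table and the `saveSession` stand-in for the store's integer check are constructed for illustration, and the names `createUser`, `findByPublicId`, `toPublicUser`, `login` and `userForSession` are assumptions of this example.

```typescript
// Added example (not FoalTS code): internal integer key for session storage,
// random UUID as the only identifier that leaves the service.
import { randomUUID } from 'crypto';

export interface User {
  id: number;        // internal key, satisfies the integer-only session store
  publicId: string;  // external handle, random UUID (not guessable/sequential)
  email: string;
}

// Constructed in-memory stand-in for the users SQL table.
const usersById = new Map<number, User>();
const usersByPublicId = new Map<string, User>();
let nextId = 1;

export function createUser(email: string): User {
  const user: User = { id: nextId++, publicId: randomUUID(), email };
  usersById.set(user.id, user);
  usersByPublicId.set(user.publicId, user);
  return user;
}

export function findByPublicId(publicId: string): User | undefined {
  return usersByPublicId.get(publicId);
}

// Shape of a user in an API response: the integer key is stripped out.
export function toPublicUser(user: User): { id: string; email: string } {
  return { id: user.publicId, email: user.email };
}

// Constructed stand-in for the store's save(): mirrors the constraint quoted
// in the issue by rejecting anything that is not an integer user ID.
const sessions = new Map<string, number>();
export function saveSession(sessionId: string, userId: unknown): void {
  if (typeof userId !== 'number' || !Number.isInteger(userId)) {
    throw new Error('[TypeORMStore] Impossible to save the session. The user ID must be a number.');
  }
  sessions.set(sessionId, userId);
}

export function userForSession(sessionId: string): User | undefined {
  const id = sessions.get(sessionId);
  return id === undefined ? undefined : usersById.get(id);
}

// Log a user in by public UUID; only the integer key reaches the store.
export function login(sessionId: string, publicId: string): boolean {
  const user = findByPublicId(publicId);
  if (!user) {
    return false;
  }
  saveSession(sessionId, user.id);
  return true;
}
```

With this split, nothing that serialises a `User` for an HTTP response should go through anything but `toPublicUser`, and the integer `id` never needs to appear in a URL or a token, so the store's integer requirement costs nothing in terms of ID exposure.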

LoicPoullain commented 1 year ago

> As to why we're using uuids instead of auto-incrementing integers, this blog post covers a few reasons why this could be a valid use case (https://www.clever-cloud.com/blog/engineering/2015/05/20/why-auto-increment-is-a-terrible-idea/) - if you ignore the clickbait title, as I'm not particularly ideological about it. The main thing for us is that our user ids were exposed via an API and linked to another SaaS service; uuids gave us a level of obfuscation over, say, user id '2'.

Thank you for the explanation! Didn't know about that.

> Good to know there's a workaround with the Redis store; we can explore that option. Hoping you'd be open-minded to supporting this via the regular SessionStore in the future!

It's not on the agenda right now so I'm going to close this issue for now. 👍