GetStream / stream-js

JS / Browser Client - Build Activity Feeds & Streams with GetStream.io
https://getstream.io
BSD 3-Clause "New" or "Revised" License
329 stars, 110 forks

addActivity API is creating uuid v1 #610

Closed tushar-compro closed 1 month ago

tushar-compro commented 1 month ago

We are using the addActivity API in one of our projects (private repo). The response that we are getting is as follows: { ... "id": "08a03f71-5497-11ef-a45d-0e298c33965b", ... }

The response has a property Id which is getting added from somewhere inside the addActivity API. This Id is a UUID v1, which is considered comparatively unsafe. Thus, we wanted to know:

  1. If this id is being created by addActivity code?
  2. Or is it getting added from some third party API/service that getStream is using for addActivity?
  3. Is it somehow possible to change it to UUID v4? Or any details regarding this would be helpful.

Thanks

JimmyPettersson85 commented 1 month ago

hey @tushar-compro

  1. the ID is generated on the API side, not in the addActivity JS code.
  2. no
  3. no, that's not possible since it would break existing functionality

Note that if you send in foreign_id and time as stated in the best practices[1] the API will generate the same UUID for the same foreign_id+time pair.

It's true that UUID v1 can be considered unsafe in some situations; is there anything in particular you're worried about in this specific case?

[1] https://getstream.io/activity-feeds/docs/node/what_to_store/

tushar-compro commented 1 month ago

Hi @JimmyPettersson85 ,

We are sending foreign_id and time as suggested.

It has been raised by our pen testing team as an unsafe practice, though we understand that this particular use case does not result in any vulnerability in our system.

Can you tell us which API you are talking about here? getStream's server-side API, or some other third-party API that is being used by getStream?

JimmyPettersson85 commented 1 month ago

It's our server-side API generating the UUID, not a third-party API.

tushar-compro commented 1 month ago

okay

Thanks for the info.