Open lautarodragan opened 5 years ago
Let's not rely on the database specific ObjectId here as that would lock us in to a vendor.
You're right.
Maybe https://github.com/ericelliott/cuid 140k weekly downloads and up in npm
14m for good old https://www.npmjs.com/package/uuid
Since the email address of a user can change, and there is no other attribute of the `user` object that remains immutable, we need to introduce a new, immutable `id` attribute.

In the future, once we have decentralized ids and the API functions as a proper IDP, we'll need to research further into this topic and decide whether we can use the DID as the unique and only identifier or we'd rather keep the centralized ID of each user and associate it with a DID instead.

Right now, we need a more immediate solution.

A bit of research on centralized but collision resistant identifiers needs to be done. The `ObjectId` generated by MongoDB may do the job just fine, though.

Once we have the new ID in place, we should add it to the API Tokens and update the authorization middleware's validation not to verify the token's email but the immutable ID instead.