prisma / prisma-engines

🚂 Engine components of Prisma ORM
https://www.prisma.io/docs/concepts/components/prisma-engines
Apache License 2.0

Update CUID to CUID2 to improve security #3826

Open Vashiru opened 1 year ago

Vashiru commented 1 year ago

The issue

Prisma supports using cuid() as a default for the primary key of a table. This is based on the CUID specification outlined here. This GitHub repository shows the following:

Status: Deprecated due to security. Use Cuid2, instead. Note: All monotonically increasing (auto-increment), and timestamp-based ids share the security issues with Cuid. V4 UUIDs and GUIDs are also insecure because it’s possible to predict future values of many random algorithms, and many of them are biased, leading to increased probability of collision.

According to the comment here, in order to switch to CUID2, the query-engine of prisma-engines has to be updated.

This can be done by using the cuid2 crate, which has been released a few months ago according to this comment.

Currently it can be worked around by using cuid2 in your middleware and generating them yourself, but it would be nice if Prisma would support it natively. A lot of people are hoping for support in this ticket.

What needs to be done?

I'm not a Rust developer, but looking at the codebase I believe it's a matter of updating the dependencies listed here as well as the default_generators from cuid to cuid2 here. And updating cuid::cuid().unwrap() to cuid2::create_id() in mod.rs and default_value.rs.

After which the types/documentation for Prisma has to be updated to reflect that it's no longer 'cuid' but rather 'cuid2', though I can't seem to find where exactly this has to be done. The text in question is:

Generate a globally unique identifier based on the cuid spec.

Which is referred to here: https://www.prisma.io/docs/reference/api-reference/prisma-schema-reference#cuid and in the TypeScript tooltip in VS Code.
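The post above argues for moving from cuid to cuid2 because a cuid (v1) value is built from readable fields (a base36 creation timestamp, a counter, a host fingerprint and a short random part) while a cuid2 value is a hash with no decodable structure. The script below is an added example, not part of the issue or of prisma-engines: it audits a constructed set of stored ids, flags the rows that still carry v1-shaped values together with the creation time those values expose, and counts cuid2-shaped ids, which is the inventory you would want before changing the default or backfilling ids. The field layout it assumes is the published cuid v1 format ('c' + 8-char base36 timestamp + 4-char counter + 4-char fingerprint + 8 random chars, 25 chars in total); the classification is a heuristic, since a cuid2 id generated at length 25 with a leading 'c' could in principle be misread as v1.

```javascript
// Added example (not code from the issue or from prisma-engines): classify
// stored ids as legacy cuid v1, cuid2-shaped, or unknown, to plan a migration.
//
// Assumed cuid v1 layout (from the public cuid spec):
//   'c' + timestamp(8, base36 ms) + counter(4) + fingerprint(4) + random(8)
// cuid2 ids are lowercase alphanumerics starting with a letter (default 24 chars)
// and carry no decodable fields, so only the v1 shape yields a timestamp.

const CUID_V1_LENGTH = 25;
// Plausible window for the embedded creation time, in epoch milliseconds.
const MIN_TIMESTAMP_MS = Date.UTC(2010, 0, 1);
const MAX_TIMESTAMP_MS = Date.UTC(2060, 0, 1);

function decodeV1Timestamp(id) {
  // Returns the epoch-ms timestamp encoded in chars 1..8, or null when the
  // value does not look like a cuid v1 (wrong length, prefix, alphabet, or
  // a timestamp outside the plausible window).
  if (typeof id !== 'string' || id.length !== CUID_V1_LENGTH || id[0] !== 'c') return null;
  if (!/^[0-9a-z]+$/.test(id)) return null;
  const ts = parseInt(id.slice(1, 9), 36);
  if (!Number.isFinite(ts) || ts < MIN_TIMESTAMP_MS || ts > MAX_TIMESTAMP_MS) return null;
  return ts;
}

function classifyId(id) {
  const ts = decodeV1Timestamp(id);
  if (ts !== null) return { kind: 'cuid-v1', createdAt: new Date(ts).toISOString() };
  // cuid2 shape: a letter followed by lowercase alphanumerics, 2..32 chars.
  if (typeof id === 'string' && /^[a-z][0-9a-z]{1,31}$/.test(id)) {
    return { kind: 'cuid2-shaped', createdAt: null };
  }
  return { kind: 'unknown', createdAt: null };
}

function auditRows(rows) {
  // rows: [{ table, id }]. Returns per-table counts plus the legacy ids with
  // the creation time each one exposes.
  const summary = {};
  const legacy = [];
  for (const { table, id } of rows) {
    const c = classifyId(id);
    if (!summary[table]) summary[table] = { 'cuid-v1': 0, 'cuid2-shaped': 0, unknown: 0 };
    summary[table][c.kind] += 1;
    if (c.kind === 'cuid-v1') legacy.push({ table, id, createdAt: c.createdAt });
  }
  return { summary, legacy };
}

// Constructed sample rows. The v1 id is assembled from a fixed timestamp
// (1700000000000 ms = 2023-11-14T22:13:20Z) so its decoded value is known;
// the counter, fingerprint and random fields are arbitrary filler.
const sampleV1 = 'c' + (1700000000000).toString(36) + '0001' + 'ab12' + 'x9k2m4q7';
const SAMPLE_ROWS = [
  { table: 'User', id: sampleV1 },
  { table: 'User', id: 'tz4a98xxat96iws9zmbrgj3a' }, // constructed cuid2-shaped value
  { table: 'Post', id: 'not-a-cuid!' },
];

console.log(JSON.stringify(auditRows(SAMPLE_ROWS), null, 2));
```

Run it against an export of the id columns of each model that uses @default(cuid()); any row listed under legacy still carries a v1 value whose creation time is readable by anyone holding the id, which is the property the deprecation notice quoted above refers to.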

tomhoule commented 1 year ago

Issues on this repository are not taken into account the same way as on prisma/prisma; the discussion should happen in https://github.com/prisma/prisma/issues/17102

We're planning to disable issues on this repo in the future, so all discussions happen on the main repo.

dBianchii commented 5 months ago

I don't understand. How can I preemptively generate a cuid()? Before hitting the database? Can I use https://github.com/paralleldrive/cuid2 ?

anri-asaturov commented 2 months ago

I don't understand. How can I preemptively generate a cuid()? Before hitting the database? Can I use https://github.com/paralleldrive/cuid2 ?

yes, you can use cuid2, but you will have to define IDs in your schema like this

 id     String @id

i.e., without @default(cuid())

and then you just provide the id when you create a record

import { createId } from '@paralleldrive/cuid2';

// Prisma Client exposes model accessors in lower camel case, so model User is prisma.user
await prisma.user.create({
  data: {
    id: createId(),   // cuid2 exports createId(), not cuid()
    email: 'something@something'
  }
});