Comment by beej71

2 months ago

I don't get it. If someone gets a hold of the encrypted customer ID, can't they impersonate the customer? Is it just that the customer ID is guessable?

That's true for now -- we definitely don't recommend using the encrypted customer ID as a fully secure method for auth, but implemented it more as a way for users to quick start without friction

1. This is also why we've built plugins for popular auth providers like Clerk, Better Auth and Supabase, which are called on the backend to fetch the user / org ID.

2. The encrypted customer ID is more of an experiment atm, and down the line if we continue working on it we might even build an auth system involving JWTs -- though that'd be reinventing the wheel and not something we're keen on

3. We are actually now working more on a framework-agnostic pattern where users register a middleware on their backend which will spin up routes for Autumn, and the frontend provider contains a client which simply calls these routes