Comment by phibz
1 day ago
In database design it is typically recommended to give out opaque natural keys, and to keep your monotonically increasing integer IDs secret and used internally.
That is a best practice for two real reasons:
1. You don't want third parties to know how many objects you have
2. You don't want folks to be able to iterate each object by incrementing the id
But if you have composite IDs like this, that doesn't matter. All objects that belong to a repository have the repository id inside them. Incrementing the id gives you more objects from the same repo. Incrementing the repo id gives you...a random object or nothing at all. And if your IDs include a little entropy or a timestamp, you've effectively kneecapped anyone who's trying to abuse this.
> You don't want folks to be able to iterate each object by incrementing the id
If you have a lot of public or semi-public data that you don't want people to page through, then I suppose this is true. But it's important to note that separate natural and primary keys are not a replacement for authorization. Random keys may mitigate an IDOR vulnerability but authorization is the correct solution. A sufficiently long and securely generated random token can be used as both as an ID and for authorization, like sharing a Google Doc with "anyone who has a link," but those requirements are important.
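The two points above (opaque handles that leak neither count nor neighbours, and authorization as the actual control against IDOR, with a long random token serving as a capability only where that is intended) as an added Python example. This is not code from the thread; the resource table, the handle format "<repo>-<16 hex chars>" and the function names are constructed for illustration.

```python
import secrets

# Constructed sample data: resources keyed by an internal, monotonically
# increasing integer id that never leaves the service.
RESOURCES = {
    1: {"owner": "alice", "repo": 10, "body": "alice's first doc"},
    2: {"owner": "alice", "repo": 10, "body": "alice's second doc"},
    3: {"owner": "bob", "repo": 11, "body": "bob's doc"},
}

# Public handle -> internal id. A handle is "<repo>-<16 hex chars>": the repo
# part is guessable, but the suffix carries 64 bits of entropy, so neither the
# object count nor neighbouring objects can be derived from a known handle.
PUBLIC_HANDLES = {}

# Share token -> internal id. These 256-bit tokens double as "anyone with the
# link" authorization, so they are longer than handles and minted only by the owner.
SHARE_TOKENS = {}


def mint_handle(internal_id: int) -> str:
    """Create an opaque public handle for an existing internal id."""
    repo = RESOURCES[internal_id]["repo"]
    handle = f"{repo}-{secrets.token_hex(8)}"
    PUBLIC_HANDLES[handle] = internal_id
    return handle


def fetch(handle: str, requester: str):
    """Resolve a handle and enforce ownership. Returns the body or None.

    The opaque handle makes enumeration impractical, but the owner check is
    what actually prevents an IDOR: a leaked handle alone grants nothing.
    """
    internal_id = PUBLIC_HANDLES.get(handle)
    if internal_id is None:
        return None
    resource = RESOURCES[internal_id]
    if resource["owner"] != requester:
        return None
    return resource["body"]


def create_share_link(handle: str, requester: str):
    """Owner-only: mint a 256-bit capability token for link sharing."""
    internal_id = PUBLIC_HANDLES.get(handle)
    if internal_id is None or RESOURCES[internal_id]["owner"] != requester:
        return None
    token = secrets.token_urlsafe(32)
    SHARE_TOKENS[token] = internal_id
    return token


def fetch_shared(token: str):
    """Anyone holding a valid share token may read; the token is the authorization."""
    internal_id = SHARE_TOKENS.get(token)
    if internal_id is None:
        return None
    return RESOURCES[internal_id]["body"]


if __name__ == "__main__":
    h = mint_handle(1)
    print("handle:", h)
    print("owner read:", fetch(h, "alice"))
    print("other user read:", fetch(h, "bob"))
    tok = create_share_link(h, "alice")
    print("shared read:", fetch_shared(tok))
```

The design choice worth noting is that `fetch` never trusts the handle as proof of anything, while `fetch_shared` does trust the token, which is why the token is minted by the owner with 256 bits of entropy rather than reusing the 64-bit handle suffix.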
I don't disagree. But it's embarrassing when someone is like "your users have only used this feature 150 times?"
What if you used some ID that does not allow counting objects, like a GUID?
Uuid4 is extremely random, which makes it bad for most database indexes. You can use uuid7 instead.
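Why a time-ordered UUID is friendlier to a B-tree index than a fully random one, shown with an added Python example (not from the thread). It builds an RFC 9562 UUIDv7 by hand, since the standard library only gained a `uuid7()` constructor recently, and measures how often consecutive ids are in ascending order; the `base` timestamp and sample count are constructed values.

```python
import os
import time
import uuid
from typing import Optional


def uuid7(timestamp_ms: Optional[int] = None) -> uuid.UUID:
    """Build an RFC 9562 UUIDv7 from a Unix-millisecond timestamp.

    Layout, most significant bits first:
      48 bits unix_ts_ms | 4 bits version (0111) | 12 bits rand_a |
      2 bits variant (10) | 62 bits rand_b
    """
    if timestamp_ms is None:
        timestamp_ms = time.time_ns() // 1_000_000
    rand = int.from_bytes(os.urandom(10), "big")   # 80 random bits, 74 used
    rand_a = rand >> 68                             # top 12 bits
    rand_b = rand & ((1 << 62) - 1)                 # low 62 bits
    value = (timestamp_ms & ((1 << 48) - 1)) << 80
    value |= 0x7 << 76                              # version nibble
    value |= rand_a << 64
    value |= 0b10 << 62                             # RFC 4122 variant
    value |= rand_b
    return uuid.UUID(int=value)


def timestamp_ms_of(u: uuid.UUID) -> int:
    """Recover the embedded millisecond timestamp from a UUIDv7."""
    return u.int >> 80


def ascending_fraction(ids) -> float:
    """Share of adjacent pairs that are in ascending order.

    A B-tree index keyed on these values appends at its right edge when the
    fraction is 1.0; a value near 0.5 means every insert lands on a random page.
    """
    ids = list(ids)
    if len(ids) < 2:
        return 1.0
    ups = sum(1 for a, b in zip(ids, ids[1:]) if a < b)
    return ups / (len(ids) - 1)


def compare_locality(n: int = 200) -> dict:
    """Generate n ids of each kind; v7 ids get strictly increasing timestamps."""
    base = 1_700_000_000_000   # constructed base timestamp in ms
    v7 = [uuid7(base + i) for i in range(n)]
    v4 = [uuid.uuid4() for _ in range(n)]
    return {"uuid7": ascending_fraction(v7), "uuid4": ascending_fraction(v4)}


if __name__ == "__main__":
    sample = uuid7()
    print(sample, "version", sample.version, "ts", timestamp_ms_of(sample))
    print(compare_locality())
```

Two ids minted within the same millisecond are ordered only by their random bits, so strict monotonicity needs an extra counter in `rand_a`; the timestamp prefix also means a UUIDv7 reveals roughly when a row was created, which is the trade-off the comment above alludes to.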
Uuid7 would not have helped GitHub, though, because it doesn't solve the sharding issue.
Maybe. Until your natural key changes. Which happens. A lot.
Exposing a surrogate / generated key that is effectively meaningless seems to be wise. Maybe internally Youtube has an index number for all their videos, but they expose a reasonably meaningless coded value to their consumers.