I am confused about Prisma and CUID (deprecated v1 vs v2). Does anyone understand?
I started using Prisma and checked how the T3 stack generates IDs. I see that the schema uses
cuid()
and Prisma documentation doesn't say anything about the version used. Is it v1 or v2? I've found a thread but it's not much helping (https://github.com/prisma/prisma/issues/17102).
So, is Prisma using v1 or v2? If v1, isn't anyone concerned about using a deprecated version for security reasons ?! (https://github.com/paralleldrive/cuid#status-deprecated-due-to-security-use-cuid2-instead) Also, why the T3 app is not using the middleware solution proposed in the thread in that case? This seems quite important.Solution:Jump to solution
From what I understand, the rust port of cuid that Prisma uses in production doesn’t suffer from the same security issues as the js package. Cuid2 is still better due to being even more collision resistant, but if there isn’t a significant security risk then imo it’s better to just wait until cuid2 is supported natively by Prisma.
Am I misunderstanding the situation?...
5 Replies
Someone replied to me on the thread that Prisma is still using v1. Then how come T3 stack still use it despite the security concerns? Are you all using the v1 on your projects?
Solution
From what I understand, the rust port of cuid that Prisma uses in production doesn’t suffer from the same security issues as the js package. Cuid2 is still better due to being even more collision resistant, but if there isn’t a significant security risk then imo it’s better to just wait until cuid2 is supported natively by Prisma.
Am I misunderstanding the situation?
If I understand what you say, by using Prisma
cuid()
function to generate IDs, it uses the Rust API so it's safe enough to use while waiting for an official support for v2?Yea they are different implementations (the rust cuid that Prisma uses in prod vs the js cuid that is apparently insecure)
That being said I know little about cryptography or security so I’m only basing this on things I read
Also of course we should aim to be secure where possible, but I personally believe that it’s a mistake to base your security model on people not being able to guess primary keys
Of course! Let's wait for updates on that thread. Thanks 👍