Reputation: 2211
How unpredictable is the auto generated id of couchdb?
Can I rely on the assumption that each generated id is random, and there's no way to user can guess? So that I don't need to do more double check of ownership and what not, on my application.
Upvotes: 0
Views: 100
Answers (2)
Reputation: 4733
Generally you will only get random uuids if you configure your instance to use the random algorithm. When looking at the source you can see that it then uses Erlang's crypto:rand_bytes/1. I'm not sure how predictable its results are, but you should note that there would also be crypto:strong_rand_bytes/1 - not sure why it hasn't been used.
I think the decision mostly depends on other circumstances.
- What information are you trying to secure?
- Why do you want to avoid ownership-checks as an additional security measure?
- How do you ensure that the _ids are not leaked somehow (eg through CouchDB's
/_logAPI)?
Upvotes: 1
Reputation: 5585
I wouldn't rely on that, no. A malicious user could make a lot of random guesses and could eventually hit something. Best to let identifiers identify things and security restrictions secure them.
Upvotes: 0
Related Questions
- Generate Unique UInt32 ID for Couchbase
- Approaches to generate auto-incrementing numeric ids in CouchDB
- How couchbase ensures uniqueness of id?
- Is it possible to configure couchdb to generate ids other than the UUID way?
- Which is better - auto-generated id or manual id assignment in couchdb documents?
- CouchDB - human readable id
- How to create Manual ID CouchDB
- Should we not rely on CouchDB to generate uuid?
- How long can the _id string for CouchDB documents be?
- How are CouchDB Document ID's Calculated?