TTC
Theo's Typesafe Cult11mo ago
Benjamin

I am confused about Prisma and CUID (deprecated v1 vs v2). Does anyone understand?

I started using Prisma and checked how the T3 stack generates IDs. I see that the schema uses cuid() and Prisma documentation doesn't say anything about the version used. Is it v1 or v2? I've found a thread but it's not much helping (https://github.com/prisma/prisma/issues/17102). So, is Prisma using v1 or v2? If v1, isn't anyone concerned about using a deprecated version for security reasons ?! (https://github.com/paralleldrive/cuid#status-deprecated-due-to-security-use-cuid2-instead) Also, why the T3 app is not using the middleware solution proposed in the thread in that case? This seems quite important.
Solution:
From what I understand, the rust port of cuid that Prisma uses in production doesn’t suffer from the same security issues as the js package. Cuid2 is still better due to being even more collision resistant, but if there isn’t a significant security risk then imo it’s better to just wait until cuid2 is supported natively by Prisma. Am I misunderstanding the situation?...
Jump to solution
5 Replies
Benjamin
Benjamin11mo ago
Someone replied to me on the thread that Prisma is still using v1. Then how come T3 stack still use it despite the security concerns? Are you all using the v1 on your projects?
Solution
cje
cje11mo ago
From what I understand, the rust port of cuid that Prisma uses in production doesn’t suffer from the same security issues as the js package. Cuid2 is still better due to being even more collision resistant, but if there isn’t a significant security risk then imo it’s better to just wait until cuid2 is supported natively by Prisma. Am I misunderstanding the situation?
Benjamin
Benjamin11mo ago
If I understand what you say, by using Prisma cuid() function to generate IDs, it uses the Rust API so it's safe enough to use while waiting for an official support for v2?
cje
cje11mo ago
Yea they are different implementations (the rust cuid that Prisma uses in prod vs the js cuid that is apparently insecure) That being said I know little about cryptography or security so I’m only basing this on things I read Also of course we should aim to be secure where possible, but I personally believe that it’s a mistake to base your security model on people not being able to guess primary keys
Benjamin
Benjamin11mo ago
Of course! Let's wait for updates on that thread. Thanks 👍
Want results from more Discord servers?
Add your server
More Posts
Authentication (next-auth) Persistence Issue with iOS Home Screen Web AppHello Everyone, I'm currently working on a web application built with next-auth and react and I'm tmaking sure nothing runs with SSRI've created an app with create-t3-app, it uses trpc and has two procedures that create a new entry Custom protected routes?Hey guys I'm wondering about the best way to achieve something. I added a custom property to my UseHow to prefix planetscale tables for dev dbs using drizzle?I remember Theo talking about a clever workaround for the planetscale db/project limit by making spedates are not same in server and client(dayjs)```js currentDate = new Date(); const options = { timeZone: "Asia/Kolkata" }; const indianDateATS Unchecked Indexed AccessHey guys, I have a question about ts. I have a "noUncheckedIndexedAccess": true in my tsconfig. I amQuestions about ReactLately, I've been very lost with some things, I need opinions from more experienced developers aboutSentry IntegrationI'm currently integrating Sentry reporting and I wanna ask what's the best way to add a function thaDoes anyone have experience with TipTap custom Nodes?I have the following problem... I can't get the update event and value when my custom node changes.NextJs 13 app folder - SPAI want to migrate 3yrs old React-Express app. Im considering migrating to Nextjs App folder. What is