Is it safe to expose UUIDs from auth.users to the client?
I know that supabase-js for instance works with JWTs which include the UUID of a user but that there are more factors when determining if a user is "actually that user". From my understanding, someone could do some snooping and get a user's UUID generated from auth.users, but they wouldn't be able to act as that user (send fake requests to the backend) with just that information. I have a public.users table which uses the UUID as an FK with some other fields. I want to call some basic RPCs from the client side (my website) which require the UUID of a user as a parameter. I could instead use the username as a parameter, but then it increases my RPC logic to do a corresponding UUID lookup.
I know it is probably better to not expose the UUIDs of other users to the client (again, someone could still find this info but it creates more work for them) but wanted to hear your guys' thoughts. Thanks!
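The distinction the question draws between knowing a UUID and being able to act as that user, as an added example that is not part of the original post and is not Supabase's own code. It assumes an HS256-signed JWT carrying the user's UUID in the `sub` claim; the secret, the UUIDs and the `update_profile_rpc` handler are constructed for illustration, and expiry checks are left out.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"             # constructed; held only by the server
ALICE = "11111111-1111-4111-8111-111111111111"  # constructed UUIDs
BOB = "22222222-2222-4222-8222-222222222222"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, secret: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verified_sub(token: str, secret: bytes):
    """Return the sub claim only if the signature verifies, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None
        return json.loads(b64url_decode(payload)).get("sub")
    except (ValueError, TypeError):
        return None

def update_profile_rpc(token: str, user_id: str) -> str:
    """Hypothetical RPC: user_id is client-supplied, identity comes from the token."""
    caller = verified_sub(token, SECRET)
    if caller is None:
        return "401 invalid token"
    if caller != user_id:
        return "403 not your row"
    return "200 ok"

alice_token = sign_jwt({"sub": ALICE, "role": "authenticated"}, SECRET)
# A token naming Bob's UUID but signed without SECRET does not verify.
unsigned_bob = sign_jwt({"sub": BOB, "role": "authenticated"}, b"guess")
```

The UUID parameter only selects a row; whether the call is allowed depends on the `sub` of a token whose signature the server has verified.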