hunterInt · 3 years ago · 98
Node.js Question

using mongoose's ObjectId for authorization

Would it be good practice to use the ObjectId generated by mongoose as a way of checking if data belongs to a certain user?

Example pseudocode:

Example in db:

[ObjectId]: {
    myStuff: 'foo'
}


Example checking authorization:

if (jwt.bar.ObjectId === ObjectId) {
    // then you can mod this data because it is yours
}


If not, what is a recommended way of approaching this?

Answer

You cannot use the ObjectID as a session identifier, because it is never renewed once the document is created, and it is predictable.

From MongoDB Documentation:

The 12-byte ObjectId value consists of:

a 4-byte value representing the seconds since the Unix epoch,

a 3-byte machine identifier,

a 2-byte process id,

and a 3-byte counter, starting with a random value.

From a security perspective, it would be a bad practice.

Use proper sessions IDs to identify requests coming from users.
