Is it ok to use database ids in the fron't end?

Hassanbhb · December 4, 2019, 3:16pm

Hello,
I am currently doing a project and I want to do it the best way I can, and now I have this question.
is it the standard way to use the documents id that Mongodb gives it in the front end so that i can use that id later to identify it when i want to delete it? or should is there another method?

(I am assuming that since the client has access to the id from the console then it’s not secure enough)
here is an example
post.pug

.posts
      //- reverse posts to display newest at the top
      each post in posts.reverse()
        .card
          .postOwner
            div
              h3= `${post.author.name} ${post.author.lastName}`
              p= post.createdAt
            if(JSON.stringify(user._id) == JSON.stringify(post.author._id))
              div.dropdown-menu 
                .dropdown-content
                  a(href="#" class='deleteBtn' data-post-Id= post._id) Delete
                  a(href="#/" class='editModelBtn' data-postId= post._id data-postBody= post.body) Edit
          .postText
            p= post.body
          .comments
            //- reverse comment array to display newest at the top
            each comment in post.comments.reverse()
              .comment
                .commentOwner
                  div
                    h5=`${comment.author.name} ${comment.author.lastName}`
                    p=comment.createdAt
                  if(JSON.stringify(user._id) == JSON.stringify(comment.author._id))
                    div.dropdown-menu 
                      .dropdown-content
                        a(href="#" class='deleteBtn' data-Id= `${post._id} ${comment._id}`) Delete
                .commentText
                  p=comment.text

post.js

const deleteBtns = document.querySelectorAll(".deleteBtn");
deleteBtns.forEach(btn => {
  btn.addEventListener("click", e => {
    e.preventDefault();
    let Id;
    let url;
    let method;
    if (e.target.getAttribute("data-post-Id")) {
      url = window.location.href + "/delete/post";
      Id = e.target.getAttribute("data-post-Id");
      method = "DELETE";
    } else {
      url = window.location.href + "/delete/comment";
      Id = e.target.getAttribute("data-Id");
      method = "PUT";
    }

    const xhttp = new XMLHttpRequest();
    xhttp.open(method, url, true);
    xhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");

    xhttp.onreadystatechange = function() {
      if (xhttp.readyState == 4 && xhttp.status === 200) {
        location.href = "/dashboard";
      }
    };

    xhttp.send(`postId=${Id}`);
  });
});

as you can see i have the posts id that the server sends to the front end in the data-post-Id so that when the user deletes or edits i can send that id from the front end to the server so it can identify it.

is this secure? is it how it should be done? if no, then how should i do it.

sorry if my English is bad.
thank you very much.

snigo · December 4, 2019, 4:23pm

Generally, IDs of any public information can be public without any limitation - it’s perfectly fine to use them. As far as I know there are only couple cases when you need to hide IDs:

If you have numeric or any kind of sequential IDs it’s becoming very easy to scrape information from your website/app - not a case with MongoDB.
If it’s a user ID that is used for password match lookup and validation - not happening in most of real-world situations, as lookup is done based on email only
If it’s critical to hide the date the record in DB was made

MongoDB ID is basically hashed date + random bytes - nothing really important

Hassanbhb · December 4, 2019, 8:02pm

Thank you so much, I recently got into securing my apps, and trying to learn how to do stuff safely.
which is something all educational channels ignore or don’t talk about.

ilenia · January 16, 2021, 11:31am