De meilleurs identifiants grâce au composant Symfony UID

Slide 1

Slide 1 text

De meilleurs identiﬁants grâce au composant Symfony UID

Slide 2

Slide 2 text

Hello :-) Thomas Calvet - fancyweb

Slide 3

Slide 3 text

A “name” that identiﬁes “something”

Slide 4

Slide 4 text

A value that uniquely identiﬁes a resource

Slide 5

Slide 5 text

The resource unicity depends of the perimeter

Slide 6

Slide 6 text

An elementary and essential knowledge for developers

Slide 7

Slide 7 text

Identiﬁers everywhere

Slide 8

Slide 8 text

What makes a good identiﬁer?

Slide 9

Slide 9 text

Is one identiﬁer format always enough?

Slide 10

Slide 10 text

Functional identiﬁers vs technical identiﬁers

Slide 11

Slide 11 text

Integer identiﬁers

Slide 12

Slide 12 text

Easy to use, to understand, to generate (auto increment) and performant 👍

Slide 13

Slide 13 text

Lexicographically sortable 👍

Slide 14

Slide 14 text

No content

Slide 15

Slide 15 text

Generable only by a central point (database) ⚠

Slide 16

Slide 16 text

Guessable (IDOR) /user/22 ⚠

Slide 17

Slide 17 text

Information leak ⚠

Slide 18

Slide 18 text

Provides no additional context 🤔

Slide 19

Slide 19 text

Random string identiﬁers

Slide 20

Slide 20 text

Generable oﬄine, not guessable, can be preﬁxed 👍

Slide 21

Slide 21 text

Probably a little harder to use, to understand, to generate and a little less performant 🤔

Slide 22

Slide 22 text

Data fragmentation / not lexicographically sortable ⚠

Slide 23

Slide 23 text

UUIDs (Universally Unique IDentiﬁers)

Slide 24

Slide 24 text

3 UUIDs (canonical format)

Slide 25

Slide 25 text

RFC 4122

Slide 26

Slide 26 text

A very very very big integer (128 bits)

Slide 27

Slide 27 text

Theoretically unique because of the number of combinations

Slide 28

Slide 28 text

Identify a UUID version

Slide 29

Slide 29 text

Time based UUIDs (version 1 and 6)

Slide 30

Slide 30 text

Not lexicographically sortable UUID v1

Slide 31

Slide 31 text

MAC address leak UUID v1

Slide 32

Slide 32 text

Lexicographically sortable UUID v6

Slide 33

Slide 33 text

Random node UUID v6

Slide 34

Slide 34 text

Time based UUIDs make good primary keys

Slide 35

Slide 35 text

Timestamp leak ⚠

Slide 36

Slide 36 text

Name based UUIDs (version 3 and 5)

Slide 37

Slide 37 text

Hash of a namespace and a name

Slide 38

Slide 38 text

Reproductible

Slide 39

Slide 39 text

Version 3 = md5 Version 5 = sha1 Prefer version 5

Slide 40

Slide 40 text

Random based UUID (version 4)

Slide 41

Slide 41 text

Only randomness

Slide 42

Slide 42 text

Version 4 UUIDs are good for random values (eg: tokens)

Slide 43

Slide 43 text

Version 2? ⚠

Slide 44

Slide 44 text

ULIDs (Universally unique Lexicographically sortable IDentiﬁers)

Slide 45

Slide 45 text

A ULID (canonical format)

Slide 46

Slide 46 text

Timestamp (48 bits) Randomness (80 bits) Close to a UUID v6

Slide 47

Slide 47 text

Lexicographically sortable

Slide 48

Slide 48 text

github.com/ulid/spec

Slide 49

Slide 49 text

“Compatible” with UUID

Slide 50

Slide 50 text

UUIDs and ULIDs are generable oﬄine 👍

Slide 51

Slide 51 text

Storing UUIDs and ULIDs ⚠

Slide 52

Slide 52 text

UUIDs and ULIDs sum up 🤔

Slide 53

Slide 53 text

UUIDs vs ULIDs 🤔

Slide 54

Slide 54 text

Integers vs strings vs U[U|L]IDs 🤔

Slide 55

Slide 55 text

Using UUIDs and ULIDs in PHP

Slide 56

Slide 56 text

composer require symfony/uid

Slide 57

Slide 57 text

No content

Slide 58

Slide 58 text

Integrated with other Symfony components

Slide 59

Slide 59 text

Not experimental anymore

Slide 60

Slide 60 text

Factories

Slide 61

Slide 61 text

Commands

Slide 62

Slide 62 text

Generate a UUID / ULID

Slide 63

Slide 63 text

Inspect a UUID / ULID

Slide 64

Slide 64 text

api.video study case

Slide 65

Slide 65 text

2 letters preﬁx 128 bits of randomness to base 62 A current identiﬁer

Slide 66

Slide 66 text

The same identiﬁers everywhere

Slide 67

Slide 67 text

User eXperience and database issues

Slide 68

Slide 68 text

A clear preﬁx A ULID converted to base 58 New functional identiﬁer

Slide 69

Slide 69 text

ULIDs converted to UUID canonical format New technical identiﬁer

Slide 70

Slide 70 text

In the code

Slide 71

Slide 71 text

Transforming new identiﬁers (video_XXX) to VideoIdentiﬁer

Slide 72

Slide 72 text

No content

Slide 73

Slide 73 text

No content

Slide 74

Slide 74 text

No content

Slide 75

Slide 75 text

Sum up

Slide 76

Slide 76 text

Issues solved vs increased complexity

Slide 77

Slide 77 text

Backward compatibility

Slide 78

Slide 78 text

Many possible solutions

Slide 79

Slide 79 text

Generating new identiﬁers for all existing resources

Slide 80

Slide 80 text

No content

Slide 81

Slide 81 text

Transforming legacy identiﬁers (viXXX) to VideoIdentiﬁer

Slide 82

Slide 82 text

No content

Slide 83

Slide 83 text

No content

Slide 84

Slide 84 text

And so many more interesting challenges ;-)

Slide 85

Slide 85 text

Thank you