Is it considered bad practice to use MongoDB ObjectId in the URL?


I'm developing a recipe sharing web app using the MERN stack, and I was planning to use this kind of URL for showing the recipes' info

../recipe/:recipeName/:id

I wanted to know if it is a bad practice to use the MongoDB auto-generated id in the URL or if I should generate a separate public id. The project is for my portfolio and I prefer to avoid all kinds of bad practices so as not to scare away recruiters.

Thanks in advance!


There are 3 best solutions below

0
jQueeny On BEST ANSWER

What you are describing in your example is called RESTful service URLs and is perfectly fine for designing an API or a Web App.

Be careful with your URL Depth as best practice is to limit it to resource/identifier/resource and any deeper than that suggests a review of your design.

Using the ObjectId auto-generated by MongoDB is an excellent identifier candidate for uniquely identifying your resources in the database so you can use them in the URL. Just do not expose any sensitive information in the URL and make sure you have authentication and authorisation to protect your routes, especially ones that mutate the data.

0
Michal Forman On

Using objectId in url can have 2 problems:

  1. It is not good practice to make objectId public. I personally don't believe it's a security risk, but it might look unprofessional.
  2. There is also the practical part that objectId is usually quite long and does not make sense to a person, so it does not look really pretty, like if you used for example a name of the product.

Honestly I believe it does not really matter, unless you wanna share the link somewhere, where the format ../recipe/:recipeName/:objectName would be probably better.

0
Buzz Moschetti On

I will vote no, it is (probably) not a good idea.

Now, true, a MongoDB ObjectId is a perfectly fine piece of data, 12 bytes and with a very broad domain. But I see 2 minuses:

  1. A timestamp is embedded in ObjectId so in theory you can leak information about the identifier:

         > q = new ObjectId("656cb6485731880768c46e34");
         ObjectId("656cb6485731880768c46e34")
         > q.getTimestamp();
         ISODate("2023-12-03T17:09:28.000Z")

  2. (This one is a little more philosophical). APIs and keys presented to a consumer should only expose business or local context data, not DB internal data types. Yes, ObjectId used in _id is more permanent than ROWID and ctid in Oracle and Postgres. And it is a real separate datatype just like UUID, for example. But it is still "environmentally" tied to MongoDB.

If you do wish to use it in a URL, be very careful to stay in control of the creation of it and how it is processed coming inbound on a URL. Remember, things like UUID (and regular strings and numbers) are not autogenerated in the MongoDB drivers but _id has the special capability of being autogenerated.

Also, related, consider the effects of dumping and reloading data. If you are not in complete control of _id (assuming that is the ObjectId you are using) then you could end up with new ObjectId that do not match URLs generated in the past.
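
The timestamp point and the inbound-handling advice in the last answer, shown as an added example that is not part of the original answers: it decodes the fields an ObjectId in a URL reveals, validates an inbound id strictly before it reaches a query, and generates an opaque public id as the alternative. All function names are hypothetical, and the `publicId` field mentioned in the comments is an assumption about your schema.

```javascript
// Added example (not from the original answers); helper names are hypothetical.
const crypto = require("crypto");

const OBJECT_ID_RE = /^[0-9a-f]{24}$/i;

// Strict inbound check for a route such as /recipe/:recipeName/:id.
// Reject anything that is not exactly a 24-character hex string before
// it is converted to an ObjectId or placed in a query.
function isObjectIdString(value) {
  return typeof value === "string" && OBJECT_ID_RE.test(value);
}

// ObjectId layout: 4-byte big-endian Unix timestamp (seconds),
// 5-byte per-process random value, 3-byte incrementing counter.
// Anyone who sees the URL can recover all three fields.
function describeObjectId(hex) {
  if (!isObjectIdString(hex)) {
    throw new TypeError("expected a 24-character hex ObjectId string");
  }
  const seconds = parseInt(hex.slice(0, 8), 16);
  return {
    createdAt: new Date(seconds * 1000).toISOString(),
    processRandom: hex.slice(8, 18).toLowerCase(),
    counter: parseInt(hex.slice(18), 16),
  };
}

// Opaque alternative: 16 bytes from the CSPRNG, URL-safe, no embedded
// timestamp or counter. Assumption: stored in a separate, uniquely
// indexed field (called publicId here) and kept across dump/reload.
function newPublicId() {
  return crypto.randomBytes(16).toString("base64url");
}

// Matching inbound check for the opaque id (16 bytes -> 22 base64url chars).
function isPublicId(value) {
  return typeof value === "string" && /^[A-Za-z0-9_-]{22}$/.test(value);
}

// The ObjectId quoted in the answer above.
const sample = describeObjectId("656cb6485731880768c46e34");
console.log(sample);
console.log(newPublicId());
```

Because the public id lives in its own field, it survives a dump and reload even when `_id` values are regenerated, which addresses the last point of the answer.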