How to get retool user id?

Anyone else logged in could not spoof the id in the query I am running to get the customer record using current_user.id

They could, before I asked this question: Is the current_user global secure? and Retool fixed it. They could now, if you forget to turn on the "Beta" anti-spoofing option or another admin accidentally turns it off. And they could in the future, if Retool itself has a bug.

In all of those scenarios, using sid instead of id would probably stop the attack from taking place. Are these scenarios likely? No, but that's the case with nearly all security-related incidents. "We never thought this was even possible...."

In any use case where an id is being used as even a tiny part of the "security" aspects of the use case, I don't think anyone would purposefully choose an integer over a uuid :slight_smile:

I'll also add that I'm personally thinking of malicious API calls originating outside of Retool. Should these ever be able to succeed? No. IP whitelisting and login creds should stop them in their tracks. But if in the event we totally screw allll of that up, the very last line of defense requiring a hacker guess sid makes me sleep a lot better than an integer!

1 Like