Comments (1)
Hi, thanks for taking the time to ask the question...
The main point with Guids is that there's the rendering with dashes (.ToString()/string) vs the un-dashed representation with .ToString("N")
Within JSON, when rendering/parsing with Newtonsoft or STJ, there's going to be a default rendering (with an option to globally override that).
The comment is drawing attention to the fact that the issue of having a canonical rendering is not relevant as there's no such reflection-driven usage.
You're correct to also consider the XSS aspect (and when you embed a value within a stream name, you need to be sure that it'll be acceptable in any store you maintain it in - i.e. embedded quotes may or may not trigger issues etc)
(The contact preferences aggregate uses an email address in the stream name, which is a pretty bad idea and could do with being fixed (you need to canonicalize things etc) as it's misleading to anyone that'd not got all these concerns internalized to the degree you clearly do)
Most of these Id types were developed (and used in prod) to varying degrees before the arrival of FSharp.UMX.
In general, I tend to use it for UMX strings as a default; IME it's a pragmatic choice in that:
- there's good compile-time type safety, which is generally when it matters for ID types
- if you use it within a model that either gets persisted as an event, or gets serialized directly out as a view model by STJ or Newtonsoft, there's no question of the canonical rendering (which can be problematic with Guids)
- you can't mess up the serialization like you can with an SCDU or any other representation
- while a string is no perf panacea, it can often outperform a Guid as e.g. a dictionary key
- there's relatively few allocations compared to e.g. SCDUs
Of course, there are negatives too:
- you can't Make Illegal States Unrepresentable like you can with SCDUs
- STJ in particular doesn't have good ways of managing validation (and UMX'd strings can't be told apart at reflection level anyway)
- strings are about as prone to XSS as it gets
So, this brings us to two sets of questions:
- your particular need, and its specifics esp wrt XSS. In general I'd start from the position that you should be modelling how you're going to validate and canonicalize such things as a concern separated from an actual event-sourced model - at the point where you're using Equinox or something equivalent to read a stream with a name derived from a specific id, you should be in a position where you're not second-guessing XSS concerns anymore
- the samples, and whether they represent best practice - probably not; in general they're trying to cover a variety of real things that have been done, but e.g. the email in the stream name is clearly wrong (would consider taking a PR if you're interested).
I think there's definitely changes to the samples and/or extensions to the comments that would help a future you get more answers than questions compared to what there's there atm.
The specific question of stream names and canonicalization is covered in more detail in FsCodec's readme - if you have any ideas how to express canonicalization and XSS concerns more completely I'd definitely like to hear them over there...
Hope this helps a little; feel free to refute or ask follow-ons ;)
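Added example, not part of the comment above and not Equinox or FsCodec code: one way to keep validation and canonicalization separate from the event-sourced model, so that only an already-canonical id can reach a stream name. All names, the `category-id` layout, the `[a-z0-9]` allowlist and the choice to embed a digest of the email rather than the address are assumptions made for illustration.

```fsharp
open System
open System.Security.Cryptography
open System.Text
open System.Text.RegularExpressions

// Hypothetical names throughout. Allowlist for an id: lower-case alphanumerics,
// bounded length, so quotes, markup and separators never reach a stream name.
let idPattern = Regex(@"\A[a-z0-9]{1,64}\z", RegexOptions.CultureInvariant)

/// Private constructor: the only way to obtain a value is via the parsers below.
type CanonicalId = private CanonicalId of string

module CanonicalId =
    let value (CanonicalId s) = s
    /// Accepts any Guid rendering (dashed, braced, "N") and emits exactly one.
    let ofGuid (raw: string) =
        match Guid.TryParse raw with
        | true, g -> Ok (CanonicalId (g.ToString "N"))
        | false, _ -> Error "not a Guid"

    /// Free-form ids: canonicalize first, then validate against the allowlist.
    let ofString (raw: string) =
        let s = if isNull raw then "" else raw.Trim().ToLowerInvariant()
        if idPattern.IsMatch s then Ok (CanonicalId s) else Error "id rejected by allowlist"

    /// Email: canonicalize, then embed a SHA-256 digest rather than the address.
    /// Assumption: addresses are compared case-insensitively in this system.
    let ofEmail (raw: string) =
        let s = if isNull raw then "" else raw.Trim().ToLowerInvariant()
        if s.Length > 254 || s.IndexOf('@') < 1 || s.EndsWith("@") then Error "not an email address"
        else
            let digest = SHA256.HashData(Encoding.UTF8.GetBytes s)
            Ok (CanonicalId (Convert.ToHexString(digest).ToLowerInvariant()))

/// Assumed layout: category and id joined by the first '-'.
let streamName (category: string) (id: CanonicalId) =
    if category.Contains("-") then invalidArg (nameof category) "category must not contain '-'"
    $"{category}-{CanonicalId.value id}"

// Constructed sample inputs; the category name is also constructed.
for label, parsed in
    [ "dashed guid", CanonicalId.ofGuid "3F2504E0-4F89-11D3-9A0C-0305E82C3301"
      "undashed guid", CanonicalId.ofGuid "3f2504e04f8911d39a0c0305e82c3301"
      "markup in id", CanonicalId.ofString "abc\"><script>"
      "email, mixed case", CanonicalId.ofEmail " Alice@Example.com "
      "email, canonical", CanonicalId.ofEmail "alice@example.com" ] do
    match parsed with
    | Ok id -> printfn "%-18s -> %s" label (streamName "ContactPreferences" id)
    | Error e -> printfn "%-18s -> rejected: %s" label e
```

The two Guid inputs produce the same stream name, as do the two email inputs, and the id containing markup is rejected before any stream name is built.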