This repository has been archived by the owner. It is now read-only.

cuid

crystal crystal-lang cuid

Collision-resistant ids optimized for horizontal scaling and performance, in Crystal

cuid (Deprecated)

Implementation of https://github.com/ericelliott/cuid in Crystal.

The CUID is a Crystal library that provides collision-resistant IDs optimized for horizontal scaling and sequential lookup performance.

Status: Deprecated due to security.

See original implementation Cuid2, not yet ported to Crystal.

Note: All monotonically increasing (auto-increment, k-sortable), and timestamp-based ids share the security issues with Cuid. V4 UUIDs and GUIDs are also insecure because it's possible to predict future values of many random algorithms, and many of them are biased, leading to increased probability of collision. Likewise, UUID V6-V8 are also insecure because they leak information which could be used to exploit systems or violate user privacy. Here are some example exploits:

Unauthorized password reset via guessable ID

Unauthorized access to private GitLab issues via guessable ids

Unauthorized password reset via guid

Please refer to the main project site for the full story.

Installation

Add the dependency to your shard.yml:

dependencies:
  cuid:
    github: rodrigopinto/cuid

Run shards install

Usage

Basic

require "cuid"

cuid = CUID.random

cuid.to_s # => ck8vrqmp20000df63z8lsaahr

JSON Mapping

require "cuid"
require "cuid/json"

class Example
  JSON.mapping id: CUID
end

example = Example.from_json(%({"id": "ck8vrqmp20000df63z8lsaahr"}))

cuid = CUID.random
cuid.to_json # => "\"ck8vrqmp20000df63z8lsaahr\""

Explanation

c - k8vrqmp2 - 0000 - df63 - z8lsaahr

The groups, in order, are:

'c' - identifies this as a cuid, and allows you to use it in html entity ids.
Timestamp in milliseconds since the epoch coverted in base 36.
Counter - A single process might generate the same random string. The weaker the pseudo-random source, the higher the probability. That problem gets worse as processors get faster. The counter will roll over if the value gets too big.
Fingerprint - The first two characters are based on the process id(Process.pid) and the next two characters are based on the hostname(System.hostname). Same method used in the original Node implementation.
Random - It uses a cryptographically secure pseudorandom number Random::Secure#rand function.

Development

Contributions are welcome. Make sure to check the existing issues (including the closed ones) before requesting a feature, reporting a bug or opening a pull requests.

Getting started

Install dependencies:

shards install

Run tests:

crystal spec

Format the code:

crystal tool format

Contributing

Fork it (https://github.com/rodrigopinto/cuid/fork)
Create your feature branch (git checkout -b my-new-feature)
Commit your changes (git commit -am 'Add some feature')
Push to the branch (git push origin my-new-feature)
Create a new Pull Request

Maintainer

Rodrigo Pinto - creator and maintainer

Repository

cuid

Owner

rodrigopinto

Statistic

7
1
1
1
1
10 days ago
March 23, 2020

License

MIT License

Links

Synced at

Tue, 03 Feb 2026 17:20:17 GMT

Languages

Crystal 100.0%