Using custom userId vs Mongo Object_Id

(just started coding a year ago and am still in awe of how cool people on StackOverflow are :))

Anyhow, on my previous job we used custom UUID's for userId's in the backend instead of the automatically generated mongo Object ID's.

Back then I though it had to do with possible security issues when exposing these via URL routes. Yet I can't really figure out how that is any less secure then exposing the custom ID's. Hackers can assume my db?

Could anyone shed some light on best practices in this regard?

Thanks!

Solution

ObjectIds are not in any way less secure than, say, UUID.

They do carry a timestamp part, so if you expose the object id, clients can know the time of generation of this id. But:

This assumes that you use the default generation scheme. Some implementations generate completely random object ids (and so the timestamp value is fake)
I can't think of a way how malicious client can use this for anything.

Discord.js MongooseError: Callback must be a function, got [object Object]
MongoDB Authentication Issues with Node.js and Mongo-Express in Docker Compose setup
MongoDB Authentication failes for any user
$unset operator turns a simple object into array
MongoDB query for points with cutout
sorting in mongodb aggregation according to timestamp
multer-gridfs error " TypeError: Cannot read properties of undefined (reading '_id') "
MongoNetworkError: failed to connect to server [localhost:27017] on first connect [MongoNetworkError: connect ECONNREFUSED 127.0.0.1:27017]
Can't connect to MongoClient using Node
Postman show up infinite "Sending request..." on my nodeJS MongoDB application
Cannot resolve reference to bean 'mongoTemplate' while setting bean property 'mongoOperations'
Mongo as replica set in Testcontainers in .NET
java.lang.IllegalStateException: should be impossible for sortable string fields to be present in embedded documents
Updating an array within an array gives Location40324 error in mongodb
EJS Rendering Error: "allChats is not defined" Despite Data in MongoDB
how to set the data type of mongoexport
Is there a way to create or update a MongoDB index?
Group By Condition in MongoDB
MongoDB aggregate merge condition
GraphQL query with variables results in 400 error
Pymongo: automatic IP
Cannot read properties of null (reading 'collection'), this error is coming when submitting form. Unable to store data in database
Mongoose Activity model with dynamic reference
Mongoose Unique index not working!
How to search field's in a MongoDB Schema which has Reference to another Schema?
How to Unwind / populate an Array in Mongoose Aggregate Pipeline
Error: Accessing non-existent property. Module exports in circular dependency
MongoDB Full and Partial Text Search
How to import Wikipedia XML dump into MongoDB?
MongoDB - change simple field into an object