If I want to generate a shareable link for a document, I could simply use the document id: `website.com/shared/:id`.

```swift
import RealmSwift

class Item: Object, ObjectKeyIdentifiable {
    @Persisted(primaryKey: true) var _id: ObjectId
    @Persisted var userId: String
    @Persisted var name: String
}
```

However, I won't be able to generate a new link if a malicious user found the document id. So, I am thinking of having a separate share id: `website.com/shared/:shareId`.

```swift
class Item: Object, ObjectKeyIdentifiable {
    @Persisted(primaryKey: true) var _id: ObjectId
    @Persisted var userId: String
    @Persisted var name: String

    @Persisted var shareId: ObjectId // or UUID or string
}
```

Is it okay to simply use ObjectId or UUID?

I tried generating a link on Google Docs, and they don't seem to use a separate id. When I am editing, the link is https://docs.google.com/document/d/1HDPFRcAxzeOCVyil9OEunOcFO_vknq_kBDYGFysb35A/edit, and the shared link is https://docs.google.com/document/d/1HDPFRcAxzeOCVyil9OEunOcFO_vknq_kBDYGFysb35A/edit?usp=sharing.

Are there any best practices for sharing? I am not able to find much information on the topic.

BPDev
  • Are you not validating or checking the permission of the user with the document id? – Santhosh Jul 14 '23 at 09:15
  • @santhosh Yes, there is a rule like `"ownerId": "%%user.id"` in MongoDB Atlas. I am not sure how to add a condition to allow others to edit the document if it is shared. – BPDev Jul 14 '23 at 13:26
  • The question is a bit unclear and what's the correlation to Realm? It appears you're asking about storing a *URL* in a Realm Objects property. Realm does not have a URL property so it would simply be stored as a String, and that's all it is to Realm: a String. Your code can then do whatever you need with it. Beyond that, - *sharing a document* - isn't a Realm process as Realm itself doesn't have documents per se and Realm objects are not shared and also do not have links. We may be able to help but the question needs a lot more clarity. – Jay Jul 14 '23 at 18:06
  • For supported types in Realm see [Supported Types](https://www.mongodb.com/docs/realm/sdk/swift/model-data/supported-types/#supported-property-types) and also see [Map Unsupported Types to Supported Types](https://www.mongodb.com/docs/realm/sdk/swift/model-data/supported-types/#map-unsupported-types-to-supported-types) – Jay Jul 14 '23 at 18:07
  • @Jay I am using Realm Swift with Atlas Sync. I am asking how to approach sharing Realm objects/MongoDB documents, as I wasn't able to find anything online. Can I just use the id of the document or should I be careful in generating a hard-to-guess link? (Then, I have to worry about having conditional Atlas permissions and syncing shared documents) – BPDev Jul 14 '23 at 22:58
  • Additional clarity is needed. You're using *Realm Swift with Atlas sync* - meaning you are *not* using the RealmSwift SDK with [FlexSync](https://www.mongodb.com/docs/realm/sdk/swift/sync/add-sync-to-app/) and you *are* using AppServices to interact with Atlas (which is a different API and talks to the server using more complex and lower level calls) – Jay Jul 15 '23 at 13:50
  • Using AppServices, Documents can be accessed by any user (e.g. 'shared') who has permission to access that document. For example, any user who runs this code [Find One Document](https://www.mongodb.com/docs/realm/sdk/swift/app-services/mongodb-remote-access/#find-a-single-document) is 'sharing' that document. So perhaps the goal is to provide a specific document id (primary key) to a group of users? So the question "Is it okay to simply use ObjectId or UUID".... the answer is.. sure? Why not? – Jay Jul 15 '23 at 14:04

1 Answer

MongoDB ids are guessable. You could have a separate share id field that is harder to guess using UUID, or use a cryptographically secure random number generator that isn't guaranteed to be unique: `website.com/:documentId/:secureToken`. (On the server, validate that the token in the request is the same as the one in the database.)

It's probably better to have an array of collaborators and generate invitation links that can expire or have a maximum capacity.

BPDev
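The `/:documentId/:secureToken` check from the answer above, combined with its expiring, capacity-limited invitation links, as an added example in Node.js (not code from the original post). The in-memory `shareLinks` map and the function names are assumptions standing in for a real collection; storing only a SHA-256 hash of the token and replacing the link on re-creation are choices of this example.

```javascript
const { randomBytes, createHash, timingSafeEqual } = require("node:crypto");

// Hypothetical in-memory stand-in for a share-link collection, keyed by document id.
const shareLinks = new Map();

const sha256 = (s) => createHash("sha256").update(s).digest();

// Create the share link for a document, replacing any earlier one so that a
// leaked link stops working. Only the token's hash is stored server-side.
function createShareLink(documentId, { ttlMs = 86400000, maxUses = 5, now = Date.now() } = {}) {
  const token = randomBytes(32).toString("base64url"); // 256 bits from the OS CSPRNG
  shareLinks.set(documentId, {
    tokenHash: sha256(token),
    expiresAt: now + ttlMs,
    maxUses,
    uses: 0,
  });
  return `/${documentId}/${token}`;
}

// Validate a request path of the form /:documentId/:secureToken.
function redeemShareLink(path, now = Date.now()) {
  const [, documentId, token] = path.split("/");
  const link = shareLinks.get(documentId);
  // Same answer for "no such document" and "wrong token", so the endpoint
  // does not confirm which document ids exist.
  if (!link || !token) return { ok: false, reason: "not_found" };
  // Compare fixed-length digests in constant time.
  if (!timingSafeEqual(sha256(token), link.tokenHash)) {
    return { ok: false, reason: "not_found" };
  }
  if (now >= link.expiresAt) return { ok: false, reason: "expired" };
  if (link.uses >= link.maxUses) return { ok: false, reason: "full" };
  link.uses += 1; // a real store would need an atomic increment here
  return { ok: true, documentId };
}

// Revoke sharing entirely without touching the document's own id.
function revokeShareLink(documentId) {
  return shareLinks.delete(documentId);
}
```

Because the token lives beside the document id rather than replacing it, a link can be reissued or revoked while the document keeps the same `_id`.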