user_id can only be an Integer

[tordne]

Hi,

So my second issue I've come across with the user_id's is the fact that you expect us to use an Integer.

Initially I started off using normal Integers as Id's, but it creates a very obvious security risk, that in every project user_id 1 will probably be the admin/root user.

I've been reading through several projects, and the most secure ones use UUID as id's for their tables.
easily done by
from sqlalchemy.dialects.postgresql import UUID
import uuid

and in the users table
id = db.Column(UUID(as_uuid=True), primary_key=True, default=uuid.uuid4)

I also have not really looked into the code of flask-authorize, but it would be a nice idea, to adopt a more secure approach and give a choice in between Integer or uuid4, which will solve a major security issue of easily guessing user ID's

[bprinty]

Thanks for the suggestion! You make a good point - I agree that the type of the User.id field should be flexible enough to accommodate UUIDs. It would make this package more useful in large applications that require split databases or multitenancy.

I'll add this to the feature roadmap for the project and comment back on this issue when it has been added to a production release of this package. Thanks!