How to use (and not use) customData

Stormpath customData is a powerful way to store almost any data related to a user. It vastly expands integration with third-party services and removes the need for user tables. (Read the docs.) Here are some important considerations when storing custom user data in Stormpath.

Let’s start with the Don’ts, as they are the most important:

DON’T STORE…

…Sensitive user data you have not encrypted.

customData is stored unencrypted in the data store so that search functionality can be supported at a later date. Any sensitive customData should be encrypted before you store it, using a strong encryption cipher such as AES-256-CBC with a secure random Initialization Vector.

Always encrypt data your customers would consider sensitive, such as credit cards and social security numbers.

…Large quantities of binary data.

Each customData resource is restricted to 10MB in size. Large customData payloads will also be less efficient; if you need help with data model design, let us know. We are happy to help.

…Data that isn’t valid JSON.

Getting data into Stormpath requires that it be formatted as JSON, so all customData needs to be valid name-value pairs. The values can themselves be complex JSON objects. Binary data must be base64-encoded, as JSON cannot represent binary directly.

DO STORE…

…Anything you would store in a user table.

Stormpath customData can store any JSON name-value pair, so what you store there is limited only by your imagination and the 10MB limit.

…IDs for 3rd party services.

Stripe. Google Authenticator. SendGrid. Part of the reason we are launching customData as a generic data map is to remove all restrictions on what services you can integrate with Stormpath.

…Shared secrets.

Want users to set their own security questions for an added level of security? You can do that with custom data. Just be sure to encrypt it first!
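The encryption, base64 and size points above put together, as an added example (not Stormpath code and not part of the original article): a Node.js routine that encrypts one sensitive value with AES-256-CBC and a random IV before it goes into customData. Assumptions: the function names, the two application-held keys, and the HMAC tag, which the article does not mention and which is added here because CBC by itself does not detect modified ciphertext.

```javascript
// Added example: field-level encryption for a customData value (not Stormpath code).
const crypto = require("crypto");

const MAX_CUSTOM_DATA_BYTES = 10 * 1024 * 1024; // 10MB limit stated in the article

// encKey and macKey are separate 32-byte keys held by your application (assumption).
function encryptField(plaintext, encKey, macKey) {
  const iv = crypto.randomBytes(16); // fresh random IV for every value
  const cipher = crypto.createCipheriv("aes-256-cbc", encKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  // Encrypt-then-MAC over IV and ciphertext so tampering is detected.
  const tag = crypto.createHmac("sha256", macKey).update(iv).update(ct).digest();
  // Base64 strings, because JSON cannot carry raw binary.
  return { iv: iv.toString("base64"), ct: ct.toString("base64"), tag: tag.toString("base64") };
}

function decryptField(field, encKey, macKey) {
  const iv = Buffer.from(field.iv, "base64");
  const ct = Buffer.from(field.ct, "base64");
  const tag = Buffer.from(field.tag, "base64");
  const expected = crypto.createHmac("sha256", macKey).update(iv).update(ct).digest();
  // Check the tag in constant time before decrypting anything.
  if (tag.length !== expected.length || !crypto.timingSafeEqual(tag, expected)) {
    throw new Error("customData field failed integrity check");
  }
  const decipher = crypto.createDecipheriv("aes-256-cbc", encKey, iv);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Serialize to JSON and enforce the size limit before sending it to the API.
function buildCustomData(obj) {
  const json = JSON.stringify(obj);
  if (Buffer.byteLength(json, "utf8") > MAX_CUSTOM_DATA_BYTES) {
    throw new Error("customData exceeds 10MB");
  }
  return json;
}

// Constructed sample: keys are generated in place here; real keys belong in a key store.
const encKey = crypto.randomBytes(32);
const macKey = crypto.randomBytes(32);
const customData = buildCustomData({
  stripeCustomerId: "cus_EXAMPLE", // constructed placeholder ID, stored in the clear
  securityAnswer: encryptField("first pet: Rex", encKey, macKey),
});
```

Only the encrypted field is opaque to the data store; IDs for third-party services stay as plain JSON values.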

…And lots more!

We have many sample projects and tutorials that show different ways to use customData. You can find them on our blog, in our Knowledge Base, and on GitHub.
