evo-mark / laravel-id-obfuscator
Obfuscate your IDs when sending them to the frontend
Installs: 1 436
Dependents: 0
Suggesters: 0
Security: 0
Stars: 3
Watchers: 2
Forks: 2
Open Issues: 0
Requires
- php: ^8.1
- hashids/hashids: ^5.0
- illuminate/support: ^8.0|^9.0|^10.0|^11.0|^12.0
Requires (Dev)
- laravel/pint: ^1.0
- orchestra/testbench: ^8.0|^9.0|^10.0
- phpunit/phpunit: ^10.5|^11.0|^12.0
README
Laravel ID Obfuscator
Incrementing primary keys may reveal more than you wish in a public-facing application. Order IDs can reveal your sales volume to competitors and User IDs can invite enumeration attacks.
This package implements two-way hashing on `Obfuscatable` models: it converts an ID of, say, `7` into an ID of `fh38aj2e` when it travels to the frontend and converts it back on return.
Warning: This package only obfuscates IDs and should not be used if secure encryption of identifiers is required.
Installation
composer require evo-mark/laravel-id-obfuscator
Models
Usage
```php
use EvoMark\LaravelIdObfuscator\Traits\Obfuscatable;

class User extends Authenticatable
{
    use Obfuscatable;
}
```
Using the `Obfuscatable` trait provides automatic route model binding with decoding, and then automatic encoding when the primary key is sent to the frontend.
```php
Route::get('/users/{user}', [SomeController::class, 'index']);

// SomeController
public function index(User $user)
{
    // $user will now have the decoded ID ready for internal use

    // If you need to access the obfuscated ID internally, you can use
    $obfuscatedId = $user->obfuscatedId;
}
```
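The warning above matters most at this binding step: a string that decodes to a row identifies the record but says nothing about whether the caller may see it. The following is an added example, not code from the package or its README, pairing the binding with a policy check; `Order`, `OrderController`, `OrderPolicy` and the `user_id` column are assumed names.

```php
<?php
// Added example. Order is assumed to use the Obfuscatable trait and to
// have a user_id foreign key; both classes are shown together for brevity
// (in a real app: app/Http/Controllers and app/Policies).

use App\Models\Order;
use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

class OrderController extends Controller
{
    // Route::get('/orders/{order}', [OrderController::class, 'show'])
    //     ->middleware('auth');
    public function show(Request $request, Order $order)
    {
        // {order} arrived obfuscated and was decoded during route model
        // binding. Reaching this line only proves the string maps to an
        // existing row, so ownership is still checked explicitly.
        Gate::authorize('view', $order); // denied => 403 response

        // Per the README, the primary key is obfuscated again on output.
        return response()->json($order);
    }
}

class OrderPolicy
{
    // Compare the internal (decoded) integer keys. The obfuscated form is
    // for transport only and is never used as the authorization input.
    public function view(User $user, Order $order): bool
    {
        return (int) $order->user_id === (int) $user->getKey();
    }
}
```

With the policy in place, a guessed or leaked obfuscated ID for someone else's order binds successfully but the request is rejected before any data is returned.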
`Obfuscatable` models will also feature automatic decoding when using the model's `find`-style functions, e.g. `find`, `findOrFail`, `findMany`, `findOrNew`, `findOr`.
```php
// SomeController
/**
 * @param string $id The obfuscated order ID
 */
public function index($id)
{
    $order = Order::find($id);
}
```
Validation
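Laravel ID Obfuscator comes with a built-in rule extension for validating incoming obfuscated IDs:
```php
use Illuminate\Http\Request;

public function store(Request $request)
{
    // id_exists:users validates the incoming obfuscated ID against the users table
    $validated = $request->validate([
        'id' => ['required', 'id_exists:users'],
    ]);
}
```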
Facade
You can access the encoding and decoding features anytime via the provided facade.
```php
use EvoMark\LaravelIdObfuscator\Facades\Obfuscate;

$encoded = Obfuscate::encode(5);
$decoded = Obfuscate::decode($encoded);
```
toArray
Primary keys on Obfuscated models will automatically be obfuscated when sending models to the frontend.
If you want to encode foreign keys on the model as well, enable the `encodeForeign` setting in your `obfuscator` config.
Config
You can publish the package config by running the following Artisan command:
php artisan v:p --provider="EvoMark\LaravelIdObfuscator\Provider"
Setting | Type | Default | Description |
---|---|---|---|
seed | string | laravel-id-obfuscator | A seed string for the encoder |
length | int | 8 | The amount of chars to pad the output to |
alphabet | string | [a-zA-Z0-9] (as string) | The alphabet to use when encoding IDs |
encodeForeign | bool | false | Encode obfuscated foreign keys too. |
Q & A
- Why not use UUIDs?
- UUIDs can be bad for database performance, whereas this obfuscation only runs when data bridges between the backend and the frontend of your application.
Limitations
- Laravel ID Obfuscator can only be used on incrementing primary keys
- Since this package overrides the `newEloquentBuilder` method on obfuscated models, it is incompatible with any other packages that also do the same. Some examples might include:
Support Open-Source Software
We're providing this community adapter free-of-charge without any paywalled features. However, all development and maintenance costs time, energy and money. So please help fund this project if you can.