evo-mark/laravel-id-obfuscator

Obfuscate your IDs when sending them to the frontend

1.2.2 2024-11-28 10:50 UTC

This package is auto-updated.

Last update: 2024-12-02 09:22:37 UTC


README



Laravel ID Obfuscator

Incrementing primary keys may reveal more than you wish in a public-facing application. Order IDs can reveal your sales volume to competitors and User IDs can invite enumeration attacks.

This package implements two-way (reversible) hashing on Obfuscatable models: an ID of, say, 7 is converted into an ID of fh38aj2e when it travels to the frontend and is converted back on return.

Warning: This package only obfuscates IDs and should not be used if secure encryption of identifiers is required.
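
To make the warning concrete, here is an added illustration of a reversible ID encoding. It is not the package's code or algorithm; the modulus, multiplier and function names are constructed for this example, and 64-bit PHP is assumed. The tokens look unrelated, yet anyone holding the parameters can invert them, which is why this is obfuscation and not encryption.

```php
<?php
declare(strict_types=1);

// Constructed parameters for this illustration; not the package's values.
const MODULUS    = 2147483647; // prime 2^31 - 1; products stay below 2^62 on 64-bit PHP
const MULTIPLIER = 1580030173; // every value in 1..MODULUS-1 is invertible mod a prime

/** Modular inverse of $a mod $m via the extended Euclidean algorithm. */
function modInverse(int $a, int $m): int
{
    [$oldR, $r, $oldS, $s] = [$a, $m, 1, 0];
    while ($r !== 0) {
        $q = intdiv($oldR, $r);
        [$oldR, $r] = [$r, $oldR - $q * $r];
        [$oldS, $s] = [$s, $oldS - $q * $s];
    }
    return (($oldS % $m) + $m) % $m;
}

/** Map an integer ID to a short base-36 token. */
function encodeId(int $id): string
{
    if ($id < 1 || $id >= MODULUS) {
        throw new InvalidArgumentException('ID out of range');
    }
    return base_convert((string) (($id * MULTIPLIER) % MODULUS), 10, 36);
}

/** Reverse encodeId(); returns null for anything that is not a canonical token. */
function decodeId(string $token): ?int
{
    if (preg_match('/\A[0-9a-z]{1,6}\z/', $token) !== 1) {
        return null; // wrong alphabet or length
    }
    $n = (int) base_convert($token, 36, 10);
    if ($n < 1 || $n >= MODULUS) {
        return null; // outside the range encodeId() can produce
    }
    $id = ($n * modInverse(MULTIPLIER, MODULUS)) % MODULUS;
    return encodeId($id) === $token ? $id : null; // rejects aliases such as leading zeros
}

// Consecutive IDs yield unrelated-looking tokens, and each one decodes back.
foreach ([7, 8, 9] as $id) {
    $token = encodeId($id);
    printf("%d -> %s -> %d\n", $id, $token, decodeId($token));
}
// Constructed malformed inputs: one out of range, one with leading zeros.
var_dump(decodeId('zzzzzz'), decodeId('00a'));
```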

Installation

composer require evo-mark/laravel-id-obfuscator

Models

Usage

use EvoMark\LaravelIdObfuscator\Traits\Obfuscatable;

class User extends Authenticatable
{
    use Obfuscatable;
}

Using the Obfuscatable trait provides automatic route model binding with decoding, and automatic encoding when the primary key is sent to the frontend.

Route::get('/users/{user}', [SomeController::class, 'index']);

// SomeController

public function index(User $user)
{
    // $user will now have the decoded ID ready for internal use

    // If you need to access the obfuscated ID internally, you can use
    $obfuscatedId = $user->obfuscatedId;
}

Obfuscatable models also decode automatically when you use the model's find-style functions, e.g. find, findOrFail, findMany, findOrNew, findOr.

// SomeController

/**
 * @param string $id The obfuscated order ID
 */
public function index($id)
{
    $order = Order::find($id);
}

Validation

Laravel ID Obfuscator comes with a built-in rule extension for validating incoming obfuscated IDs:

public function store($request)
{
    $validated = $request->validate([
        'id' => ['required','id_exists:users']
    ]);
}

Facade

You can access the encoding and decoding features anytime via the provided facade.

use EvoMark\LaravelIdObfuscator\Facades\Obfuscate;

$encoded = Obfuscate::encode(5);
$decoded = Obfuscate::decode($encoded);

Config

You can publish the package config by running the following Artisan command:

php artisan v:p --provider="EvoMark\LaravelIdObfuscator\Provider"

Q & A

  1. Why not use UUIDs?
  • UUIDs can be bad for database performance, whereas this obfuscation only runs when data bridges between the backend and the frontend of your application.

Limitations