README

Laravel ID Obfuscator

Incrementing primary keys may reveal more than you wish in a public-facing application. Order IDs can reveal your sales volume to competitors and User IDs can invite enumeration attacks.

This package implements a two-way hashing on Obfuscatable models and converts an ID of, say, 7 into an ID of fh38aj2e when it travels to the frontend and converts it back on return.

Warning: This package only obfuscates IDs and should not be used if secure encryption of identifiers is required

Installation

composer require evo-mark/laravel-id-obfuscator

Models

Usage

use EvoMark\LaravelIdObfuscator\Traits\Obfuscatable; class User extends Authenticatable { use Obfuscatable; }

Using the Obfuscatable trait provides automatic route model binding with decoding and then automatic encoding when the primary key is sent to the frontend

Route::get('/users/{user}', [SomeController::class, 'index']); // SomeController public function index(User $user) { // $user will now have the decoded ID ready for internal use // If you need to access the obfuscated ID internally, you can use $obfuscatedId = $user->obfuscatedId; }

Obfuscatable models will also feature automatic decoding when using the model's find-style functions: e.g. find, findOrFail, findMany, findOrNew, findOr

// SomeController /**  * @param string $id The obfuscated order ID  */ public function index($id) { $order = Order::find($id); }

Validation

Laravel ID Obfuscator comes with a built-in rule extension for validating incoming obfuscated ids, simply:

public function store($request) { $validated = $request->validate([ 'id' => ['required','id_exists:users'] ]); }

Facade

You can access the encoding and decoding features anytime via the provided facade.

use EvoMark\LaravelIdObfuscator\Facades\Obfuscate; $encoded = Obfuscate::encode(5); $decoded = Obfuscate::decode($encoded);

toArray

Primary keys on Obfuscated models will automatically be obfuscated when sending models to the frontend.

If you want to encode foreign keys on the model as well, enable the encodeForeign setting in your obfuscator config.

Config

You can publish the package config by running the following Artisan command:

php artisan v:p --provider="EvoMark\LaravelIdObfuscator\Provider"

Q & A

1. Why not use UUIDs?

• UUIDs can be Bad for database performance, whereas this obfuscation only runs when data bridges between the backend and the frontend of your application.

Limitations

• Laravel ID Obfuscator can only be used on incrementing primary keys
• Since this package overrides the newEloquentBuilder method on obfuscated models, it is incompatible with any other packages that also do the same. Some examples might include:
  • mikebronner/laravel-model-caching
  • grimzy/laravel-mysql-spatial
  • fico7489/laravel-pivot
  • spatie/laravel-query-builder
  • dwightwatson/rememberable
  • chelout/laravel-relationship-events
  • lazychaser/laravel-nestedset

Support Open-Source Software

We're providing this community adapter free-of-charge without any paywalled features. However, all development and maintenance costs time, energy and money. So please help fund this project if you can.