Sometimes the data that flows from the backend of your application to the frontend can reveal more than you want to.<\/p>\n\n\n\n

Image an ecommerce scenario where every time an order is completed, a record is added to the orders table. Now imagine that you want your customers to be able to view their own orders within their own frontend account area. If you use standard incrementing IDs to identify these orders, you could easily reveal to that user the amount of orders your site gets in a time period.<\/p>\n\n\n\n

What are your options?<\/h2>\n\n\n\n

The first option is to use UUIDs as your primary key on a table. This is probably the most robust method but it comes with a few downsides:<\/p>\n\n\n\n

\n
• You can’t order records by insert order<\/li>\n\n\n\n
• Your database size is bigger<\/li>\n\n\n\n
• UUIDs can be pretty long<\/li>\n<\/ul>\n\n\n\n

  The second option is to use a standard incrementing primary key internally, but obfuscate it whenever its sent to the frontend.<\/p>\n\n\n\n

  Challenges of obfuscation<\/h2>\n\n\n\n

  Of course, models pass from backend to frontend and vice-versa in a myriad different ways and having to manually apply obfuscation and de-obfuscation every time would be immensely tedious and limit your use of the Laravel framework in some ways (e.g. route model binding).<\/p>\n\n\n\n

  Additionally, you need a robust way to encode and decode your IDs to ensure that they always resolve to the same underlying key. You also don’t want this process to be easily implementable by an unconnected party (thus making standard encoding with base64, MD5 et al. off-limits).<\/p>\n\n\n\n

  The solution<\/h2>\n\n\n\n

  This Laravel package tackles most of those challenges. Once the trait Obfuscatable<\/code> is applied to your model, the following actions are automatically taken:<\/p>\n\n\n\n

  \n
  • Obfuscated keys are resolved when used in route-model-binding.<\/li>\n\n\n\n
  • Model find<\/code> functions work with either the original key, or the obfuscated one<\/li>\n\n\n\n
  • An attribute of obfuscatedId<\/code> is automatically appended to your model instance to allow you to reference it internally<\/li>\n\n\n\n
  • The ID is obfuscated when the model is sent to the frontend via the model’s toArray<\/code> function<\/li>\n\n\n\n
  • Encoding and decoding is seeded using a custom key in your config<\/li>\n\n\n\n
  • You can pad the ID character length to whatever you like<\/li>\n\n\n\n
  • You can even define your own alphabet to use for the obfuscated IDs<\/li>\n\n\n\n
  • Applies a filter to IDs to prevent them accidentally creating offensive strings<\/li>\n<\/ul>\n\n\n\n

    Usage<\/h2>\n\n\n\n

    After installing the package, simply add the supplied trait to any models you want to have the ID obfuscated on:<\/p>\n\n\n\n

    1<\/span>use EvoMark\\LaravelIdObfuscator\\Traits\\Obfuscatable<\/span>;<\/span><\/span><\/span><\/div>
    2<\/span>\n<\/span><\/span><\/div>
    3<\/span>class <\/span>User<\/span> extends <\/span>Authenticatable<\/span><\/span><\/span><\/div>
    4<\/span><\/span>{<\/span><\/span><\/span><\/div>
    5<\/span>    use Obfuscatable<\/span>;<\/span><\/span><\/span><\/div>
    6<\/span><\/span>}<\/span><\/span><\/div><\/code><\/pre><\/div>\n\n\n\n
    Obfuscatable<\/code> models will also feature automatic decoding when using the model’s find<\/code>-style functions: e.g. find<\/code>, findOrFail<\/code>, findMany<\/code>, findOrNew<\/code>, findOr<\/code><\/p>\n\n\n\n
    \/\/ SomeController<\/span><\/span><\/div>
    \n<\/span><\/div>
    <\/span>\/**<\/span><\/div>
     * @param string $id The obfuscated order ID<\/span><\/div>
     *\/<\/span><\/span><\/div>
    public <\/span>function<\/span> <\/span>index<\/span>(<\/span>$id<\/span>)<\/span><\/span><\/div>
    <\/span>{<\/span><\/span><\/div>
        $order <\/span>=<\/span> Order<\/span>:<\/span>:<\/span>find<\/span>(<\/span>$id<\/span>)<\/span>;<\/span><\/span><\/div>
    <\/span>}<\/span><\/div><\/code><\/pre><\/div>\n\n\n\n
    Validation<\/h2>\n\n\n\n
    Laravel ID Obfuscator<\/strong> comes with a built-in rule extension for validating incoming obfuscated ids, simply:<\/p>\n\n\n\n
    public <\/span>function<\/span> <\/span>store<\/span>(<\/span>$request<\/span>)<\/span><\/span><\/div>
    <\/span>{<\/span><\/span><\/div>
        $validated <\/span>=<\/span> $request<\/span>-<\/span>><\/span>validate<\/span>(<\/span>[<\/span><\/span><\/div>
            <\/span>'id'<\/span> <\/span>=<\/span>><\/span> <\/span>[<\/span>'required'<\/span>,<\/span>'id_exists:users'<\/span>]<\/span><\/span><\/div>
        <\/span>]<\/span>)<\/span>;<\/span><\/span><\/div>
    <\/span>}<\/span><\/div><\/code><\/pre><\/div>\n\n\n\n
    Facade<\/h2>\n\n\n\n
    You can access the encoding and decoding features anytime via the provided facade.<\/p>\n\n\n\n
    use EvoMark\\LaravelIdObfuscator\\Facades\\Obfuscate<\/span>;<\/span><\/span><\/div>
    \n<\/span><\/div>
    $encoded <\/span>=<\/span> Obfuscate<\/span>:<\/span>:<\/span>encode<\/span>(<\/span>5<\/span>)<\/span>;<\/span><\/span><\/div>
    $decoded <\/span>=<\/span> Obfuscate<\/span>:<\/span>:<\/span>decode<\/span>(<\/span>$encoded<\/span>)<\/span>;<\/span><\/div><\/code><\/pre><\/div>\n\n\n\n
    Config<\/h2>\n\n\n\n
    You can publish the package config by running the following Artisan command: <\/p>\n\n\n\n
    php artisan v:p --provider<\/span>=<\/span>\"EvoMark\\LaravelIdObfuscator\\Provider\"<\/span><\/div><\/code><\/pre><\/div>\n\n\n\n
    Setting<\/th>
    Type<\/th>
    Default<\/th>
    Description<\/th><\/tr><\/thead>
    seed<\/td>
    string<\/td>
    laravel-id-obfuscator<\/td>
    A seed string for the encoder<\/td><\/tr>
    length<\/td>
    int<\/td>
    8<\/td>
    The amount of chars to pad the output to<\/td><\/tr>
    alphabet<\/td>
    string<\/td>
    [a-zA-Z0-9] (as string)<\/td>
    The alphabet to use when encoding IDs<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
    FAQs<\/h2>\n\n\n
    \n    \n\n
    Why not use UUIDs?<\/h4>\n\n\n\n
    UUIDs can be bad for database performance<\/a>, whereas this obfuscation only runs when data bridges between the backend and the frontend of your application.<\/p>\n\n\n<\/div>\n\n    \n\n\n\n
    Limitations<\/h2>\n\n\n\n
    \n
    Laravel ID Obfuscator can only be used on incrementing primary keys<\/li>\n\n\n\n
    Since this package overrides the newEloquentBuilder<\/code> method on obfuscated models, it is incompatible with any other packages that also do the same. Some examples might include:\n
    \n
    https:\/\/github.com\/mikebronner\/laravel-model-caching<\/li>\n\n\n\n
    https:\/\/github.com\/grimzy\/laravel-mysql-spatial<\/li>\n\n\n\n
    https:\/\/github.com\/fico7489\/laravel-pivot<\/li>\n\n\n\n
    https:\/\/github.com\/spatie\/laravel-query-builder<\/li>\n\n\n\n
    https:\/\/github.com\/dwightwatson\/rememberable<\/li>\n\n\n\n
    https:\/\/github.com\/chelout\/laravel-relationship-events<\/li>\n\n\n\n
    https:\/\/github.com\/lazychaser\/laravel-nestedset<\/li>\n<\/ul>\n<\/li>\n\n\n\n
    Presently, if an Obfuscatable<\/code> model appears as part of another model as a foreign key, it will not be obfuscated<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
    Sometimes the data that flows from the backend of your application to the frontend can reveal more than you want to. Image an ecommerce scenario where every time an order is completed, a record is added to the orders table. Now imagine that you want your customers to be able to view their own orders…<\/p>\n","protected":false},"author":2,"featured_media":443,"parent":218,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"templates\/open-source-software.php","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-440","page","type-page","status-publish","has-post-thumbnail","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/evomark.co.uk\/wp-json\/wp\/v2\/pages\/440","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/evomark.co.uk\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/evomark.co.uk\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/evomark.co.uk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/evomark.co.uk\/wp-json\/wp\/v2\/comments?post=440"}],"version-history":[{"count":23,"href":"https:\/\/evomark.co.uk\/wp-json\/wp\/v2\/pages\/440\/revisions"}],"predecessor-version":[{"id":784,"href":"https:\/\/evomark.co.uk\/wp-json\/wp\/v2\/pages\/440\/revisions\/784"}],"up":[{"embeddable":true,"href":"https:\/\/evomark.co.uk\/wp-json\/wp\/v2\/pages\/218"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/evomark.co.uk\/wp-json\/wp\/v2\/media\/443"}],"wp:attachment":[{"href":"https:\/\/evomark.co.uk\/wp-json\/wp\/v2\/media?parent=440"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}