Primary key obfuscation for CakePHP using HashIds, Optimus, Base62 and/or custom obfuscation strategies.
Install the plugin using Composer:
composer require muffin/obfuscate
Load the plugin by either running this console command:
bin/cake plugin load Muffin/Obfuscate
or by manually adding the following line to src/Application.php
:
$this->addPlugin('Muffin/Obfuscate');
Lastly, install the required obfuscation library depending on the strategy class you want to use and stated below.
Use the HashIdStrategy if you want to:
- obfuscate your primary keys with short, unique, non-sequential ids
- present record ids like 347 as strings like “yr8”
composer require hashids/hashids
Use the OptimusStrategy if you want to:
- obfuscate your primary keys with integers based on Knuth's integer hash
- present record ids like 347 as integers like 372555994
composer require jenssegers/optimus
Use the Base62Strategy if you want to:
- obfuscate your primary keys with base62 strings and integers
- present record ids like 347 as strings like "vk"
composer require tuupola/base62
You can also create your own strategy classes by implementing the StrategyInterface
.
Prepare for obfuscation by attaching the Obfuscate behavior to your table(s) and specifying which strategy you want to use as shown in the following examples.
use Muffin\Obfuscate\Model\Behavior\Strategy\HashIdStrategy;
$this->addBehavior('Muffin/Obfuscate.Obfuscate', [
// Strategy constructor parameter:
// $salt - Random alpha numeric string. You can also set "Obfuscate.salt"
// $minLength (optional) - The minimum hash length. Default: 0
// $alphabet (optional) - Custom alphabet to generate hash from. Default: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890'
// config instead of passing salt to construction.
// DO NOT USE same salt as set for "Security.salt" config.
'strategy' => new HashIdStrategy('5SX0TEjkR1mLOw8Gvq2VyJxIFhgCAYidrclDWaM3so9bfzZpuUenKtP74QNH6B', 10, 'abcdefghijklmnopqrstuvwxyz')
]);
use Muffin\Obfuscate\Model\Behavior\Strategy\OptimusStrategy;
$this->addBehavior('Muffin/Obfuscate.Obfuscate', [
// Strategy constructor parameters:
// $prime - Large prime number lower than 2147483647
// $inverse - The inverse prime so that (PRIME * INVERSE) & MAXID == 1
// $random - A large random integer lower than 2147483647
// You can use vendor/bin/optimus spark to generate these set of numbers.
'strategy' => new OptimusStrategy(2123809381, 1885413229, 146808189)
]);
use Muffin\Obfuscate\Model\Behavior\Strategy\Base62Strategy;
$this->addBehavior('Muffin/Obfuscate.Obfuscate', [
// Strategy constructor parameters:
// $set - Random alpha-numeric set where each character must only be used exactly once
'strategy' => new Base62Strategy('5SX0TEjkR1mLOw8Gvq2VyJxIFhgCAYidrclDWaM3so9bfzZpuUenKtP74QNH6B')
]);
Please note that attaching the behavior is totally unobtrusive and will do absolutely nothing until you use one of the custom finders.
This plugin comes with the following two custom finders that are responsible for the actual obfuscation (cloaking) and elucidation (uncloaking) process:
findObfuscated
: used to find records using an obfuscated (cloaked) primary keyfindObfuscate
: used to obfuscate (cloak) all primary keys in a find result set
Use this finder if you want to look up a record using an obfuscated id. The plugin will elucidate (uncloak) the obfuscated id and will execute the find using the "normal" primary key as it is used inside your database.
CakePHP example:
public function view($id)
{
$article = $this->Articles->find('obfuscated')
->where(['id' => $id]) // For e.g. if value for $id is 'S' it will search for actual id 1
->first();
}
Crud plugin example:
public function view($id)
{
$this->Crud->on('beforeFind', function (EventInterface $event) {
$event->subject()->query->find('obfuscated');
});
}
Use this finder if you want the plugin to obfuscate all "normal" primary keys found in a find result set.
CakePHP example:
public function index()
{
$articles = $this->Articles->find('obfuscate');
}
Crud plugin example:
public function index()
{
$this->Crud->on('beforePaginate', function (EventInterface $event) {
$event->subject()->query->find('obfuscate');
});
}
Attaching the behavior also makes the following two methods available on the table:
obfuscate(string $str)
elucidate(string $str)
A fairly common use case is applying obfuscation to user ids. To ensure the
Authentication plugin properly handles obfuscated ids, specify the obfuscated
finder
using the finder
key in your identifier's resolver config.
- Fork
- Mod, fix
- Test - this is important, so it's not unintentionally broken
- Commit - do not mess with license, todo, version, etc. (if you do change any, bump them into commits of their own that I can ignore when I pull)
- Pull request - bonus point for topic branches
To ensure your PRs are considered for upstream, you MUST follow the CakePHP coding standards.
http://github.com/usemuffin/obfuscate/issues
Copyright (c) 2015-Present, Use Muffin and licensed under The MIT License.