Masking the id with random string in url

Hello,

In CakePHP 4, what is the best way to hide with routers or mask the ID in the URL to stop manipulation?

So when editing, the following becomes
/path/edit/sdfdsf23423sdf45efert34 or path/edit/
instead of path/edit/1 path/edit/2

Regards

Mal

You can hash the value of the id column with md5, for example: 1 -> C4CA4238A0B923820DCC509A6F75849B; and save it to the database.
Then, path/edit/1 -> path/edit/C4CA4238A0B923820DCC509A6F75849B. You can also use simpler algorithms.
Good luck!

How does that work on auto increment?

Keep the id column and add an id_hash column whose value is md5(id).

Is there a way of doing it on the fly without having to add a new column?

If your concern is securing access to those edit pages, you should ideally do it by writing code that checks whether the current user is allowed to edit, not by making it unlikely that they’ll be able to find it.

If you do need to use something like this, then using GUIDs instead of auto increment for your ID column might be an option.

And if you can’t do that, and don’t want to be bothered with a new column, then put the bare ID in the URL, and include the hash as a separate parameter. And PLEASE PLEASE PLEASE include something other than just the ID in the hash, because otherwise it’s pretty trivial for someone to break your “security”.

1 Like
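The two points in the reply above, as an added example that is not part of the original thread: the bare ID stays in the URL with a keyed hash (HMAC) as a separate parameter, and the authorization check still decides who may edit. This is plain PHP rather than CakePHP API; the function names, the key and the ownership table are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical secret; a real app loads it from configuration, not from source.
const URL_SIGNING_KEY = 'constructed-example-key-change-me';

/** Build an edit URL whose signature covers the route, the record id and the user. */
function signEditUrl(string $route, int $id, int $userId): string
{
    $mac = hash_hmac('sha256', "$route|$id|$userId", URL_SIGNING_KEY);
    return "/$route/$id?sig=$mac";
}

/** Constant-time check that the id in the URL is the one that was signed. */
function verifyEditUrl(string $route, int $id, int $userId, string $sig): bool
{
    $expected = hash_hmac('sha256', "$route|$id|$userId", URL_SIGNING_KEY);
    return hash_equals($expected, $sig);
}

/** The actual access control: is this user allowed to edit this record? */
function canEdit(int $userId, int $id, array $ownerOf): bool
{
    return ($ownerOf[$id] ?? null) === $userId;
}

// Constructed sample data: record id => owning user id.
$ownerOf = [1 => 10, 2 => 20];

$url = signEditUrl('users/edit', 1, 10);
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);

var_dump(verifyEditUrl('users/edit', 1, 10, $query['sig'])); // URL as issued
var_dump(verifyEditUrl('users/edit', 2, 10, $query['sig'])); // id changed in the URL
var_dump(canEdit(10, 1, $ownerOf));                          // user 10 owns record 1
var_dump(canEdit(10, 2, $ownerOf));                          // user 10 does not own record 2

// An unkeyed hash of the id alone is something anyone can recompute.
var_dump(strtoupper(md5('1')) === 'C4CA4238A0B923820DCC509A6F75849B');
```

The signature only shows that the server issued the link; `canEdit()` is what keeps one user away from another user's record.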

The cake-4.x branch is for CakePHP 4.

Yep, that is something I am looking for; however, I got the following when I tried to install via composer:

Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Installation request for muffin/obfuscate ^1.0 -> satisfiable by muffin/obfuscate[1.0.0].
    - Conclusion: remove cakephp/cakephp 4.0.4
    - Conclusion: don't install cakephp/cakephp 4.0.4
    - muffin/obfuscate 1.0.0 requires cakephp/orm ^3.5 -> satisfiable by cakephp/orm[3.5.0, 3.5.0-RC1, 3.5.0-RC2, 3.5.1, 3.5.10, 3.5.11, 3.5.12, 3.5.13, 3.5.14, 3.5.15, 3.5.17, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.5.6, 3.5.7, 3.5.8, 3.5.9, 3.5.x-dev, 3.6.0, 3.6.0-RC1, 3.6.0-RC2, 3.6.0-beta1, 3.6.0-beta2, 3.6.0-beta3, 3.6.1, 3.6.10, 3.6.11, 3.6.12, 3.6.13, 3.6.14, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.6.9, 3.7.0, 3.7.0-RC1, 3.7.0-RC2, 3.7.0-RC3, 3.7.0-beta1, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.7.5, 3.7.6, 3.7.7, 3.7.8, 3.7.9, 3.8.0, 3.8.0-RC1, 3.8.0-RC2, 3.8.0-RC3, 3.8.0-beta1, 3.8.1, 3.8.10, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.8.7, 3.8.8, 3.8.9, 3.x-dev].
    - don't install cakephp/orm 3.5.0|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.5.0-RC1|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.5.0-RC2|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.5.1|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.5.10|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.5.11|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.5.12|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.5.13|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.5.14|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.5.15|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.5.17|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.5.2|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.5.3|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.5.4|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.5.5|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.5.6|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.5.7|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.5.8|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.5.9|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.5.x-dev|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.6.0|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.6.0-RC1|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.6.0-RC2|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.6.0-beta1|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.6.0-beta2|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.6.0-beta3|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.6.1|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.6.10|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.6.11|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.6.12|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.6.13|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.6.14|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.6.2|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.6.3|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.6.4|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.6.5|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.6.6|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.6.7|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.6.8|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.6.9|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.7.0|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.7.0-RC1|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.7.0-RC2|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.7.0-RC3|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.7.0-beta1|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.7.1|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.7.2|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.7.3|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.7.4|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.7.5|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.7.6|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.7.7|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.7.8|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.7.9|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.8.0|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.8.0-RC1|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.8.0-RC2|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.8.0-RC3|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.8.0-beta1|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.8.1|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.8.10|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.8.2|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.8.3|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.8.4|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.8.5|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.8.6|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.8.7|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.8.8|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.8.9|don't install cakephp/cakephp 4.0.4
    - don't install cakephp/orm 3.x-dev|don't install cakephp/cakephp 4.0.4
    - Installation request for cakephp/cakephp (locked at 4.0.4, required as ^4.0) -> satisfiable by cakephp/cakephp[4.0.4].

What is the correct action I need for ‘composer require …’ to get it to install and update accordingly? Both Master and Cake-4.x are the same line of code, so I can’t get it to install with composer on Cake 4.

composer require muffin/obfuscate:dev-cake-4.x

Hi @ADmad

Thanks, managed to get it installed, but I can’t get it to mask the ID. I have generated the code in CakePHP, so in the controller I have the basic Index, View, Add, Edit, Delete functions; all I need it for is the view and edit public functions.

  1. Where do I place the following code in my table file?

    $this->addBehavior('Muffin/Obfuscate.Obfuscate', [
        'strategy' => new HashIdStrategy('5SX0TEjkR1mLOw8Gvq2VyJxIFhgCAYidrclDWaM3so9bfzZpuUenKtP74QNH6B', 10, 'abcdefghijklmnopqrstuvwxyz')
    ]);

  2. With the public function edit(), how do I write the following to mask the ID?

    public function edit($id = null)
    {
        $user = $this->Users->get($id, [
            'contain' => [],
        ]);
        if ($this->request->is(['patch', 'post', 'put'])) {
            $user = $this->Users->patchEntity($user, $this->request->getData());
            if ($this->Users->save($user)) {
                $this->Flash->success(__('The user has been saved.'));

                return $this->redirect(['action' => 'index']);
            }
            $this->Flash->error(__('The user could not be saved. Please, try again.'));
        }
        $tfnUserRoles = $this->Users->TfnUserRoles->find('list', ['limit' => 200]);
        $this->set(compact('user', 'tfnUserRoles'));
    }
    

and public function view()

    public function view($id = null)
    {
        $user = $this->Users->get($id, [
            'contain' => ['TfnUserRoles'],
        ]);

        $this->set('user', $user);
    }

Finally I have copied the Authentication from the tutorials for the CMS
[https://book.cakephp.org/4/en/tutorials-and-examples/cms/authentication.html]

Where do I add the following code to get that working?

    'authenticate' => [
        'ADmad/JwtAuth.Jwt' => [
            'finder' => 'obfuscated', // will use passed id `S` to search for record id 1
            'userModel' => 'Users',
            'fields' => [
                'username' => 'id'
            ],
            'parameter' => 'token'
        ]
    ]

Thanks in advance