/cakephp-expose

CakePHP Expose plugin to expose entities through additional UUIDs instead of their AIID primary keys

Primary language: PHP. License: MIT.

CakePHP Expose plugin

Exposes UUIDs as public identifiers for your entities instead of numeric AIID (Auto Increment ID) primary keys.

This branch is for use with CakePHP 5.0+. For details see version map.

Key Goals

Cloaking/Obfuscation

  • True randomness, so you cannot determine order or count of records per time-frame.

Security

  • Mass assignment and marshalling do not allow setting this exposed field; it is hidden by default, just like the primary key.

Robustness

  • Must also work with more complex queries and use cases, including the atomic updateAll() and deleteAll().
  • Speed should be similar to default approach.

Simplicity

  • Code changes from AIID exposure to UUID lookup should be minimal for all public endpoints.
  • The default shortener provided also turns the UUIDs into concise strings that are only 22 chars long.
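
Why 22 characters is enough: a UUID is 128 bits, and 22 characters from a 64-symbol alphabet carry 132. The following is an added example, not the plugin's own shortener; the base64url encoding and the function names uuid4, shortenUuid and expandUuid are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration. base64url is an assumed encoding, not necessarily
// the alphabet the plugin's default shortener uses.

/** Generate a random (version 4) UUID from the OS CSPRNG. */
function uuid4(): string
{
    $b = random_bytes(16);
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40); // set version 4
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80); // set RFC 4122 variant
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($b), 4));
}

/** Encode a canonical UUID string as 22 URL-safe characters. */
function shortenUuid(string $uuid): string
{
    if (!preg_match('/^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/iD', $uuid)) {
        throw new InvalidArgumentException('Not a canonical UUID string');
    }
    $raw = hex2bin(str_replace('-', '', $uuid)); // 16 bytes
    // 16 bytes encode to 24 base64 chars, the last two being "==" padding.
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

/** Decode a short ID back to its UUID, rejecting non-canonical input. */
function expandUuid(string $short): string
{
    // The 22nd char holds only 2 data bits, so it must be A, Q, g or w.
    // Enforcing that keeps the mapping one-to-one: no two strings alias
    // the same record.
    if (!preg_match('/^[A-Za-z0-9_-]{21}[AQgw]$/D', $short)) {
        throw new InvalidArgumentException('Not a 22-character short UUID');
    }
    $raw = base64_decode(strtr($short, '-_', '+/') . '==', true);
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($raw), 4));
}

// Round trip on a freshly generated value.
$uuid = uuid4();
$short = shortenUuid($uuid);
if (strlen($short) !== 22 || expandUuid($short) !== $uuid) {
    throw new RuntimeException('Round trip failed');
}
echo $uuid, ' -> ', $short, PHP_EOL;
```

The short form is only a re-encoding of the same 128 bits; the unpredictability comes from the random UUID itself, not from the shortening.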

Why AIID and UUID as combination?

See Motivation for details.

Demo

See sandbox examples.

Installation

You can install this plugin into your CakePHP application using Composer.

The recommended way to install is:

composer require dereuromark/cakephp-expose

Then load the plugin with the following command:

bin/cake plugin load Expose

Usage

See Docs for details.

Quick Start for adding to existing records

Faster than the speed of light:

  • Add the behavior and run bin/cake add_exposed_field PluginName.ModelName {MigrationName} to generate a migration for adding the field.
  • Execute the migration and then populate existing records using bin/cake populate_exposed_field PluginName.ModelName
  • Re-run bin/cake add_exposed_field PluginName.ModelName {MigrationName} to get a non-nullable field migration for your new field.
  • After also executing that migration, all new records will automatically have their exposed field stored as well.

You are done and can now adjust your public actions to query by exposed field only and hide the primary key completely. Using Superimpose behavior on top of Expose means that you actually might not even have to modify any code. It should work out of the box.

More migration tips are in the Migrating section.