Obfuscated-IDs
Obfuscated-IDs is an open-source Java library that lets you easily avoid exposing the internal IDs of your database at the web level.
Obfuscated-IDs is based on:
Overview
With Spring Framework and Obfuscated-IDs it's possible to write a @Controller that automatically lets the code use the real numeric ID while the ID is always shown in its disguised form to the outside. For instance, look at this @RestController.
@RestController
public class EchoController {
    @RequestMapping("/user/{obfuscatedUserId}/{message}")
    public String getCode(@PathVariable AutoObfuscatedId obfuscatedUserId, @PathVariable String message) {
        // the path variable arrives disguised; id() yields the real numeric ID
        long id = obfuscatedUserId.id();
        // ...access the database with the numeric id
        User user = userRepo.findOne(id);
        return "User " + obfuscatedUserId + " says '" + message + "'";
    }
}
It exposes a service that can be invoked like this...
/user/2BHah7n8ziI/HelloWorld
But obfuscatedUserId.id() will return the corresponding numeric ID.
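To make the disguise-and-recover round trip concrete, here is an added stand-alone example; it is not code from the library and makes no claim about how HashIdObfuscator works internally. The class FeistelIdDemo, the method reveal() and the demo secret are assumptions made for the illustration: a keyed Feistel permutation maps a long to an 11-character URL-safe token and back.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;

// Hypothetical demo class: keyed, reversible long <-> 11-character token mapping.
public class FeistelIdDemo {
    private static final int ROUNDS = 4;
    private final SecretKeySpec key;
    FeistelIdDemo(byte[] secret) { key = new SecretKeySpec(secret, "HmacSHA256"); }
    // Round function: first 32 bits of HMAC-SHA256(key, round || half).
    private int f(int round, int half) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(key);
            byte[] in = ByteBuffer.allocate(8).putInt(round).putInt(half).array();
            return ByteBuffer.wrap(mac.doFinal(in)).getInt();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    // Balanced Feistel network over 64 bits; reversing the round order inverts it.
    private long permute(long v, boolean reverse) {
        int l = (int) (v >>> 32), r = (int) v;
        for (int i = 0; i < ROUNDS; i++) {
            int t = l ^ f(reverse ? ROUNDS - 1 - i : i, r);
            l = r; r = t;
        }
        return ((long) r << 32) | (l & 0xFFFFFFFFL); // final swap of the halves
    }
    String disguise(long id) {
        byte[] raw = ByteBuffer.allocate(8).putLong(permute(id, false)).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }
    // Hypothetical inverse of disguise(); rejects anything that is not 8 bytes of base64url.
    long reveal(String token) {
        byte[] raw = Base64.getUrlDecoder().decode(token); // IllegalArgumentException on bad characters
        if (raw.length != 8) throw new IllegalArgumentException("malformed id token");
        return permute(ByteBuffer.wrap(raw).getLong(), true);
    }

    public static void main(String[] args) {
        FeistelIdDemo o = new FeistelIdDemo("constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        for (long id : new long[] {1L, 2L, 42L}) {
            String token = o.disguise(id);
            System.out.println(id + " -> " + token + " -> " + o.reveal(token));
        }
    }
}
```

Every well-formed token decodes to some long, so a controller built on such a mapping still has to check that the record exists and that the caller is allowed to read it.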
Quick Start
Add the following Maven dependency.
<dependency>
    <groupId>com.danidemi.obfuscatedids</groupId>
    <artifactId>obfuscatedids-spring</artifactId>
    <version>0.0.1</version>
</dependency>
[!] Please check Maven Central for the latest version.
Configure an IdObfuscator.
@Bean
public static IdObfuscator idObfuscator() {
    return new HashIdObfuscator();
}
Add a @RestControllerAdvice that enables the conversion of parameters of type AutoObfuscatedId.
@RestControllerAdvice
public static class Advice {
    @Autowired IdObfuscator obfuscator;

    @InitBinder
    public void addSupportForObfuscatedId(WebDataBinder binder) {
        binder.registerCustomEditor(AutoObfuscatedId.class, new AutoObfuscatedIdSupport(obfuscator));
    }
}
Write your controller.
@Autowired IdObfuscator obfuscator;

// outgoing IDs are disguised explicitly before they leave the service
@RequestMapping("/users")
public List<String> getUsers() {
    return asList(
        obfuscator.disguise( user1.getId() ),
        obfuscator.disguise( user2.getId() )
    );
}

// incoming disguised IDs are converted by the registered editor
@RequestMapping("/user/{obfuscatedDbId}")
public String getUser(@PathVariable AutoObfuscatedId obfuscatedDbId) {
    ...
}
Deploy
Maven GPG Plugin
Make sure GPG is correctly set up by executing the following command.
mvn gpg:sign
If that returns this error...
gpg: no default secret key: unusable secret key
gpg: signing failed: unusable secret key
...then a GPG key is needed. If one is available, you can import it with...
gpg --import ~/mygpgkey_pub.gpg
gpg --allow-secret-key-import --import ~/mygpgkey_sec.gpg
Rerun mvn gpg:sign to check that everything is in place.
Sonatype OSS Repository Hosting
Make sure Sonatype OSS Repository Hosting is properly set up by checking that Maven's settings.xml contains a reference to it.
cat ~/.m2/settings.xml
You should see something like this...
<server>
    <id>ossrh</id>
    <username>YOUR-OSSRH-USERNAME-HERE</username>
    <password>YOUR-OSSRH-PASSWORD-HERE</password>
</server>
Deploy A New Release
To deploy, it should be enough to issue the following commands.
mvn clean release:clean
mvn release:prepare
mvn release:perform