2017 © Pedro Peláez

cakephp-plugin obfuscate

CakePHP 3 support for ID obfuscation



CakePHP 3 support for ID obfuscation

  • Friday, March 30, 2018
  • by jadb
  • Repository
  • 5 Watchers
  • 27 Stars
  • 956 Installations
  • PHP
  • 0 Dependents
  • 0 Suggesters
  • 7 Forks
  • 0 Open issues
  • 1 Versions
  • 2 % Grown



Build Status Coverage Status Total Downloads License, (*1)

Primary key obfuscation for CakePHP using HashIds, Optimus, Tiny and/or custom obfuscation strategies., (*2)


Install the plugin using Composer:, (*3)

composer require muffin/obfuscate

Load the plugin by either running this console command:, (*4)

bin/cake plugin load Muffin/Obfuscate

or by manually adding the following line to src/Application.php:, (*5)


Lastly, composer install (any combination of) the obfuscation libraries you want to use in your application:, (*6)

composer require hashids/hashids
composer require jenssegers/optimus
composer require zackkitzmiller/tiny

Built-in obfuscation strategies

Use the HashIdStrategy if you want to:, (*7)

  • obfuscate your primary keys with short, unique, non-sequential ids
  • present record ids like 347 as strings like “yr8”

Use the OptimusStrategy if you want to:, (*8)

  • obfuscate your primary keys with integers based on Knuth's integer hash
  • present record ids like 347 as integers like 372555994

Use the TinyStrategy if you want to:, (*9)

  • obfuscate your primary keys with base62 strings and integers
  • present record ids like 347 as strings like "vk"

You may also choose to create your own custom strategies, feel free to PR., (*10)


1. Attaching the behavior

Prepare for obfuscation by attaching the Obfuscate behavior to your table(s) and specifying which strategy you want to use as shown in the following examples., (*11)

use Muffin\Obfuscate\Model\Behavior\Strategy\HashIdStrategy;

$this->addBehavior('Muffin/Obfuscate.Obfuscate', [
    // Strategy constructor parameter:
    // $salt - Random alpha numeric string. You can also set "Obfuscate.salt"
    // $minLength (optional) - The minimum hash length. Default: 0
    // $alphabet (optional) - Custom alphabet to generate hash from. Default: 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890'
    // config instead of passing salt to construction.
    // DO NOT USE same salt as set for "Security.salt" config.
    'strategy' => new HashIdStrategy('5SX0TEjkR1mLOw8Gvq2VyJxIFhgCAYidrclDWaM3so9bfzZpuUenKtP74QNH6B', 10, 'abcdefghijklmnopqrstuvwxyz')
use Muffin\Obfuscate\Model\Behavior\Strategy\OptimusStrategy;

$this->addBehavior('Muffin/Obfuscate.Obfuscate', [
    // Strategy constructor parameters:
    // $prime - Large prime number lower than 2147483647
    // $inverse - The inverse prime so that (PRIME * INVERSE) & MAXID == 1
    // $random - A large random integer lower than 2147483647
    // You can use vendor/bin/optimus spark to generate these set of numbers.
    'strategy' => new OptimusStrategy(2123809381, 1885413229, 146808189)
use Muffin\Obfuscate\Model\Behavior\Strategy\TinyStrategy;

$this->addBehavior('Muffin/Obfuscate.Obfuscate', [
    // Strategy constructor parameters:
    // $set - Random alpha-numeric set where each character must only be used exactly once
    'strategy' => new TinyStrategy('5SX0TEjkR1mLOw8Gvq2VyJxIFhgCAYidrclDWaM3so9bfzZpuUenKtP74QNH6B')

Please note that attaching the behavior is totally unobtrusive and will do absolutely nothing until you use one of the custom finders., (*12)

2. Using the custom finders

This plugin comes with the following two custom finders that are responsible for the actual obfuscation (cloaking) and elucidation (uncloaking) process:, (*13)

  • findObfuscated: used to find records using an obfuscated (cloaked) primary key
  • findObfuscate: used to obfuscate (cloak) all primary keys in a find result set


Use this finder if you want to look up a record using an obfuscated id. The plugin will elucidate (uncloak) the obfuscated id and will execute the find using the "normal" primary key as it is used inside your database., (*14)

CakePHP example:, (*15)

public function view($id)
    $article = $this->Articles->find('obfuscated')
        ->where(['id' => $id]) // For e.g. if value for $id is 'S' it will search for actual id 1

Crud plugin example:, (*16)

public function view()
    $this->Crud->on('beforeFind', function (EventInterface $event) {


Use this finder if you want the plugin to obfuscate all "normal" primary keys found in a find result set., (*17)

CakePHP example:, (*18)

public function index()
    $articles = $this->Articles->find('obfuscate');

Crud plugin example:, (*19)

public function index()
    $this->Crud->on('beforePaginate', function (EventInterface $event) {


Attaching the behavior also makes the following two methods available on the table:, (*20)

  • obfuscate(string $str)
  • elucidate(string $str)

Pro tips


A fairly common use case is applying obfuscation to user ids. To ensure AuthComponent properly handles obfuscated ids specify the obfuscated finder in your authenticate configuration settings like shown below:, (*21)

'authenticate' => [
     'ADmad/JwtAuth.Jwt' => [
        'finder' => 'obfuscated', // will use passed id `S` to search for record id 1
        'userModel' => 'Users',
        'fields' => [
            'username' => 'id'
        'parameter' => 'token'

Patches & Features

  • Fork
  • Mod, fix
  • Test - this is important, so it's not unintentionally broken
  • Commit - do not mess with license, todo, version, etc. (if you do change any, bump them into commits of their own that I can ignore when I pull)
  • Pull request - bonus point for topic branches

To ensure your PRs are considered for upstream, you MUST follow the CakePHP coding standards., (*22)

Bugs & Feedback

http://github.com/usemuffin/obfuscate/issues, (*23)


Copyright (c) 2015, Use Muffin and licensed under The MIT License., (*24)

The Versions

30/03 2018