Use encrypted Page IDs


Macrura

Using Hashids you can accept encrypted page IDs in a querystring and decode them for use in selectors.

Why would you want to do this? In my case I have a private calendar feed where each calendar is a page, but I don't want people seeing the page IDs and then possibly guessing another person's calendar id.

1.) Include the hashids class, either with Composer or, in my case, I'm using the old version, which is 1 PHP file (you can find this in the WordPress plugin version).

2.) Depending on which version you use, the method is different; read the docs to see which version you need. My code is relevant to the old 0.1.3 version, which is good enough for this application.

include('./classes/hashids.php');
$hashids = new hashids('your_unique_salt_here');

if($input->get->cal_id) {

	// the cal id coming in is a text hash ID:
	$cal_id = $sanitizer->text($input->get->cal_id);
	
	// decrypt the hash ID; the result is an array of integers
	$cal_id = $hashids->decrypt($cal_id);

	// stop if nothing was decoded, so $cal_id[0] is never read from an empty result
	if( empty($cal_id) ) exit('Calendar not found.');

	// Look up the calendar by its integer page ID:
	$calendar = $pages->get((int) $cal_id[0]);
	if( !$calendar->id ) exit('Calendar not found.');

	// at this point you would execute your actions, e.g. render your calendar feed etc..

	exit();
}

You would also need a way to generate your links wherever you are sending or displaying them, with the hashed ID.

$calId = $hashids->encrypt($calendar->id);

Why would you want to do this? In my case I have a private calendar feed where each calendar is a page, but I don't want people seeing the page IDs and then possibly guessing another person's calendar id.

First of all, thanks for sharing this. Hash IDs have their benefits, and your method is a nice example of getting started the easy way :)

A hashed ID is essentially password authentication, though without the need to type in a username. For use cases that require more security, one should consider not using this method alone, but, for example, combining it with another GET param (which would be a username, constant API key, or something similar) and perhaps making the salt unique on a per-user / per-calendar basis.

Additionally, detecting multiple attempts for different IDs from one client and issuing a cooldown period (a ban) automatically would make sense, to prevent malicious attempts to gain access to calendars, which might contain very private data.

Just my five cents :)

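The cooldown suggested in the reply above, as an added example that is not code from any poster in this thread: a file-backed counter that locks a client out after repeated failed hash ID lookups. The class name, the limits and the JSON store file are assumptions.

```php
<?php
// Added example (names, limits and store path are assumptions): cooldown after failed hash ID lookups.
class FailedLookupThrottle {
    private $file, $maxFails, $window, $cooldown;
    public function __construct($file, $maxFails = 5, $window = 300, $cooldown = 900) {
        $this->file = $file;
        $this->maxFails = $maxFails; // failures tolerated within $window seconds
        $this->window = $window;
        $this->cooldown = $cooldown; // lockout length in seconds
    }
    // Load state under an exclusive lock, let $fn modify it, write it back.
    private function withState(callable $fn) {
        $fh = fopen($this->file, 'c+');
        if (!$fh || !flock($fh, LOCK_EX)) throw new RuntimeException('throttle store unavailable');
        $state = json_decode(stream_get_contents($fh), true) ?: [];
        $result = $fn($state);
        ftruncate($fh, 0);
        rewind($fh);
        fwrite($fh, json_encode($state));
        flock($fh, LOCK_UN);
        fclose($fh);
        return $result;
    }
    // True while the client (e.g. its IP address) is inside a cooldown period.
    public function isBlocked($client, $now = null) {
        $now = $now ?: time();
        $key = hash('sha256', $client); // do not store raw addresses
        return $this->withState(function (&$state) use ($key, $now) {
            return isset($state[$key]['until']) && $state[$key]['until'] > $now;
        });
    }
    // Record one failed decode or lookup; returns true when it starts a cooldown.
    public function recordFailure($client, $now = null) {
        $now = $now ?: time();
        $key = hash('sha256', $client);
        return $this->withState(function (&$state) use ($key, $now) {
            $old = isset($state[$key]['fails']) ? $state[$key]['fails'] : [];
            $fails = array_values(array_filter($old, function ($t) use ($now) {
                return $t > $now - $this->window; // keep the sliding window only
            }));
            $fails[] = $now;
            $blocked = count($fails) >= $this->maxFails;
            $state[$key] = $blocked ? ['fails' => [], 'until' => $now + $this->cooldown]
                                    : ['fails' => $fails];
            return $blocked;
        });
    }
}
```

In the template from the first post, `isBlocked($_SERVER['REMOTE_ADDR'])` would be checked before decoding, and `recordFailure()` called wherever the code exits with 'Calendar not found.' or 'Invalid Access Key'. Behind a reverse proxy, `REMOTE_ADDR` is the proxy's address, so the client identifier has to come from a header the proxy is trusted to set.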

Yep - in my case we also hash the client ID:

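$client_key = (int) $calendar->client_select->id;
$ak_hashed = $sanitizer->text($input->get->access_key);
// decrypt the access key; the result is empty when the hash does not decode
$access_key = $hashids->decrypt($ak_hashed);

// reject a missing client, an undecodable key, or a mismatch (strict comparison)
if(!$client_key || empty($access_key) || $client_key !== (int) $access_key[0]) exit('Invalid Access Key');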

As Teppo points out, using 2 hash IDs, one for the page and one for the user, and then seeing if the user has access to that page is additional security.

In my case these are not users, but simple pages storing contact info.

You could also get real PW users and then use ACL to check for access...


If you were going to use them on a particular template with URL segments, that would be pretty easy to set up.

The template itself would parse the hashid and deliver the page content.

There would be some options for generating the hashed URL; it depends on how you are using it.

You could use Kongondo's new module and create a link on the page editor to the hashedID URL of the page.

Or you could replace all of the page URLs for a particular template, something like this (untested):

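wire()->addHookBefore('Page::path', function($event) {

	// include_once: the hook runs for every path lookup, and a plain include
	// would try to declare the hashids class a second time
	include_once('./classes/hashids.php');
	$hashids = new hashids('your_unique_salt');
	$page = $event->object;

	if($page->template == 'some-template') {
		// replace the normal path with the hashed page ID
		$event->replace = true;
		$hashedID = $hashids->encrypt($page->id);
		$event->return = "/$hashedID/";
	}

});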

On the template you would need to decrypt the ID and render the content.
