String.scrambleId
Description
This function takes a plain numeric ID (e.g. a primary key from a database), and converts it to a string of scrambled characters.
The output can be unscrambled back to its original number, so there is no need to store it in the database.
This does not provide any real security benefits, but it is useful for hiding how many users (or other records) your app actually has.
String.scrambleId(1) //= '7chh5j9'
String.scrambleId(2) //= 'dg97kx8'
String.scrambleId(123456) //= '6dbrsdk'
String.unscrambleId('6dbrsdk') //= 123456
Features
- Sequential numbers are highly dissimilar from each other.
- Low numbers are the same length as large numbers.
- It uses a base-26 alphabet that will not inadvertently spell English words.
- The scrambled ID is short enough to look good in a URL.
Example Usage
Create a URL that contains a scrambled ID:
$link = html'<a href="/user/{userId}">{userName}</a>'
$link.fill({
    userId: String.scrambleId($user.userId)
    userName: $user.userName
})
Unscramble it back automatically with the unscramble validation rule:
$userId = Input.getRoute('userId', 'unscramble')
Note on Security
This does not provide any real security against attacks. However, it does make it harder for outsiders to infer business metrics, such as how many records have been created and their rate of growth.
For example, say a competitor visits your app and creates a new user account. They note that their userId is 10000. At the end of the day, they create another account and note that the new userId is 10200.
From this, they can infer two things about your app: you have about 10,200 users, and you are gaining about 200 users per day.
Secret Key
When your app is created, the config key scrambleIdSecretKey in app.local.jcon is automatically filled with a unique random 8-digit hex number.
This key is required in order to generate scrambled IDs that are unique to your app.
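The following is an added example of how a function with the properties described above (reversible, fixed-length, key-dependent, base-26 alphabet with no vowels) can be built. It is not the framework's own String.scrambleId implementation, and the alphabet, the multiplicative mixing constant, the 32-bit ID range and the placeholder key "3fa9c21e" are all assumptions chosen here to match the shape of the page's sample output. Like the original, it is obfuscation only: anyone who holds the key can reverse it, and anyone who can create records can still observe their own IDs, so it hides record counts from casual observers rather than providing access control.

```python
"""Reversible ID scrambling in the spirit of String.scrambleId (added example).

A 32-bit ID is XORed with a secret key, multiplied by an odd constant modulo
2**32 (always invertible), bit-folded, and written as a fixed-length base-26
string. The alphabet is an assumption: 21 consonants plus the digits 5-9, so
no vowels and no accidental English words, matching the page's sample output.
"""
import secrets

ALPHABET = "bcdfghjklmnpqrstvwxyz56789"   # assumed alphabet, 26 symbols, no vowels
BASE = len(ALPHABET)
LENGTH = 7                     # 26**7 (about 8.0e9) exceeds 2**32, so every 32-bit ID fits
MOD = 1 << 32
MULT = 0x9E3779B1              # odd, hence invertible mod 2**32 (constructed constant)
INV_MULT = pow(MULT, -1, MOD)  # modular inverse used on the way back
_INDEX = {c: i for i, c in enumerate(ALPHABET)}


def generate_secret_key() -> str:
    """Produce 8 hex digits (32 bits), the shape the page describes for scrambleIdSecretKey."""
    return secrets.token_hex(4)


def _key_int(secret_key_hex: str) -> int:
    return int(secret_key_hex, 16) & (MOD - 1)


def _mix(x: int, key: int) -> int:
    x = ((x ^ key) * MULT) % MOD   # multiplication sends neighbouring IDs far apart
    x ^= x >> 16                   # fold high bits into low bits; self-inverse for 32-bit x
    return x ^ key


def _unmix(x: int, key: int) -> int:
    x ^= key
    x ^= x >> 16                   # the fold undoes itself
    x = (x * INV_MULT) % MOD
    return x ^ key


def scramble_id(n: int, secret_key_hex: str) -> str:
    """Integer ID -> fixed-length base-26 string (reversible with the same key)."""
    if not 0 <= n < MOD:
        raise ValueError("ID must be a 32-bit unsigned integer")
    x = _mix(n, _key_int(secret_key_hex))
    out = []
    for _ in range(LENGTH):        # always LENGTH symbols, so small IDs look like large ones
        x, digit = divmod(x, BASE)
        out.append(ALPHABET[digit])
    return "".join(reversed(out))


def unscramble_id(s: str, secret_key_hex: str) -> int:
    """Scrambled string -> integer ID; rejects anything that is not a valid encoding."""
    if len(s) != LENGTH or any(c not in _INDEX for c in s):
        raise ValueError("not a scrambled ID")
    x = 0
    for c in s:
        x = x * BASE + _INDEX[c]
    if x >= MOD:                   # 26**7 > 2**32: the codes above 2**32 are never produced
        raise ValueError("not a scrambled ID")
    return _unmix(x, _key_int(secret_key_hex))


def route_param_to_id(raw: str, secret_key_hex: str):
    """What an 'unscramble' validation rule would do: the ID, or None if the input is invalid."""
    try:
        return unscramble_id(raw, secret_key_hex)
    except ValueError:
        return None


if __name__ == "__main__":
    key = "3fa9c21e"   # constructed placeholder key, not any real app's value
    for n in (1, 2, 123456):
        s = scramble_id(n, key)
        print(n, s, unscramble_id(s, key))
```

The decoder deliberately rejects strings of the wrong length, strings containing characters outside the alphabet, and the base-26 values above 2**32 that the encoder can never produce, so a route parameter that fails validation is reported as invalid rather than being mapped to some unrelated ID.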