
A type-based ID obfuscation library to prevent insecure direct object references (IDOR)
The Idor constructor accepts an unsigned int, unsigned BigInt, or UUID string identifier, together with a model type name that identifies the model class the identifier references. The .toString() method returns a string that is safe to expose to the client side (the "public id"). The .valueOf() method returns the original value (the "private id"). Idor.fromString() creates a new Idor instance from a "public id" string. The .typename getter returns the model class the identifier references.
Because the type name is part of what gets encoded, the same private id produces different public ids for different models (1 as a "User" and 1 as a "Post" below), and decoding tells the server which model a public id was issued for, so an id minted for one model cannot be quietly passed where another is expected. Obfuscating identifiers hides real database keys and makes enumeration harder; it does not decide whether the caller may access the object, so the application must still perform its authorization check on the decoded private id.
var Idor = require("idor").default({ salt: "secret" });
new Idor(1, "User").toString();
// 'FLN1a5AnVsGFmVXQYabHxA'
new Idor(1, "Post").toString();
// 'Dw3BiVRByuvYjKUKA4MjwQ'
Idor.fromString("FLN1a5AnVsGFmVXQYabHxA").valueOf();
// 1
Idor.fromString("FLN1a5AnVsGFmVXQYabHxA").typename;
// 'User'
The constructor also accepts BigInt and UUID values. Note that 1 and 1n encode to different public ids: the original type is preserved, and .valueOf() returns a BigInt for an id created from a BigInt.
new Idor(1n, "User").toString();
// 'SpSYCHJFD4XD+L4c1OIRUQ'
Idor.fromString("SpSYCHJFD4XD+L4c1OIRUQ").valueOf();
// 1n
Idor.fromString("SpSYCHJFD4XD+L4c1OIRUQ").typename;
// 'User'
new Idor("123e4567-e89b-12d3-a456-426655440000", "User").toString();
// 'xhmWUgGswnl87h2bvkoB2LNy/QtjTfg9Cbp7dABDkrc'
Idor.fromString("xhmWUgGswnl87h2bvkoB2LNy/QtjTfg9Cbp7dABDkrc").valueOf();
// '123e4567-e89b-12d3-a456-426655440000'
Idor.fromString("xhmWUgGswnl87h2bvkoB2LNy/QtjTfg9Cbp7dABDkrc").typename;
// 'User'
Scopes add a further layer of separation between identifiers exposed to the client side. A public id minted in one scope decodes to null in any other scope, so ids issued for one context (for example an internal or "private" API) cannot be reused in another:
new Idor(1, "User", "private").toString();
// 'FqPuJ4ohXd2UvRvl+bvRvg'
Idor.fromString("FqPuJ4ohXd2UvRvl+bvRvg").valueOf();
// null (wrong scope)
Idor.fromString("FqPuJ4ohXd2UvRvl+bvRvg", "private").valueOf();
// 1
Idor.fromString("FqPuJ4ohXd2UvRvl+bvRvg", "private").typename;
// 'User'
The default scope is 'public'.
new Idor(1, "User", "public").toString();
// 'FLN1a5AnVsGFmVXQYabHxA'
The .scope setter allows the scope to be changed after the object has been initialised:
const a = new Idor(1, "User");
a.scope = "private";
a.toString();
// "FqPuJ4ohXd2UvRvl+bvRvg"
const b = Idor.fromString("FqPuJ4ohXd2UvRvl+bvRvg");
b.scope = "private";
b.valueOf();
// 1
The application SHOULD set its own unique, secret salt. With a default or guessable salt, anyone who can run the library can compute private ids from exposed public ids, or mint valid public ids externally. Public ids only decode on an Idor instance configured with the salt (and scope) they were created with:
var Idor = require("idor").default({ salt: "S3cr3t" });
new Idor(1, "User").toString();
// 'TCfNIEMg4cKgTS5cLsLXzg'
new Idor(1, "User", "private").toString();
// 'HURdRJrGSiIz0/rnvO1s+g'
Idor.fromString("HURdRJrGSiIz0/rnvO1s+g").valueOf();
// null (wrong scope: encoded as "private", decoded with the default "public" scope)
Idor.fromString("TCfNIEMg4cKgTS5cLsLXzg").valueOf();
// 1
FAQs
The npm package idor receives a total of 92 weekly downloads. As such, idor popularity was classified as not popular.
We found that idor demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.