
Params Codec Bundle Laravel Package

aaugustyniak/params-codec-bundle

Symfony 2/3 bundle that AES-encrypts route parameters. Adds a param_codec service and Twig helpers to generate encrypted URLs, plus a @DecryptParams annotation to automatically decrypt controller arguments using a secret passphrase.


Product Decisions This Supports

  • Security Hardening: Enables obfuscation/encryption of sensitive route parameters (e.g., user IDs, tokens, or internal identifiers) to prevent exposure in URLs, logs, or browser history. Aligns with compliance requirements (e.g., GDPR, HIPAA) for handling PII.
  • API/URL Design: Supports "clean" public-facing URLs (e.g., /profile/abc123) while securely mapping to internal identifiers (e.g., user_id=42). Reduces risk of reverse-engineering or parameter tampering.
  • Build vs. Buy: Avoids reinventing encryption logic for route parameters, leveraging a lightweight, MIT-licensed solution instead of custom development. Low maintenance overhead for a niche but critical use case.
  • Roadmap Prioritization: Justifies investment in Symfony-based projects where route parameter security is a blocking issue (e.g., e-commerce, healthcare, or SaaS platforms with shared-tenancy models).
  • Performance Trade-offs: Evaluates whether encryption/decryption latency (AES overhead) is acceptable for the target use case (e.g., non-critical vs. high-frequency routes).

When to Consider This Package

  • Adopt When:

    • Your Symfony app exposes sensitive data in route parameters (e.g., /user/123 where 123 is a database ID or token).
    • You need to comply with regulations requiring data obfuscation in URLs (e.g., PCI DSS, GDPR).
    • Your team lacks cryptographic expertise to implement secure parameter encoding in-house.
    • The package’s MIT license and minimal dependencies align with your project’s governance policies.
    • You’re using Symfony 2/3 (Symfony 4+ may require compatibility checks or forks).
  • Look Elsewhere If:

    • You need one-way hashing (e.g., password-like storage) instead of reversible encryption.
    • Your parameters are extremely large (AES may add significant overhead; consider base64 encoding + hashing instead).
    • You require multi-tenant key management (this bundle uses a static parameters.yml key; consider AWS KMS or HashiCorp Vault for dynamic keys).
    • You’re using Symfony 5+ without a maintained fork (risk of compatibility issues).
    • Your team prefers alternative approaches like:
      • URL rewriting (e.g., /profile/{slug} with a slug service).
      • Query string encryption (e.g., ?id=encrypted_123).
      • Existing bundles like FOSJsRoutingBundle for client-side URL generation.

How to Pitch It (Stakeholders)

For Executives:

"This bundle lets us securely hide sensitive data in URLs—like user IDs or tokens—without exposing them in logs, browser history, or referrer headers. For example, instead of /account/42, we’d show /account/abc123, where abc123 is encrypted. This reduces compliance risk (e.g., GDPR) and prevents attackers from scraping internal identifiers. The MIT license and minimal overhead make it a low-risk, high-reward addition for [target use case, e.g., patient records or payment links]."

For Engineering:

*"The ParamsCodecBundle provides a drop-in solution for AES-encrypting Symfony route parameters using a static key from parameters.yml. Key benefits:

  • Security: Obfuscates PII in URLs (e.g., /order/encrypted_123 instead of /order/550e8400-e29b-41d4-a716-446655440000).
  • Integration: Works with Twig’s path()/url() functions via a Twig extension and annotations (@DecryptParams).
  • Performance: Minimal latency for most use cases (AES-128/256).
  • Trade-offs: Not for hashing (use password_hash() instead) or dynamic key rotation (consider Vault/KMS for that).

Proposal:

  1. Add to composer.json and AppKernel.php.
  2. Configure secret_passphrase in parameters.yml.
  3. Annotate controllers (e.g., @DecryptParams) or use Twig functions for encrypted URLs.

Risk: Low—MIT license, no dependents, but test with Symfony 2/3 only. For Symfony 4+, we’d need to validate or fork."*

For Security Teams:

*"This addresses URL-based data leakage by encrypting route parameters with AES-128/256. Key considerations:

  • Key Management: The static parameters.yml key is not ideal for production—recommend rotating it via CI/CD or integrating with a secrets manager (e.g., HashiCorp Vault).
  • Scope: Only encrypts route parameters, not query strings or POST data.
  • Alternatives: If you need tamper-proofing (not just obfuscation), pair with HMAC or use a bundle like stof/doctrine-extensions for signed URLs.

Approval Ask: Sign off on the static key approach for MVP, with a plan to migrate to dynamic keys in v2."*