Weave Code
Code Weaver
Helps Laravel developers discover, compare, and choose open-source packages. See popularity, security, maintainers, and scores at a glance to make better decisions.
Feedback
Share your thoughts, report bugs, or suggest improvements.
Subject
Message
Log in Register
Home
Packages
Laravel Hashids
Assessments

Laravel Hashids Laravel Package

cirlmcesc/laravel-hashids

Laravel package to obfuscate model IDs and route parameters using Hashids. Adds a model trait that automatically encodes ID and *_id fields on serialization, decodes for route model binding, and provides helper methods plus Artisan install/test commands.

View on GitHub
Deep Wiki
Context7

Technical Evaluation

Architecture Fit

  • Use Case Alignment: The package provides a lightweight solution for generating Hashids-based short, non-sequential IDs for Eloquent models, replacing auto-incremented primary keys with human-readable, URL-friendly identifiers (e.g., abc123 instead of 123456). This aligns well with:
    • User-facing identifiers (e.g., product SKUs, short URLs, or shareable links).
    • Security-sensitive contexts where exposing sequential IDs is undesirable (e.g., API endpoints, public-facing routes).
    • Legacy system migration where database constraints (e.g., AUTO_INCREMENT) must be bypassed.
  • Laravel Ecosystem Fit: Leverages Laravel’s Service Provider and Eloquent Model Binding patterns, ensuring seamless integration with existing Laravel applications. The package’s reliance on the hashids/hashids library (a PHP port of Hashids) ensures compatibility with PHP’s type system and Laravel’s dependency injection.

Integration Feasibility

  • Low-Coupling Design: The package injects Hashids generation logic via Eloquent Observers or Model Events, minimizing invasive changes to existing models. Key integration points:
    • Model Booting: Automatically attaches to Eloquent models via boot() method (Laravel’s model booting mechanism).
    • Query Scoping: Provides a HashidScope to filter models by their Hashid values (e.g., Model::whereHashid('abc123')).
    • Route Model Binding: Supports implicit binding of Hashids in routes (e.g., Route::get('/product/{product}', ...)).
  • Database Agnostic: Works with any database backend (MySQL, PostgreSQL, SQLite) as long as the primary key is numeric (Hashids encode numbers). No schema migrations required for the package itself, though applications may need to:
    • Add a hashid column (if storing generated IDs separately from the primary key).
    • Update queries to handle dual-key lookups (e.g., WHERE id = Hashids::decode('abc123')).

Technical Risk

Risk Area Description Mitigation Strategy
Performance Overhead Hashids generation/decoding adds CPU overhead (~10–50µs per operation, depending on salt length and ID length). For high-throughput systems (e.g., 10K+ requests/sec), this may introduce latency. Benchmark under load; consider caching decoded IDs (e.g., Redis) or using shorter Hashids (e.g., 6 chars instead of 10).
Collision Risk While statistically rare, Hashids collisions can occur if the salt is weak or IDs are excessively long. The package uses a random salt by default, but custom salts must be managed carefully. Validate salt uniqueness across environments; monitor for collisions in production (log decode failures).
Route Binding Complexity Implicit route binding (e.g., /product/{product}) requires the primary key to be numeric. If the primary key is a UUID or string, additional logic (e.g., a custom resolver) is needed. Document edge cases; provide fallback resolvers for non-numeric primary keys.
Migration Complexity Retrofitting Hashids to existing models may require: 1. Adding a hashid column (if not using the primary key). 2. Backfilling existing records. 3. Updating queries, routes, and APIs. Offer a migration helper (e.g., php artisan hashids:migrate) to automate backfilling. Provide clear deprecation paths for sequential IDs.
Security Implications Hashids are not cryptographically secure. They are reversible with the salt, so: - Avoid using them for sensitive data (e.g., passwords, tokens). - Ensure salts are stored securely. Enforce salt management (e.g., environment variables); pair with other security measures (e.g., rate limiting on decode endpoints).
Versioning Risks Last release is 2026-02-24 (future date as of writing). If the package is abandoned, forks or alternative solutions (e.g., Laravel’s built-in Str::orderedUuid()) may be needed. Evaluate fork activity; maintain a local fork with critical fixes. Monitor for Laravel version compatibility (e.g., 10.x, 11.x).

Key Questions

  1. Primary Key Strategy:

    • Will Hashids replace the primary key entirely, or will the application maintain a separate hashid column?
    • If replacing the primary key, how will foreign key relationships be handled (e.g., ON DELETE CASCADE on numeric IDs)?

  2. Performance Requirements:

    • What is the expected throughput for ID generation/decoding? Are there SLA targets for API responses?
    • Are there hot paths (e.g., checkout flows) where Hashids decoding could introduce latency?

  3. Security and Compliance:

    • Are there regulatory requirements (e.g., GDPR, HIPAA) that restrict reversible ID schemes?
    • How will salt management be handled across environments (dev/stage/prod)?

  4. Migration Path:

    • What is the deployment strategy for rolling out Hashids (big bang vs. gradual)?
    • How will legacy URLs/APIs (using sequential IDs) be deprecated or redirected?

  5. Monitoring and Observability:

    • Will collision rates or decode failures be monitored?
    • How will performance metrics (e.g., Hashids generation time) be tracked?

Integration Approach

Stack Fit

  • Laravel Version Compatibility: The package targets Laravel 10.x/11.x (based on the 2026 release date). Verify compatibility with:
    • PHP 8.1+ (required by Hashids library).
    • Eloquent Model Events (used for automatic Hashid generation).
    • Route Model Binding (for implicit Hashid resolution).
  • Database Support:
    • Primary Key: Must be numeric (int/bigint). UUIDs or string primary keys require custom resolvers.
    • Indexing: Ensure the primary key (or hashid column) is indexed for performance.
  • Dependencies:
    • hashids/hashids (PHP port of Hashids).
    • Laravel’s Service Container (for configuration).
    • Optional: Redis or cache driver for decoded ID caching.

Migration Path

Phase Steps Tools/Commands
Preparation 1. Assess models requiring Hashids (prioritize user-facing entities). 2. Backup database. 3. Test Hashids generation in a staging environment. composer require cirlmcesc/laravel-hashids
Configuration 1. Publish the package config (php artisan vendor:publish --tag=hashids-config). 2. Set salt (e.g., APP_HASHIDS_SALT). 3. Configure id_length (default: 10). Config file: config/hashids.php
Model Integration 1. Use the HasHashid trait or extend HashidModel (if provided). 2. Add hashid column to the database (if not using primary key). 3. Update model casts/accessors. Trait: use \Cirlmcesc\Hashids\Traits\HasHashid;
Backfilling 1. Write a migration to generate Hashids for existing records. 2. Update foreign keys to reference Hashids if needed. Custom migration or php artisan hashids:migrate (if provided)
Route/Query Updates 1. Update routes to bind Hashids (e.g., Route::get('/product/{product}', ProductController::class)). 2. Update queries to support whereHashid(). Route model binding, Eloquent scopes
API/Client Updates 1. Update API responses to include Hashids. 2. Deprecate sequential ID endpoints (add redirects or rate-limited fallbacks). OpenAPI/Swagger docs, deprecation headers
Testing 1. Test Hashid generation/decoding edge cases (e.g., max int, collisions). 2. Validate route binding and query scopes. 3. Load test under production-like conditions. PHPUnit, Laravel Dusk, k6/locust for performance
Deployment 1. Roll out in stages (e.g., non-c
Weaver

How can I help you explore Laravel packages today?

Conversation history is not saved when not logged in.
Prompt
Add packages to context
No packages found.
nasirkhan/laravel-sharekit
directorytree/privacy-filter-classifier
directorytree/privacy-filter
datacore/hub-sdk
develia/commons
cuci/prototurk-sdk
cuci/prototurk-sdk-symfony
develia/geo-bundle
dreamzy/livewire-charts
touchestate-sdk/php-sdk
22h/doctrine-garbage-collection-bundle
agtp/agtp-php
agtp/mod-php
splash/sonata-admin
splash/metadata
splash/openapi
splash/scopes
splash/toolkit
testo/output-teamcity
testo/bridge-symfony