A small Java project: Create simple opaque (random-looking) strings from clear text strings. The opaquified strings can be deopaquified.
This is much like simple Base64-encoding, but the endcoded strings generated by Opaquify look more random.
This is to be regarded as a toy project. Not available on maven central. It is very similar to Hashids, which you should check out. They have a proper website! Also, check out FriendlyID, etc etc.
Example usage:
Opaquifyer opaquifyer = new Opaquifyer(); // (1)
String opaquified = opaquifyer.opaquify("Opaquify me!"); // (2)
System.out.println(opaquified); // "mek7mop9k49kv9njd5manbsugw" (3)
// ... (4)
String deopaquified = opaquifyer.deopaquify(opaquified); // (5)
System.out.println(deopaquified); // "Opaquify me!" (6)-
Create an Opaquifyer instance
-
Opaquify a string that you feel might need some.. umm "opaquification".
-
Behold the result.
-
Other stuff happens, your opaquified token is perhaps passed around here and there
-
Your opaquified token is now deopaquified back to the original
-
Indeed, it is back.
Warning: Do not opaquify anything that is even remotely secret. Even though the strings generated by this library may look opaque and scrambled, they should be regarded as fully reversible. As such they offer no security over using the raw input. For some analysis of the Hashids project, see: https://carnage.github.io/2015/08/cryptanalysis-of-hashids. Much of that probably applies here too.
Some notes:
-
The result is encoded using the 36 character alphabet
0-9a-z(0123456789abcdefghijklmnopqrstuvwxyz). There is no way to customize that. -
Repeated opaquification of the same string yields the same result.
-
But if you need the opaque strings generated by your project to be unique for your project, you can instantiate the Opaquifyer using a.. umm.. "uniquifyer":
Opaquifyer opaquifyer = new Opaquifyer("My project rocks!"); // (1)
String opaquified = opaquifyer.opaquify("Opaquify me!"); // (2)
System.out.println(opaquified); // 1fyhmk7imayvhtmomnsnxy255z2 (3)-
The Opaquifyer is instantiated with a "uniquifier": My project rocks!
-
Opaquify me!
-
Behold the result - it is different from the result retrieved if no uniquifyer was used.
-
Your project exposes a list method, where pagination is implemented using page tokens. Your initial idea was to use some raw DB-table ids as page tokens. But then you felt that while these ids are in no way secret, the usage of these ids expose too much internals. You don’t want users of your API to write code that depends on the page tokens being raw ids. You might want to change your code later, right? Better to opaquify the ids, and thus "help" the developers writing client code for your API to not do anything stupid.
-
So you try to opaquify the ids using Base64. But that is just ugly. And the tokens don’t really look very opaque. Anybody can see that they are Base64 encoded strings. There is always going to be some developer that decides to decode your tokens to implement something that they shouldn’t.
-
Therefore, you Googled and landed here. Good! (But this is a toy project, so go checkout Hashids, which will do the job for you.)
-
As little code as possible - use whatever JDK features we can find. (At the time of this writing, we have had limited success - we have about 150 lines of code including comments.)
-
No dependencies on external (non-JDK) libraries
-
Use Java 8. Even though it is old, it is still not end of life (at the time of this writing)
-
Base64 is ugly, don’t generate strings looking like Base64. (Base62 would have been perfect. But to keep the code very compact, we have settled for a 36 character alphabet.)
Original String |
Base64 encoded (URL-style) |
Opaquified |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Base64 encoding might sometimes be too unopaque, right?