elocryptfive icon indicating copy to clipboard operation
elocryptfive copied to clipboard

Published 20 hours ago verified publisher icon delatbabel

Laravel 5.5 - data is stored as decrypted after model update

Open bjauy opened this issue 7 years ago • 16 comments

I have been testing this package for few days on Laravel 5.5. Recently, I've checked table content and some of the rows weren't encrypted at all.

After few tests in artisan tinker I've nailed the issue to updates that make the data unencrypted. Model creation works as expected.

The problem happens also in default L5.5 installation, using MySQL (MariaDB 10.1.26 exactly):

  1. Database and package setup:
composer create-project --prefer-dist laravel/laravel laravel55
cd laravel55
composer require delatbabel/elocryptfive
php artisan make:auth
php artisan migrate:fresh

(if there is an error with key length, change encoding values in config/database.php to 'utf8' and 'utf8_general_ci' accordingly)

  1. Add below to app/User.php:
use Delatbabel\Elocrypt\Elocrypt;

class User extends Authenticatable
{
    use Elocrypt;

   [...]

   protected $encrypts = [ 'name', ];

   [...]
  • add provider to ```config/app.php`
  1. Test in tinker:
>>> User::create(['name' => 'test', 'email' => '[email protected]', 'password' => Hash::make('test')]);

The value for name is encrypted.

>>> User::find(1)->update(['email' => '[email protected]']);

After the update table preview shows data as unecrypted.

bjauy avatar Sep 15 '17 09:09 bjauy

Hey, I have the same problem did you found any solutions?

dokicro avatar Sep 20 '17 12:09 dokicro

Yes, you need to override getDirty() method in your models which depend on Elocrypt trait:

public function getDirty()
{
    $dirty = [];

    foreach ($this->attributes as $key => $value) {
        if (! $this->originalIsEquivalent($key, $value)) {
                    $dirty[$key] = $value;
        }
    }

    return $dirty;
}

bjauy avatar Sep 21 '17 22:09 bjauy

Thanks 👍

dokicro avatar Sep 23 '17 15:09 dokicro

Hrm, interesting. I wonder if it can be over-ridden in the trait and if doing so will cause breakages on prior versions of Laravel? I haven't started migrating any projects to L5.5 yet although it's a planned change with the new LTS release. I will keep this ticket open for monitoring and if anyone has any further information.

delatbabel avatar Sep 25 '17 05:09 delatbabel

IIRC originalIsNumericallyEquivalent method was renamed (and refactored) to originalIsEquivalent in L5.5, so simply adding getDirty would break the trait for users of older versions.

Maybe we could just add second, optional trait with just getDirty() overriden? This, and an information in the readme should be enough IMHO.

Users of older Laravel versions wouldn't be affected by the changes.

I can prepare pull request if you don't mind and if the change is ok for you.

bjauy avatar Sep 27 '17 22:09 bjauy

I just want to chime in that I am also looking to migrate from Laravel 5.1 to 5.5. I use this package to encrypt data in my database so I welcome any ideas on how to make it work on 5.5.

schonhose avatar Oct 16 '17 20:10 schonhose

There is also an other bug with Laravel 5.5: If an attribute is casted, the getDirty will fail as well in certain cases. Essentially Laravel is casting the encrypted values which will result in different encrypted values being regarded as the same. E.g. object, array or json will be tried to be read from JSON. However, since the provided input is encrypted, the casted value evaluates to false no matter what.

Our solution is to overwrite the castAttribute method


    /**
     * Decrypt encrypted data before it is processed by cast attribute
     * @param $key
     * @param $value
     *
     * @return mixed
     */
    protected function castAttribute($key, $value)
    {
        return parent::castAttribute($key, $this->doDecryptAttribute($key, $value));
    }

mrgrain avatar Nov 03 '17 01:11 mrgrain

Thanks for the information. I'm continuing to track this. I'm about to migrate one project from 5.1 LTS to 5.5 LTS so I will try to build something that works for both LTS versions.

delatbabel avatar Nov 10 '17 07:11 delatbabel

Instead of trying to fix it for both versions at the same time (or forks or whatever), @delatbabel you could just release a new version which requires Laravel 5.5

mrgrain avatar Dec 03 '17 23:12 mrgrain

@delatbabel any update on this?

mbardelmeijer avatar Dec 05 '17 21:12 mbardelmeijer

I ended up 1) forking this, 2) fixing all the Laravel 5.5 issues, 3) dropping support for Laravel below 5.5, and 4) a bunch of random cleanup & unit tests. Available below:

austinheap avatar Dec 14 '17 03:12 austinheap

@mrgrain where should one override the castAttribute method? thanks

ITwrx avatar Feb 20 '18 15:02 ITwrx

@ITwrx Overwrite it in the model that needs to be encrypted. We have a base model for all encrypted models which uses Elocrypt's trait and overrides the castAttribute method (amongst other things).

Or you could simply create your own EncryptedModel trait which extends the original Elocrypt one.

mrgrain avatar Feb 21 '18 02:02 mrgrain

@mrgrain cool, thanks.

ITwrx avatar Feb 21 '18 02:02 ITwrx

Hi all, firstly sorry about the delay. I have had a long period of illness, just getting back to health now. I'll certainly look at integrating the patches into a Laravel 5.5 branch shortly.

delatbabel avatar Feb 21 '18 08:02 delatbabel

glad you're back. stay well.

ITwrx avatar Feb 21 '18 16:02 ITwrx