Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enhance URL security by supporting opaque IDs for bookings #1638

Open
mnofresno opened this issue Dec 16, 2024 · 1 comment
Open

Enhance URL security by supporting opaque IDs for bookings #1638

mnofresno opened this issue Dec 16, 2024 · 1 comment

Comments

@mnofresno
Copy link

The Problem

The current URL structure for booking services in EasyAppointments exposes provider and service IDs directly in the query parameters. For instance:

https://example.com/index.php/?provider=5&service=2

This makes it straightforward for unauthorized users to manually alter the IDs (provider=6, service=3, etc.) and enumerate all available providers and services. Such enumeration leads to information disclosure, which can compromise the security and privacy of businesses relying on EasyAppointments.


Proposed Solution

To mitigate this, I propose replacing sequential integer-based IDs with opaque IDs (e.g., UUIDs, hashed identifiers, or similar). This approach would obscure the actual provider and service identifiers, making enumeration significantly harder.

For example:
Instead of:

https://example.com/index.php/?provider=5&service=2

It could be:

https://example.com/index.php/?provider=ab1234-xyz789&service=cd5678-lmn123

Benefits

  1. Improved security by preventing easy enumeration of providers and services.
  2. Enhanced privacy for businesses and users.
  3. Maintains backward compatibility if implemented with a fallback mechanism.

Questions for the Maintainers

  1. Do you agree that this is a valid security concern worth addressing?
  2. Would you be open to implementing opaque IDs for provider and service parameters?
  3. If this aligns with your vision for the project, would you like me to contribute a solution via a pull request, or do you prefer to implement it internally?

Additional Notes

  • Possible approaches could include generating UUIDs or hashing existing database IDs (e.g., using HMAC with a secret key).
  • If backward compatibility is a concern, legacy sequential IDs can still be supported temporarily.

Thank you for maintaining this excellent project. I look forward to hearing your thoughts and would be happy to assist in implementing this feature if needed!

@alextselegidis
Copy link
Owner

Hello!

Good idea. Actually, I would even prefer to use some sort of slug to make the URLs look better.

Will keep this open for a future release.

Alex Tselegidis, Easy!Appointments Creator
Need a customization? Get a free quote!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants