Showing a steadily increasing sequence of integer IDs leaks information to customers, competitors, or malicious entities about the number and frequency of customers, orders, etc. Some URL examples include:

/customer/123
/order/308

This module implements routing variable converters in Flask and Jinja2 filters to obscure sequential integer IDs using the Obscure python module.

• Automatically obscures sequential integer IDs in the variable part of a URL when using :pyflask.url_for
• Provides five different converters and filters.
• Automatically converts obscured IDs back to your sequential integer IDs in the parameter of the function bound to the URL.
• Jinja filters automatically available.
• Use a 32-bit number to salt the transformation.

There are five converters and filters. They are num, hex, b32, b64, and tame. Assume you are using :pyflask.url_for to create the URLs for two sequential customer IDs. Let's take a look and the obscured numbers for 1-9 with a salt of 4049.

A symmetic feistel cipher which when used with a salt, or 32 bit number unique to you, transforms a sequential series of numbers into a seamingly sequence of random numbers. All of the following are just different presentations of this basic transformation.

Display the transformed number as an eight character hexadecimal number.

Display the transformed number in seven character base32 using upper-case letters and numbers.

Display the transformed number in six character base64 using upper-case, lower-case, and numbers.

This is a variation of b32 with a rotated, alternate alphabet. The vowels 'I', 'O', and 'U' are replaced with the number '8', '9', and '0' to avoid common offensive words. Otherwise, it performs just like base32.

Pip is our friend. It will also install the Obscure module as well. :

$ pip install flask_obscure

The Obscure class needs a salt or random number to make your obscured number sequence unique. Pick any 32-bit number or use the following snippet to generate one for you:

python -c "import uuid; print(hex(uuid.uuid1().int >> 96))"

Obscure uses the value OBSCURE_SALT in the flask configuration file if not given as the second parameter to either the constructor or Obscure.init_app.

Import the class Obscure and initialize the flask.Flask application by either using the constructor

from flask import Flask
from flask.ext.obscure import Obscure

app = Flask(app)
app.config['OBSCURE_SALT'] = 4049
obscure = Obscure(app)

or by using delayed initialization with Obscure.init_app

obscure = Obscure()
...
obscure.init_app(app, salt=4940)

When creating your routes with variables, you have five converters. The converter is similar to any of the other built-in coverters. It takes the obscured ID given in the variable portion of the URL and converts it to your sequential ID in the callable bound to the URL.

Here is an example using num as the converter in the url route.

# flask.request.url is '/customers/3303953358'
@app.route('/customers/<num:cust_id>', endpoint='get-cust')
def get(cust_id):
    # cust_id is the sequential ID of 1
    customer = get_customer_by_id(cust_it)

    url = flask.url_for('get-cust', cust_id=customer.customer_id)
    # when you create the URL, it is automatically obscured
    # /customers/3303953358

The URL is not the only place you can have leaking integer IDs. It can also happen in the data returned from your routing function. If you are using Jinja2 for templating, those same converters are available as filters.

<h1>Invoice #{{ invoice_number|tame }}</h1>

To obscure numbers within your code, use the methods of the flask_obscure.Obscure instance object, which in turn is inherited from the python module Obscure. Assuming we used one of the code blocks from configure

visible_customer_id = obscure.encode_tame(customer_id)