Encrypting id fields of a model when serialized.


Dam Hyung Kim

Nov 27, 2014, 8:16:18 AM
to django-res...@googlegroups.com
Hi, I'm stuck in this situation.. so help me out please

I have a few models, and I don't want to show their own id and related model's id as a plain integer when they are serialized into JSON.
I made a module to encrypt and decrypt their id. But I can't find the right place to use it.


First of all, these are my models.

from django.db import models
from django.contrib.auth.models import User
from rest_framework import serializers

class Image(models.Model):
    id = models.AutoField(primary_key=True)
    owner = models.ForeignKey(User)
    # Album is defined below, so refer to it by name
    album = models.ForeignKey('Album', null=True)
    name = models.CharField(max_length=128, default='')

class Album(models.Model):
    id = models.AutoField(primary_key=True)
    owner = models.ForeignKey(User)
    name = models.CharField(max_length=128, default='')

class ImageSerializer(serializers.ModelSerializer):
    owner = serializers.Field(source='owner.id')
    album = serializers.Field(source='album.id')
    uploadDevice = serializers.Field(source='uploadDevice.id')

    class Meta:
        model = Image
        fields = ('id', 'owner', 'album', 'name')

class AlbumSerializer(serializers.ModelSerializer):
    owner = serializers.Field(source='owner.id')

    class Meta:
        model = Album
        fields = ('id', 'owner', 'name')

For example, if there's an Image model instance with values like this,

id = 12
owner = 425
album = 24
name = DSC2091.JPG

after serializing, the result will be something like this.

{
    id: '7VHXHIGMH4XWAKYMPSYYYENYA7NPZ7RGVY6GQJMG3BSIQXWZELNQ====',
    owner: 'J2M5BVZB2RCJQNXPN33G2LTMFSAXWPFVFHFTNQSHP56QO3OHFCNA====',
    album: 'HCMOMOEEA7YZEI5JJTTXN7LQHOEW3FCRQ7OB6ZMD7UEWISUG7PFA====',
    name: 'DSC2091.JPG'
}

It should work in the other way too.

So, I tried two ways to solve this situation.

First, transform_<field_name> with validate_<field_name>.
It serializes fine with the transform_<field_name> method. (Although I just saw a post below saying that this function might be dropped.)
But the problem happens when deserializing. In the example above, a type validation error is raised before my validate_<field_name> method.
It says that an int value was expected instead of a string value for the id, owner, and album members.

Second, using CustomFields
I made CustomFields like this.

class ImageIdField(serializers.WritableField):
    def to_native(self, value):
        return AESCipher.encrypt32(value, EncryptKey.Image)

    def from_native(self, value):
        id = AESCipher.decrypt32(value, EncryptKey.Image)
        return Image.objects.get(id=id)

And changing the serializers like this.

class ImageSerializer(serializers.ModelSerializer):
    id = ImageIdField(required=False)
    owner = UserIdField(required=False)
    album = AlbumIdField(required=False)
    uploadDevice = DeviceIdField(required=False)

    class Meta:
        model = Image

But the "is_valid()" method will give me "False" as a return value.
The "errors" property will give me an object with "django.utils.functional.__proxy__" objects in it.
When using the unicode function to solve these objects, "This field is required." will show up.



I'm sure many of you guys went through this security situation.
What's the best way to solve it?

Regards, 
Tom

Carlton Gibson

Nov 27, 2014, 8:27:05 AM
to django-res...@googlegroups.com
Hi 

On 27 Nov 2014, at 14:16, Dam Hyung Kim <eka...@gmail.com> wrote:

    def from_native(self, value):
        id = AESCipher.decrypt32(value, EncryptKey.Image)
        return Image.objects.get(id=id)

This seems like the right approach — Have a Field subclass do the conversion in `from_native`. 

I’d guess your decrypt call is returning a byte string. If so you’d need to convert it to an int in order to pass to the ORM.

Hopefully that helps. 

Regards,

Carlton
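
The conversion discussed in this reply, as an added example that is not part of the original thread: an opaque-id codec whose decode side returns an `int` and rejects malformed, altered, or wrong-model tokens with `ValueError`, which a field's `from_native` can turn into a validation error before any ORM lookup. `encode_id`, `decode_id` and the demo keys are hypothetical stand-ins for the poster's `AESCipher` and `EncryptKey` (whose code is not shown), built from standard-library HMAC-SHA256 instead of AES so the block runs as is.

```python
import base64
import hashlib
import hmac
import struct

# Constructed demo keys, one per model (stand-ins for EncryptKey.Image / .Album).
IMAGE_KEY = hashlib.sha256(b"constructed-demo-key/image").digest()
ALBUM_KEY = hashlib.sha256(b"constructed-demo-key/album").digest()
TAG_LEN = 16


def _prf(key, label, data):
    # HMAC-SHA256 under a label-derived subkey: separate MAC and keystream keys.
    subkey = hmac.new(key, label, hashlib.sha256).digest()
    return hmac.new(subkey, data, hashlib.sha256).digest()


def _xor(data, key, tag):
    # XOR 8 bytes with a keystream bound to the tag, which acts as the nonce.
    return bytes(a ^ b for a, b in zip(data, _prf(key, b"enc", tag)))


def encode_id(pk, key):
    """int primary key -> opaque base32 token (the to_native direction)."""
    raw = struct.pack(">Q", pk)  # fixed width, so token length leaks nothing
    tag = _prf(key, b"mac", raw)[:TAG_LEN]
    return base64.b32encode(tag + _xor(raw, key, tag)).decode("ascii")


def decode_id(token, key):
    """Opaque token -> int primary key (the from_native direction).

    Raises ValueError if the token is malformed, altered, or was issued
    under another model's key.
    """
    try:
        blob = base64.b32decode(token)
    except (TypeError, ValueError):  # wrong type, bad alphabet or padding
        raise ValueError("malformed token") from None
    if len(blob) != TAG_LEN + 8:
        raise ValueError("malformed token")
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    raw = _xor(body, key, tag)
    if not hmac.compare_digest(tag, _prf(key, b"mac", raw)[:TAG_LEN]):
        raise ValueError("invalid token")
    return struct.unpack(">Q", raw)[0]  # an int, ready for Image.objects.get(id=...)
```

Because each model has its own key, a token minted for an album id cannot be replayed as an image id.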

Dam Hyung Kim

Nov 30, 2014, 1:08:15 AM
to django-res...@googlegroups.com


On Thursday, November 27, 2014 at 10:27:05 PM UTC+9, Carlton Gibson wrote:
You were right.. the problem was type mismatch :( 
A huge mistake. 
Thank you very much!