Job Encryption in Laravel

Updated: Feb 19, 2021 (1 min read) #queues

Consider this job:

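use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Foundation\Bus\Dispatchable;
use Illuminate\Queue\InteractsWithQueue;

class VerifyUser implements ShouldQueue
{
    use Dispatchable, InteractsWithQueue, Queueable;

    // Both constructor arguments become properties, so they are serialized with the job.
    private $user;
    private $socialSecurityNumber;

    public function __construct($user, $socialSecurityNumber)
    {
        $this->user = $user;
        $this->socialSecurityNumber = $socialSecurityNumber;
    }
}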

When you dispatch this job, Laravel serializes it so that it can be persisted in the queue store. Let's take a look at what the final form looks like in the store:

VerifyUser::dispatch($user, '45678AB90');

{
   "uuid":"765434b3-8251-469f-8d9b-199c89407346",
   // ...
   "data":{
      "commandName":"App\\Jobs\\VerifyUser",
      "command":"O:16:\"App\\Jobs\\VerifyUser\":12:{s:22:\"\u0000App\\Jobs\\VerifyUser\u0000user\";N;s:38:\"\u0000App\\Jobs\\VerifyUser\u0000socialSecurityNumber\";s:9:\"45678AB90\";s:3:\"job\";N;s:10:\"connection\";N;s:5:\"queue\";N;s:15:\"chainConnection\";N;s:10:\"chainQueue\";N;s:19:\"chainCatchCallbacks\";N;s:5:\"delay\";N;s:11:\"afterCommit\";N;s:10:\"middleware\";a:0:{}s:7:\"chained\";a:0:{}}"
   }
}

Looking at the payload, you can see that the value of socialSecurityNumber is visible to the human eye. Any person—or program—that gains access to the queue store will be able to extract this value.

For most jobs this isn't a problem. But if the job stores critical information in the payload, it's better to encrypt it so that only our queue workers can read it while processing the job. To do that, we'll need to implement the ShouldBeEncrypted interface:

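use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldBeEncrypted;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Foundation\Bus\Dispatchable;
use Illuminate\Queue\InteractsWithQueue;

// ShouldBeEncrypted is a marker interface: it adds no methods to implement.
class VerifyUser implements ShouldQueue, ShouldBeEncrypted
{
    use Dispatchable, InteractsWithQueue, Queueable;

    private $user;
    private $socialSecurityNumber;

    public function __construct($user, $socialSecurityNumber)
    {
        $this->user = $user;
        $this->socialSecurityNumber = $socialSecurityNumber;
    }
}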

This interface was introduced in Laravel v8.19.0 (released on December 15, 2020).

Now the payload will look like this:

{
   "uuid":"765434b3-8251-469f-8d9b-199c89407346",
   // ...
   "data":{
      "commandName":"App\\Jobs\\VerifyUser",
      "command":"eyJpdiI6IjIyNWFQOXVNWn...OTJlYjBhYTFmZmQ4MjU1MDZiMDVhMjk0OTYwMTY3ZTgyYjEifQ=="
   }
}

A person or program that only has access to the queue store will not be able to decrypt the job payload.

You can use the ShouldBeEncrypted interface with queued jobs, mailables, notifications, and event listeners.
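To find queued items that still sit in the store unencrypted, you can classify each raw payload by the shape of its "command" field. The script below is an added example, not code from Laravel or from this post; it assumes an encrypted command is a base64-encoded JSON envelope with "iv", "value" and "mac" keys, and SampleJob, classifyCommand(), exposedStrings() and both sample payloads are made up for the demonstration.

```php
<?php
// Added example: audit raw queue payloads for job state stored in plain text.
// Assumption: an encrypted "command" is base64(JSON) with "iv", "value" and "mac"
// keys; a command starting with O:<n>:" is raw PHP serialize() output.
// The payload is only inspected as text. unserialize() is never called on it.

function classifyCommand(string $rawPayload): array
{
    $data = json_decode($rawPayload, true)['data'] ?? [];
    $job = $data['commandName'] ?? '(unknown)';
    $command = is_string($data['command'] ?? null) ? $data['command'] : '';
    // Strict base64 decoding fails on serialize() output, leaving $envelope null.
    $envelope = json_decode((string) base64_decode($command, true), true);
    if (is_array($envelope) && isset($envelope['iv'], $envelope['value'], $envelope['mac'])) {
        return ['job' => $job, 'state' => 'encrypted', 'strings' => []];
    }
    if (preg_match('/^O:\d+:"/', $command) === 1) {
        return ['job' => $job, 'state' => 'plaintext', 'strings' => exposedStrings($command)];
    }
    return ['job' => $job, 'state' => 'unknown', 'strings' => []];
}

// Walk the length-prefixed s:<len>:"..." tokens; these are readable by anyone
// who can read the queue store.
function exposedStrings(string $serialized): array
{
    $found = [];
    $offset = 0;
    while (preg_match('/s:(\d+):"/', $serialized, $m, PREG_OFFSET_CAPTURE, $offset) === 1) {
        $start = $m[0][1] + strlen($m[0][0]);
        $length = (int) $m[1][0];
        // Drop the "\0Class\0" / "\0*\0" visibility prefix PHP puts on property names.
        $found[] = preg_replace('/^\x00[^\x00]+\x00/', '', substr($serialized, $start, $length));
        $offset = $start + $length; // jump past the string body so its content is not re-scanned
    }
    return $found;
}

// Constructed samples: SampleJob and both payloads are invented for this example.
final class SampleJob { private $socialSecurityNumber = '45678AB90'; }

$plain = json_encode(['data' => ['commandName' => 'SampleJob', 'command' => serialize(new SampleJob())]]);
$fakeEnvelope = base64_encode(json_encode(['iv' => base64_encode(str_repeat('A', 16)),
    'value' => base64_encode(str_repeat('B', 48)), 'mac' => str_repeat('c', 64)]));
$encrypted = json_encode(['data' => ['commandName' => 'SampleJob', 'command' => $fakeEnvelope]]);

foreach ([$plain, $encrypted] as $raw) {
    $result = classifyCommand($raw);
    printf("%s: %s %s\n", $result['job'], $result['state'], json_encode($result['strings']));
}
```

Run against payloads exported from your own queue store, any item reported as plaintext is a candidate for ShouldBeEncrypted.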

If you want to learn more about Laravel's queue system, make sure to check Laravel Queues in Action! I've put everything I know about the queue system in an eBook format along with several real-life use cases. Check it out for a crash course, a cookbook, a guide, and a reference.


By Mohamed Said

Hello! I'm a full-stack web developer working at Laravel. In this publication, I share everything I know about Laravel's core, packages, and tools.
