Last year, we introduced a simple but surprisingly useful feature to Laravel Forge: the ability to add notes to servers.
While checking the uptake of this feature, we noticed that customers were often storing sensitive data in the field. We hadn’t designed notes to store sensitive information, so we found ourselves in a situation where we now needed to encrypt existing unencrypted data, while also allowing for new data to be inserted as encrypted data - at the same time, the dashboard needed to be able to show the notes correctly whether they had been encrypted or not.
Our migration process looked like this:
- Run a command that encrypts all existing unencrypted server notes.
- Update our model to cast the
notes
field, encrypting or decrypting as required.
To do this, we leaned on Laravel’s custom casts feature to handle this “sometimes encrypted” data. We created a new cast SometimesEncrypted
that allowed us to gracefully decrypt the encrypted notes, or simply return the plaintext version which may have been available during the migration:
<?php
namespace App\Casts;
use Illuminate\Contracts\Database\Eloquent\CastsAttributes;
use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Support\Facades\Crypt;
class SometimesEncrypted implements CastsAttributes
{
/**
* Cast the given value.
*
* @param array<string, mixed> $attributes
*/
public function get(Model $model, string $key, mixed $value, array $attributes): mixed
{
if ($value === null || $value === '') {
return $value;
}
try {
return Crypt::decryptString($value);
} catch (DecryptException $e) {
return $value;
}
}
/**
* Prepare the given value for storage.
*
* @param array<string, mixed> $attributes
*/
public function set(Model $model, string $key, mixed $value, array $attributes): mixed
{
return ($value === null || $value === '') ? null : Crypt::encryptString($value);
}
}
Using this cast meant that we could also ship this change in two parts:
- Cast the notes field, encrypting newly saved server notes as we go.
- Migrate the plaintext server notes, by storing them back into the model, and allowing the
SometimesEncrypted
cast to do its job.
Laravel's custom casts allowed us to implement a seamless transition for our users, encrypting sensitive data without disrupting the user experience or existing functionality. What interesting ways have you found to use Laravel's custom casts?