In Drupal, many a time we come across a situation where we want to hide certain URL part from end users.

To achieve this we often use Drupal modules like Pathauto to hide node IDs, taxonomy IDs from URL and replacing them with some patterns (eg. Titles).

The above scenario can not be achieved for Drupal commerce checkout flow(URLs) as the Drupal modules like PathAuto do not support this. To achieve this in Drupal 7 we often used one of the following ways mentioned below:

In Drupal 8, At the point of writing this blog Commerce checkout paths module is yet to be ported and URL bounding hooks have been replaced by a certain way which will help us to achieve e-commerce security by hiding sensitive information from URL.

Let’s demonstrate how to achieve e-commerce security in Drupal Commerce module by the following method: 

  • Create a custom module. In my case, I will be creating a module name Example.

  • Create a example.info.yml file.

  • Create a example.services.yml file. In this file, we will be creating tagged service with tags ‘path_processor_outbound’ and ‘path_processor_inbound’. This tags will help Drupal to call this service automatically which defines the purpose of tagged services. In our case, I have created below services.yml file. 

  • Create the service class ExamplePathProcessor as mentioned in service definition and this class file is located at /modules/custom/example/src/PathProcessor/ExamplePathProcessor.php.

    • This class will implements interfaces, ‘InboundPathProcessorInterface’ and ‘OutboundPathProcessorInterface’.

    • These interfaces are located at namespace 'Drupal\Core\PathProcessor\OutboundPathProcessorInterface’ and 'Drupal\Core\PathProcessor\InboundPathProcessorInterface’, so we must use this interfaces in our class file.

    • Our class file should look like below:

  • Please note that we have used other namespace like 'Drupal\Core\Render\BubbleableMetadata’ and 'Symfony\Component\HttpFoundation\Request’ which are required by our interface functions.

  • In the class definition the functions:

    • processOutbound is provided by OutboundPathProcessorInterface  interface and this function behaves exactly same as hook_url_outbound_alter of Drupal 7.

    • processInbound is provided by InboundPathProcessorInterface  interface and this function behaves exactly same as hook_url_inbound_alter of Drupal 7.

So, we are ready with our module and file structure. Now in Drupal commerce, there are various checkout steps where Order ID can be seen in the URLs. Our goal is to hide this Order ID from the end user. 

Let’s understand how the Order ID encryption/decryption process will work. 

Step - 1:  Let’s say user will come to the checkout page. This checkout page URL will be pass to Drupal.

Step - 2:  Drupal will find all the tagged services in it’s database and will come across our path processor service called example.path_processor_example.

Step - 3:  This service class will receive the path URL in the $path variable of the processOutbound function. This function will help us in encrypting/hiding our order id.

Screen Shot 2017-06-13 at 7.10.22 PM.png

Please note,

  • We can use any of the encryption algorithm/business rules to encrypt our order ID in the $path variable and return it as the function output.

  • Example, The URL '/checkout/123/order_information’  will become ‘/checkout/###/order_information’.

  • The ‘###’ is the encrypted hash.

Step - 4: As the URL '/checkout/123/order_information’  has become ‘/checkout/###/order_information’, the service will also execute it’s inbound function where we can decrypt/unhide the ‘###’ and find out it’s original value(Order ID).

Screen Shot 2017-06-13 at 7.09.51 PM.png

So, this is how we can use interfaces ‘OutboundPathProcessorInterface' & ‘InboundPathProcessorInterface’ along with their functions ‘processOutbound' & ‘processInbound’ to encrypt/decrypt the URL in checkout process of Drupal Commerce module.

Hope this helps you, Please feel free to reach out to me in the case of any queries and improvements.

 

comments powered by Disqus