Secure ID Serialization¶
By default, Graphinate uses a fast and simple ID serialization mechanism based on Python's repr() and base64 decoded
via ast.literal_eval(). To secure public-facing APIs against ID tampering and potential literal_eval DoS vectors,
Graphinate supports Signed ID Serialization using HMAC-SHA256.
1. Native Configuration (Preferred)¶
Graphinate has built-in support for HMAC-SHA256 ID signatures. You do not need to write any custom wrapping code. Simply
set the GRAPHINATE_SECRET_KEY environment variable in your production environment:
Once set, all node and edge IDs will automatically be signed during encoding and cryptographically verified during
decoding. If a client attempts to supply a modified or unsigned ID, a ValueError is raised, preventing the untrusted
payload from reaching ast.literal_eval().
2. Custom Customization (Monkey-Patching)¶
If you require a completely custom ID format, serialization method, or alternative encryption algorithms, you can monkey-patch the encoding/decoding converters.
How it Works¶
- Serialization: The object is converted to a string using
repr(). - Signing: An HMAC-SHA256 hash is calculated for that string using your secret key.
- Packing: The signature (32 bytes) is prepended to the payload.
- Encoding: The combined packet is Base64 encoded to make it URL-safe.
Verification¶
When decoding:
- The Base64 string is decoded back to bytes.
- The signature is extracted.
- The signature is re-calculated based on the payload.
- If the calculated signature matches the extracted one, the payload is trusted and passed to
ast.literal_eval().
Performance Impact¶
- Size: Adds ~44 characters to the ID string.
- CPU: Negligible overhead for HMAC calculation.