Mask Eloquent Attributes on Retrieval

A Laravel package that automatically masks sensitive model attributes on retrieval. Supports email, phone, and text masking with highly configurable rules.

Features

• Automatic attribute masking on retrieval
• Email, phone, and text masking support
• Configurable mask character and visibility
• Global or per-attribute masking rules
• Auto-detection of phone fields by column name

Installation

composer require irabbi360/laravel-attribute-mask

Publish the config file:

php artisan vendor:publish --tag="attribute-mask-config"

Configuration

The default configuration (config/attribute-mask.php):

return [
    'enabled' => true,
    'mask_char' => '*',
    
    'email_masking' => [
        'show_domain' => true,
        'show_start' => 1,
        'show_end' => 1,
    ],
    
    'phone_masking' => [
        'show_start' => 3,
        'show_end' => 2,
        'patterns' => ['phone', 'phone_number', 'mobile', 'mobile_number', ...],
    ],
    
    'text_masking' => [
        'show_start' => 3,
        'show_end' => 3,
    ],
];

Usage

Define Maskable Attributes

Add the HasMaskedAttributes trait and define maskable attributes using the maskables() method:

use Irabbi360\LaravelAttributeMask\Concern\HasMaskedAttributes;
use Illuminate\Database\Eloquent\Model;

class User extends Model
{
    use HasMaskedAttributes;
    
    /**
     * Get the attributes that should be masked.
     */
    protected function maskables(): array
    {
        return ['email', 'phone', 'phone_number', 'ssn'];
    }
}

Alternatively, use the $maskable property:

class User extends Model
{
    use HasMaskedAttributes;
    
    protected array $maskable = ['email', 'phone', 'ssn'];
}

Masking Behavior

Attributes are automatically masked on retrieval:

$user = User::find(1);

$user->email;       // t**t@example.com
$user->phone;       // 123****90
$user->ssn;         // 123***789

Retrieving Original Values

Get the unmasked value using getOriginal():

$user->getOriginal('email');  // test@example.com

Or temporarily disable masking:

config(['attribute-mask.enabled' => false]);
$original = $user->email;
config(['attribute-mask.enabled' => true]);

Email Masking

Configure email masking behavior:

'email_masking' => [
    'show_domain' => true,      // Show domain part
    'show_start' => 2,          // Show first 2 characters
    'show_end' => 2,            // Show last 2 characters
],

Examples:

• test@example.com → te**t@example.com
• john.doe@example.com → jo**oe@example.com

Phone Masking

Phone fields are auto-detected by column name. Configure visibility:

'phone_masking' => [
    'show_start' => 3,
    'show_end' => 2,
],

Examples:

• 1234567890 → 123****90
• +1-555-123-4567 → +15-***-67

Add custom phone patterns:

'phone_masking' => [
    'patterns' => ['phone', 'mobile', 'whatsapp', 'fax'],
],

Text Masking

For other text attributes:

'text_masking' => [
    'show_start' => 3,
    'show_end' => 3,
],

Examples:

• secretpassword → sec********rd
• API_KEY_12345 → API***345

Custom Mask Character

Change the mask character globally:

'mask_char' => '#',

// Result: test@example.com → t##t@example.com

Disable Masking

Disable globally:

'enabled' => false,

Or temporarily:

config(['attribute-mask.enabled' => false]);
$user->email;  // Returns unmasked value

Testing

composer test

Changelog

See CHANGELOG.md for details on updates.

Contributing

See CONTRIBUTING.md for contribution guidelines.

Security

Report security vulnerabilities via Security Policy.

Credits

• Fazle Rabbi
• All Contributors

License

The MIT License. See LICENSE.md for details.