Acuity Secure Link is the first beta of a generic secure-link engine for: create a link, deliver the URL, and the recipient, no account
required, gets exactly the access the link grants, until it expires, is revoked, or reaches its open limit.
The module does nothing user-facing by itself. Consumer modules register link types via a hook and provide the page shown when a valid token resolves. The companion Acuity Secure Message module is the first consumer; site-specific consumers (e.g. document-portal share links) plug into the same engine.
Highlights
- Tokens are never stored - each link is a 256-bit random token (43-char base64url); only its SHA-256 hash is stored, so a database dump cannot mint or reconstruct working links.
- Uniform 404s - unknown, expired, revoked, spent, and open-limit-reached tokens are indistinguishable; nothing reveals whether a link ever existed.
- Flood control - the public
s/{token}endpoint applies per-IP limits before any database lookup; repeated bad tokens lock the requester out. Thresholds are configurable. - Optional zero-knowledge payloads - a link's payload can be encrypted with a key derived from the token itself (HKDF); because the token isn't stored, the server cannot decrypt it at rest.
- Consumer plugin architecture - register link types with
hook_acuity_secure_link_type_info(); clean up per-link artifacts with
hook_acuity_secure_link_delete(), invoked on manual delete and cron purge. - Expiry, open limits, revocation - arbitrary expiry timestamps, an optional maximum number of opens, and idempotent revocation with the audit row kept.
- Opens counted, not consumed - each link visit counts once; follow-on actions don't add to the count. Burn-on-read consumers can mark a link spent (stops resolving, audit row retained as Used).
- Admin listing - every link with label, type, payload summary, dates, open count, status, and Revoke / Delete at Configuration → Acuity Utils → Secure Links.
- Leak-resistant by default - resolution responses send
Referrer-Policy: no-referrerandX-Robots-Tag: noindex, nofollow, and are
excluded from the anonymous page cache. - Automatic hygiene - cron purges links expired or revoked beyond a configurable grace period, invoking consumer cleanup for each.
- Full audit trail - watchdog entries for create, resolve (success/fail), revoke, delete, and purge.
Requirements
- Backdrop CMS 1.x
- PHP 8.0+
- Companion module: Acuity Encrypt (AES-256-GCM primitive for token-derived payload encryption)
- A consumer module that registers at least one link type (e.g. Acuity Secure Message)
Notes for this beta
- The token engine, resolution endpoint, admin listing, and cron purge are functional and verified by CLI test harnesses and live HTTPS checks (uniform 404s, flood lockout and recovery, security headers, burn-on-read cleanup).
- After installation, clear caches to register the resolution route and admin menu items.
- Being an engine, it has no standalone UI - install a consumer module to do anything visible.