Weave Code
Code Weaver
Helps Laravel developers discover, compare, and choose open-source packages. See popularity, security, maintainers, and scores at a glance to make better decisions.
Feedback
Share your thoughts, report bugs, or suggest improvements.
Subject
Message

Api Platform Toolkit Bundle Laravel Package

cyberspectrum/api-platform-toolkit-bundle

Symfony bundle adding API Platform toolkit features: enable custom ExpressionLanguage providers via tagged services, and optional LexikJWT helpers including Swagger/OpenAPI login endpoint docs and configurable default token TTL and login URL.

View on GitHub
Deep Wiki
Context7

Technical Evaluation

Architecture Fit

  • Modularity: The bundle aligns well with API Platform’s extensibility model, offering tagged-service-based integration for custom expression language providers and JWT handling. This avoids monolithic modifications, adhering to SOLID principles (Open/Closed).
  • Core Alignment: Leverages Symfony ExpressionLanguage and LexikJWTBundle, ensuring compatibility with API Platform’s built-in security and serialization layers.
  • Use Case Fit:
    • Custom Business Logic: Ideal for adding domain-specific expression functions (e.g., role-based access, dynamic field filtering).
    • JWT Customization: Provides granular control over token TTL and Swagger documentation, reducing boilerplate for auth endpoints.

Integration Feasibility

  • Low Friction: Composer-based installation with minimal config (api_platform_toolkit YAML) simplifies adoption.
  • Dependency Risks:
    • LexikJWTBundle: Requires existing JWT setup (or willingness to adopt it). Conflicts possible if using alternative auth (e.g., OAuth2).
    • ExpressionLanguage: Assumes familiarity with Symfony’s expression system; custom providers may need debugging for edge cases (e.g., circular references).
  • API Platform Versioning: No explicit version constraints in README; risk of breaking changes if core API Platform evolves (e.g., expression language API shifts).

Technical Risk

Risk Area Severity Mitigation Strategy
JWT Configuration Medium Test TTL overrides with default_ttl; validate against LexikJWTBundle docs.
Expression Safety High Audit custom providers for injection attacks (e.g., $user->roles$user->getRoles()).
Bundle Maturity Medium Implement feature flags for new functionality (e.g., TTL min/max) to isolate issues.
Documentation Gaps High Create internal runbooks for:
  • Debugging expression provider failures.
  • JWT token revocation workflows (not covered in README). |

Key Questions

  1. Auth Strategy:
    • Is JWT the primary auth mechanism, or is this bundle being adopted alongside other providers (e.g., OAuth2)?
    • How will token revocation be handled (not addressed in the bundle)?
  2. Expression Language:
    • Are there existing custom expressions in the codebase that could conflict or need migration?
    • What’s the performance impact of adding multiple expression providers?
  3. Testing:
    • Does the team have end-to-end tests for JWT flows and expression evaluations?
    • Are there security audits planned for custom expression logic?
  4. Roadmap:
    • Will the bundle’s TODO items (e.g., TTL min/max) block critical features? If so, prioritize forking or contributing upstream.
  5. Monitoring:
    • How will failed JWT logins or malformed expressions be logged/alerted?

Integration Approach

Stack Fit

  • PHP/Laravel Compatibility:
    • API Platform: Native fit (Symfony-based).
    • Laravel: Partial fit—requires API Platform bridge (e.g., api-platform-laravel). JWT/LexikJWTBundle may need Laravel-specific tweaks (e.g., kernel boot order).
    • Alternatives: If not using API Platform, this bundle offers no direct value; consider Symfony ExpressionLanguage or LexikJWTBundle standalone.
  • Tooling:
    • Docker: Test in multi-container environments to validate JWT token persistence (e.g., Redis for TTL storage).
    • CI/CD: Add security scanning for expression providers (e.g., phpstan for type safety).

Migration Path

  1. Assessment Phase:
    • Audit existing auth (JWT/OAuth2) and expression logic (e.g., @security("is_granted('ROLE_ADMIN')")).
    • Identify gaps (e.g., missing TTL validation) to justify bundle adoption.
  2. Pilot Integration:
    • Start with non-critical endpoints (e.g., /api/health).
    • Enable enable_expression_language: true and test one custom provider in isolation.
  3. JWT Rollout:
    • Configure lexik_jwt in config/packages/security.yaml before enabling the bundle.
    • Gradually replace hardcoded TTLs with default_ttl from the bundle.
  4. Expression Migration:
    • Replace inline security checks (e.g., @security("...")) with tagged providers for maintainability.
    • Example:
      # Before (inline)
      App\Entity\Product:
        attributes:
          security: "is_granted('ROLE_STAFF') and object.getStock() > 0"
      
      # After (custom provider)
      App\ExpressionLanguage\StockExpressionProvider:
        tags: [csap_toolkit.security.expression_language]
      
  5. Deprecation:
    • Phase out legacy auth logic post-migration (e.g., old OAuth2 endpoints).

Compatibility

Component Compatibility Notes
API Platform Tested with core but may lag behind minor versions (e.g., 3.1 vs. 3.2).
LexikJWTBundle Requires v2.16+ (check composer.json).
Symfony Expression Assumes Symfony 5.4+ (for newer expression language features).
Laravel No native support; requires API Platform Laravel adapter + manual config.
Redis/Memcached JWT TTL relies on token storage backend; validate config for your setup.

Sequencing

  1. Pre-requisites:
    • Install lexik/jwt-auth-bundle (if not present).
    • Configure Symfony’s security.yaml for JWT.
  2. Bundle Installation:
    • composer require cyberspectrum/api-platform-toolkit-bundle.
  3. Core Config:
    • Add api_platform_toolkit to config/packages/api_platform_toolkit.yaml.
  4. Expression Providers:
    • Implement one provider (e.g., StockExpressionProvider).
    • Tag it with csap_toolkit.security.expression_language.
  5. JWT Tweaks:
    • Set default_ttl and test token expiration.
    • Enable Swagger docs (add_documentation: true).
  6. Validation:
    • Run load tests on JWT endpoints.
    • Audit all expressions for safety.

Operational Impact

Maintenance

  • Pros:
    • Reduced Boilerplate: Centralized JWT and expression logic.
    • Consistent Security: Tagged providers enforce single-source-of-truth for access rules.
  • Cons:
    • Vendor Lock-in: Bundle is unmaintained (0 stars, no dependents). Forking may be needed for critical fixes.
    • Debugging Complexity: Custom expression errors may require deep stack traces (e.g., ExpressionLanguage internals).
  • Tasks:
    • Monthly: Scan for new API Platform/LexikJWTBundle versions requiring updates.
    • Quarterly: Review custom providers for deprecated Symfony features.

Support

  • Internal:
    • Onboarding: Document expression provider patterns (e.g., input validation, error handling).
    • Runbooks:
      • "JWT Token Not Refreshing" → Check Redis connection, TTL config.
      • "Expression Evaluation Fails" → Enable ExpressionLanguage debug mode.
  • External:
    • No Community Support: Prepare for self-service troubleshooting (e.g., GitHub issues may go unanswered).
    • Fallback Plan: Maintain legacy auth/expression logic as backup.

Scaling

  • Performance:
    • Expression Providers: Each provider adds minor overhead to request processing. Benchmark with 10+ providers.
    • JWT: Token generation/validation scales with LexikJWTBundle’s Redis backend. Monitor memory usage under load.
  • Horizontal Scaling:
    • Stateless: JWT tokens are stateless; no session affinity needed.
    • Caching: Cache frequently used expressions (e.g., @is_authenticated()) if performance is critical.
  • Database:
    • No Direct Impact: Bundle doesn’t modify DB schema, but JWT blacklists (if used) require storage.

Failure Modes

Failure Scenario Impact Mitigation
Weaver

How can I help you explore Laravel packages today?

Conversation history is not saved when not logged in.
Prompt
Add packages to context
No packages found.
bugban/symfony
beyonder-capi/workflow-extensions-bundle
beyonder-capi/job-queue-bundle
capell-app/block-library
axium/identity
cetria/laravel-dummy-models
cetria/reflection-helper
agropredict/sso-auth-bundle
evolvestudio/spam-protection
datacore/hub-sdk
develia/commons
cuci/prototurk-sdk
cuci/prototurk-sdk-symfony
develia/geo-bundle
dreamzy/livewire-charts
touchestate-sdk/php-sdk
22h/doctrine-garbage-collection-bundle
agtp/agtp-php
agtp/mod-php
splash/sonata-admin