Auth Common Bundle Laravel Package

Product Decisions This Supports

• Legacy System Modernization: If maintaining or extending an older Symfony2-based OAuth/API authentication system (e.g., DaOAuth* or DaApi* bundles), this package provides a low-risk way to consolidate shared authentication logic without rewriting from scratch.
• Cost-Effective Technical Debt Mitigation: For teams with limited resources, leveraging this bundle avoids reinventing authentication utilities (e.g., token handling, request validation) while adhering to MIT licensing.
• Roadmap for Deprecation: If the dependent bundles (DaOAuth*, DaApi*) are being phased out, this package could serve as a temporary bridge to migrate to modern alternatives (e.g., Symfony’s built-in security components or OAuth2 libraries like league/oauth2-server).
• Build vs. Buy: A "buy" decision for internal teams needing shared auth utilities but lacking the bandwidth to build/maintain them. Not a "buy" for new projects (see When to Consider This Package).

When to Consider This Package

• Adopt if:

  • You’re maintaining Symfony2 (not Symfony 3+) and rely on DaOAuth*/DaApi* bundles.
  • Your team needs quick, minimal shared auth utilities (e.g., token parsing, request signing) without long-term commitment.
  • You’re in a low-risk environment (e.g., internal tools, legacy systems) where technical debt is acceptable short-term.

• Avoid if:

  • You’re building a new project (Symfony 5/6+ or non-Symfony). Modern alternatives (e.g., Symfony’s SecurityBundle, lexik/jwt-authentication-bundle) are better supported.
  • You need active maintenance (last release: 2014). Use only if willing to fork/extend.
  • Your stack uses PHP 7.4+ or requires OAuth2/OpenID Connect compliance (this bundle is pre-2015 standards).
  • You prioritize security audits (abandoned projects may have unpatched vulnerabilities).

How to Pitch It (Stakeholders)

For Executives: "This bundle lets us reuse existing authentication logic for our legacy Symfony2 OAuth/API services without rewriting from scratch. It’s a low-cost way to maintain functionality while we plan a longer-term migration. The MIT license avoids legal risks, and the minimal setup (2 steps) reduces dev overhead. Tradeoff: We’ll need to monitor for security updates ourselves, but the risk is mitigated by its isolated scope."

For Engineering: *"Pros:

• Fast integration: 2-step setup for shared auth utilities (e.g., token validation).
• Symfony2 compatibility: Works with our existing DaOAuth*/DaApi* bundles.
• No vendor lock-in: MIT license allows forks/modifications.

*Cons:

• Abandoned: Last release in 2014—assume no future updates. Plan to replace with modern libraries (e.g., symfony/security) post-migration.
• Limited features: Only covers basic auth commons; extend or replace for advanced needs.
• Security: Self-audit for vulnerabilities (e.g., CVE checks).

Recommendation: Use as a temporary stopgap for legacy systems. Pair with a roadmap to decommission by [date] and adopt [modern alternative]."*

For Developers: *"If you’re stuck maintaining DaOAuth*/DaApi*, this bundle saves you from duplicating token/validation logic. Example use case:

// Hypothetical: Reusing a shared token parser
$token = $this->get('da_auth_common.token_parser')->parse($request->headers);

But:

• Fork it if you need changes (no upstream support).
• Log issues if you find bugs—treat as a private repo.
• Document dependencies clearly for future maintainers."*