Relay Authorization Bundle Laravel Package

Product Decisions This Supports

• Build vs. Buy: Accelerates development of fine-grained RBAC (Role-Based Access Control) for Symfony/Laravel-based API gateways, reducing custom implementation time by 60-80%.
• Roadmap Alignment: Enables rapid rollout of multi-tenant authorization or resource-specific permissions (e.g., "Edit Project X" vs. "View All Projects") without reinventing core logic.
• Use Cases:
  • API Gateways: Plugs into Relay API Server to enforce authorization at the route/method level.
  • Admin Panels: Centralizes user/group/grant management for complex permission hierarchies.
  • Compliance: AGPL-3.0 license may suit open-core strategies (consult legal for proprietary use).
• Tech Stack Fit: Ideal for teams already using Symfony/Laravel + PHP 8.1+ with a need for database-backed authorization (vs. in-memory or external services like Auth0).

When to Consider This Package

• Adopt if:
  • Your API gateway needs dynamic, granular permissions (e.g., row-level security, nested resource access).
  • You’re using Relay API Server or a Symfony/Laravel backend and want to avoid building RBAC from scratch.
  • Your team lacks authorization experts but requires production-grade permission logic.
  • You prioritize developer velocity over customization (e.g., for MVPs or internal tools).
• Look elsewhere if:
  • You need OAuth2/OpenID Connect (this is RBAC-focused; pair with League/OAuth2-Client).
  • Your permissions are static (e.g., simple role-based like "Admin/User").
  • You’re not using Symfony/Laravel (e.g., Node.js, Go, or monolithic PHP).
  • AGPL-3.0 conflicts with your licensing model (consider commercial alternatives like Spatie’s Laravel-Permission).
  • You require real-time sync (e.g., WebSockets for live permission updates; this is DB-centric).

How to Pitch It (Stakeholders)

For Executives: "This bundle lets us ship secure, scalable API authorization in weeks instead of months by leveraging open-source RBAC logic. It integrates with our existing Relay API gateway, reducing dev overhead while supporting complex permission rules—critical for [compliance/feature X]. The AGPL license aligns with our open-core strategy, but we’ll need to validate with legal. ROI: Faster time-to-market for [use case Y] with minimal ongoing maintenance."

For Engineering: *"DbpRelayAuthorizationBundle gives us a batteries-included RBAC system for Symfony/Laravel:

• Plug-and-play: Works with Relay API Server; adds user/group/grant management via DB.
• Flexible: Supports arbitrary resources (e.g., projects/{id}/edit) and nested permissions.
• Low risk: Well-documented, tested, and PHP 8.1+ compliant. Tradeoff: AGPL license (check compliance) and limited community (but active maintainers per changelog). Next steps: Spike integration with our [existing auth flow] and compare to [alternative Z] for [specific requirement]."*

For Developers: *"This saves us from writing:

• CRUD for user groups/grants.
• Permission validation logic for API routes.
• Database schemas for RBAC tables. How it works:

1. Install via Composer (dbp/relay-authorization-bundle).
2. Configure grants in config/packages/relay_authorization.yaml.
3. Use @RelayAuthorize annotations or services to enforce rules. Example:

#[RelayAuthorize('projects.edit', subject: 'project_id')]
public function update(Project $project) { ... }

Gotchas: AGPL license; no built-in audit logs (we’d need to extend)."*