
Laravel Spy Laravel Package

farayaz/laravel-spy

Zero-config Laravel package to spy on outgoing HTTP calls. Automatically logs Laravel Http facade and Guzzle requests with URL, method, headers, payload, response/status, and duration. Includes configurable logging and obfuscation for sensitive data.


Technical Evaluation

Architecture Fit

  • Pros:

    • Observability Alignment: Directly addresses debugging, security, and performance use cases by providing granular HTTP request/response visibility without custom instrumentation.
    • Middleware-Based Design: Leverages Laravel’s service container and HTTP client middleware, ensuring minimal code changes for adoption. Auto-discovery reduces setup friction.
    • Configurable Granularity: Supports URL exclusion, field obfuscation, and log retention, making it adaptable to compliance and performance needs.
    • Database-Backed: Structured storage in http_logs enables querying (e.g., "Find all failed Stripe API calls last week") and integration with Laravel’s query builder.
    • Extensibility: Hooks for custom logging drivers (via events) and dashboard integration allow for future enhancements (e.g., real-time monitoring).
    • Lightweight: Minimal runtime overhead (~500 LOC) and no blocking operations by default, suitable for most Laravel applications.
  • Cons:

    • Laravel Dependency: Tight coupling to Laravel’s HTTP facade and Guzzle limits use in non-Laravel PHP environments or mixed-stack applications.
    • Storage Overhead: Requires a database table (http_logs), adding schema management and potential storage costs for high-volume applications.
    • Guzzle-Specific: Auto-mode relies on container-bound Guzzle clients; manual mode required for standalone Guzzle instances, which may not be intuitive for all teams.
    • No Native Async Logging: Synchronous storage could become a bottleneck for high-throughput APIs (mitigated by SPY_FIELD_MAX_LENGTH but not ideal for large payloads).
    • Limited Analytics: Focuses on logging rather than real-time monitoring or alerting, requiring integration with other tools (e.g., Laravel Horizon) for proactive use cases.

Integration Feasibility

  • Stack Fit:

    • HTTP Clients: Seamlessly integrates with Laravel’s Http:: facade and Guzzle, covering 90%+ of HTTP use cases in Laravel applications. Works alongside existing middleware (e.g., retry, timeout).
    • Logging Systems: Logs can be extended to support Monolog handlers or custom storage (e.g., Elasticsearch) via event listeners, though this requires additional development.
    • Testing: Compatible with Laravel’s testing tools (Pest/PHPUnit); logs can be asserted or mocked for test validation.
    • CI/CD: Low-risk addition to existing pipelines; no breaking changes expected during installation.
  • Migration Path:

    1. Pilot Phase:
      • Install in a staging environment with SPY_ENABLED=false to verify compatibility.
      • Enable for a single high-impact integration (e.g., payment processing) to validate log quality and performance.
      • Test obfuscation rules with sensitive data (e.g., API keys, tokens).
    2. Gradual Rollout:
      • Use SPY_EXCLUDE_URLS to exclude non-essential endpoints so that logging stays focused on critical APIs.
      • Monitor database growth and adjust SPY_CLEAN_DAYS (default: 7 days).
      • Implement manual Guzzle mode for legacy codebases or non-containerized clients.
    3. Production:
      • Schedule spy:clean via Laravel’s task scheduler (app/Console/Kernel.php).
      • Integrate with existing monitoring (e.g., Laravel Telescope or Datadog) to alert on anomalies (e.g., high latency, failed requests).
      • Document obfuscation rules and log retention policies for compliance.
  • Compatibility:

    • Laravel Versions: Officially supports 10.x–13.x; test for edge cases in minor versions (e.g., Guzzle 7.x vs. 6.x dependencies).
    • PHP Extensions: No additional extensions required beyond Laravel’s defaults (e.g., pdo, mbstring).
    • Third-Party Conflicts: Potential middleware collisions with other Guzzle plugins (e.g., retry libraries). Resolve via Http::macro() or explicit middleware ordering.
    • Legacy Code: Manual mode required for non-containerized Guzzle clients (e.g., in older services or custom libraries). Document this requirement for the team.

Technical Risk

  • Data Privacy and Compliance:

    • Risk: Logs may inadvertently store sensitive data (e.g., API keys, PII) if obfuscation rules are misconfigured or incomplete.
    • Mitigation:
      • Start with conservative obfuscation patterns (e.g., *:password,token,secret,key,api_*).
      • Audit logs regularly using the dashboard (SPY_DASHBOARD_ENABLED) or custom queries.
      • Restrict dashboard access via middleware (e.g., SPY_DASHBOARD_MIDDLEWARE = ['auth:admin']).
      • For regulated industries, consider masking all fields by default and whitelisting only non-sensitive data.
    • Compliance: Ensure alignment with GDPR, HIPAA, or PCI-DSS if handling regulated data. Logs may need to be treated as sensitive data under these frameworks.
  • Performance Impact:

    • Risk: High-volume APIs (e.g., >1,000 RPS) may experience latency due to synchronous logging of request/response bodies.
    • Mitigation:
      • Benchmark with realistic load tests (e.g., artisan spy:load-test or custom scripts).
      • For high-throughput applications, offload logging to a queue (e.g., dispatch a LogHttpRequest job) by extending the package’s event system.
      • Exclude non-critical endpoints using SPY_EXCLUDE_URLS (e.g., static asset APIs).
      • Monitor response times via Laravel Telescope or APM tools (e.g., Blackfire).
  • Operational Overhead:

    • Risk: Database bloat from unmanaged logs, especially in high-traffic applications.
    • Mitigation:
      • Set SPY_CLEAN_DAYS=7 initially and adjust based on retention needs (e.g., 30 days for compliance).
      • Monitor http_logs table size via Laravel Telescope or custom health checks.
      • For large-scale applications, consider partitioning the table or archiving old logs to cold storage (e.g., S3).
    • Storage Costs: Estimate storage requirements based on log volume (e.g., 100 requests/minute × 30 days × ~1KB/request = ~46GB/year).
  • Debugging Complexity:

    • Risk: Logs may become noisy or hard to parse if not filtered properly (e.g., nested JSON payloads truncated by SPY_FIELD_MAX_LENGTH).
    • Mitigation:
      • Use SPY_FIELD_MAX_LENGTH judiciously (default: 255) to balance detail and storage.
      • Implement custom log formatting via the LoggedRequest model’s accessors.
      • Integrate with Laravel Telescope for a more user-friendly interface to query logs.
    • False Positives: Exclude health checks or internal APIs (e.g., /up) from logging to reduce noise.
  • Maintenance and Updates:

    • Risk: Package updates may introduce breaking changes, especially as Laravel evolves.
    • Mitigation:
      • Pin the package version in composer.json during initial adoption (e.g., ^1.5.0).
      • Test updates in staging before deploying to production.
      • Monitor the GitHub repository for deprecations or major version releases.
    • Vendor Lock-in: Limited risk, as the package is lightweight and follows Laravel conventions. However, custom extensions (e.g., queue-based logging) may reduce portability.
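
The data-privacy mitigation above offers two strategies: start from key patterns, or mask all fields by default and allow only known non-sensitive ones. The PHP below is an added example comparing them, not laravel-spy's own code: the function names, the allowlist and the sample record are constructed, and the denylist reuses the key patterns quoted above.

```php
<?php
// Added example, not laravel-spy code. Function names and the sample record are constructed.
const MASK = '***';

// Denylist: mask a key only when it matches one of the wildcard patterns.
function maskDenylist(array $data, array $patterns): array {
    foreach ($data as $key => $value) {
        $hits = array_filter($patterns, fn ($p) => fnmatch($p, strtolower((string) $key)));
        if ($hits) {
            $data[$key] = MASK;
        } elseif (is_array($value)) {
            $data[$key] = maskDenylist($value, $patterns);
        }
    }
    return $data;
}

// Allowlist: mask every leaf unless its key is explicitly allowed.
function maskAllowlist(array $data, array $allowed, string $parent = ''): array {
    foreach ($data as $key => $value) {
        $name = is_int($key) ? $parent : strtolower($key); // list items inherit the parent key
        if (is_array($value)) {
            $data[$key] = maskAllowlist($value, $allowed, $name);
        } elseif (!in_array($name, $allowed, true)) {
            $data[$key] = MASK;
        }
    }
    return $data;
}

// Dotted paths of leaves still stored in clear text after masking.
function clearPaths(array $data, string $prefix = ''): array {
    $paths = [];
    foreach ($data as $key => $value) {
        $path = $prefix === '' ? (string) $key : "$prefix.$key";
        if (is_array($value)) {
            $paths = array_merge($paths, clearPaths($value, $path));
        } elseif ($value !== MASK) {
            $paths[] = $path;
        }
    }
    return $paths;
}
$record = [ // constructed sample of one logged outgoing request
    'headers' => ['Content-Type' => 'application/json', 'Authorization' => 'Bearer constructed-value'],
    'payload' => ['amount' => 1200, 'api_key' => 'constructed', 'card' => ['number' => '4111111111111111', 'cvc' => '123']],
];
echo 'denylist:  ', implode(', ', clearPaths(maskDenylist($record, ['password', 'token', 'secret', 'key', 'api_*']))), PHP_EOL;
echo 'allowlist: ', implode(', ', clearPaths(maskAllowlist($record, ['content-type', 'amount']))), PHP_EOL;
```

With these patterns the denylist run still reports the Authorization header and both card fields as stored in clear text, while the allowlist run keeps only Content-Type and amount.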

Integration Approach

Stack Fit

  • Laravel Ecosystem:

    • HTTP Layer: Native integration with Laravel’s Http facade and Guzzle clients, covering 90%+ of HTTP use cases. Works alongside existing middleware (e.g., RetryMiddleware, TimeoutMiddleware).
    • Logging: Compatible with Laravel’s logging drivers (e.g., Monolog) via custom event listeners, though storage is database-centric by default.
    • Testing: Supports Laravel’s testing tools (Pest/PHPUnit) for validating HTTP interactions. Logs can be asserted or mocked in tests.
    • Task Scheduling: Cleanup command (spy:clean) integrates with Laravel’s scheduler for automated log retention.
  • Non-Laravel Components:

    • Guzzle Standalone: Manual mode required for non-containerized Guzzle clients (e.g., in legacy code or custom libraries). Document this requirement for the team.
    • Alternative HTTP Clients: No support for other PHP HTTP clients (e.g., Symfony’s HttpClient, cURL). Workaround: Wrap calls in Laravel’s Http facade.
    • Database: Requires a supported database (MySQL, PostgreSQL, SQLite). No support for NoSQL or external storage (e.g., Redis) by default.
  • Third-Party Integrations:

    • Monitoring Tools: Logs can be exported to external systems (e.g., ELK, Datadog) via custom event listeners or post-processing scripts.
    • APM Tools: Pair with Laravel Telescope, Blackfire, or New Relic to correlate HTTP logs with performance metrics.
    • Security Tools: Integrate with SIEM systems (e.g., Splunk) for anomaly detection in