DEV Community: Olamilekan Lamidi The latest articles on DEV Community by Olamilekan Lamidi (@oluwatosinolamilekan). https://dev.to/oluwatosinolamilekan https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2039735%2F7cb1423a-8628-4719-b464-1172ab07c630.jpg DEV Community: Olamilekan Lamidi https://dev.to/oluwatosinolamilekan en Laravel Google Sheets v1.1.0: Diff Previews, Sync Methods, Dry Runs, and Retry Backoff Olamilekan Lamidi Mon, 01 Jun 2026 11:31:23 +0000 https://dev.to/oluwatosinolamilekan/laravel-google-sheets-v110-diff-previews-sync-methods-dry-runs-and-retry-backoff-1oo9 https://dev.to/oluwatosinolamilekan/laravel-google-sheets-v110-diff-previews-sync-methods-dry-runs-and-retry-backoff-1oo9 <p>Google Sheets is often where business workflows begin.</p> <p>For Laravel apps, that usually means imports, exports, internal dashboards, user-managed spreadsheets, and the occasional "can we sync this automatically?" request.</p> <p><code>olamilekan/laravel-google-sheets</code> <code>v1.1.0</code> adds several features for those real-world workflows:</p> <ul> <li>Laravel 13 support</li> <li>Import diff previews</li> <li>Model, CSV, API, and two-way sync methods</li> <li>Dry-run sync command</li> <li>Human-friendly validation error sheets</li> <li>Retry and exponential backoff for temporary API failures</li> <li>Better testing fakes</li> <li>A GitHub Actions test matrix</li> </ul> <p>This is a backward-compatible feature release with 17 commits since <code>v1.0.0</code>.</p> <h2> Install </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>composer require olamilekan/laravel-google-sheets </code></pre> </div> <p>Publish the config:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>php artisan vendor:publish <span class="nt">--tag</span><span class="o">=</span>google-sheets-config </code></pre> </div> <h2> Laravel 13 support </h2> <p>The package now supports:</p> <ul> <li>Laravel 10</li> <li>Laravel 11</li> <li>Laravel 12</li> <li>Laravel 13</li> </ul> <p>That should make it easier to use the same package across older and newer Laravel applications.</p> <h2> Import diff previews </h2> <p>You can now preview an import before writing anything.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kn">use</span> <span class="nc">App\Models\User</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Olamilekan\GoogleSheets\Facades\GoogleSheets</span><span class="p">;</span> <span class="nv">$preview</span> <span class="o">=</span> <span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">connection</span><span class="p">(</span><span class="s1">'users'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">diffAgainst</span><span class="p">(</span><span class="nc">User</span><span class="o">::</span><span class="nf">query</span><span class="p">(),</span> <span class="n">key</span><span class="o">:</span> <span class="s1">'email'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">rules</span><span class="p">([</span> <span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'required'</span><span class="p">,</span> <span class="s1">'string'</span><span class="p">],</span> <span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'required'</span><span class="p">,</span> <span class="s1">'email'</span><span class="p">],</span> <span class="p">])</span> <span class="o">-&gt;</span><span class="nf">preview</span><span class="p">();</span> <span class="nv">$preview</span><span class="o">-&gt;</span><span class="nf">counts</span><span class="p">();</span> </code></pre> </div> <p>The preview separates rows into:</p> <ul> <li>new</li> <li>changed</li> <li>deleted</li> <li>invalid</li> <li>conflicts</li> </ul> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="p">[</span> <span class="s1">'new'</span> <span class="o">=&gt;</span> <span class="mi">1</span><span class="p">,</span> <span class="s1">'changed'</span> <span class="o">=&gt;</span> <span class="mi">2</span><span class="p">,</span> <span class="s1">'deleted'</span> <span class="o">=&gt;</span> <span class="mi">0</span><span class="p">,</span> <span class="s1">'invalid'</span> <span class="o">=&gt;</span> <span class="mi">1</span><span class="p">,</span> <span class="s1">'conflicts'</span> <span class="o">=&gt;</span> <span class="mi">0</span><span class="p">,</span> <span class="p">]</span> </code></pre> </div> <p>You can also control which fields are compared:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nv">$preview</span> <span class="o">=</span> <span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">connection</span><span class="p">(</span><span class="s1">'users'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">diffAgainst</span><span class="p">(</span><span class="nc">User</span><span class="o">::</span><span class="nf">query</span><span class="p">(),</span> <span class="n">key</span><span class="o">:</span> <span class="s1">'email'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">only</span><span class="p">([</span><span class="s1">'name'</span><span class="p">,</span> <span class="s1">'role'</span><span class="p">])</span> <span class="o">-&gt;</span><span class="nf">except</span><span class="p">([</span><span class="s1">'updated_at'</span><span class="p">])</span> <span class="o">-&gt;</span><span class="nf">preview</span><span class="p">();</span> </code></pre> </div> <p>This is useful when building admin import screens or approval flows.</p> <h2> Sync methods </h2> <p><code>v1.1.0</code> adds sync helpers for moving data between Google Sheets and common data sources.</p> <p>Sync from Eloquent to Google Sheets:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kn">use</span> <span class="nc">App\Models\User</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Olamilekan\GoogleSheets\Facades\GoogleSheets</span><span class="p">;</span> <span class="nv">$report</span> <span class="o">=</span> <span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">connection</span><span class="p">(</span><span class="s1">'users'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">syncFromModel</span><span class="p">(</span><span class="nc">User</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="n">keyColumn</span><span class="o">:</span> <span class="s1">'email'</span><span class="p">,</span> <span class="n">options</span><span class="o">:</span> <span class="p">[</span> <span class="s1">'columns'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'name'</span><span class="p">,</span> <span class="s1">'email'</span><span class="p">,</span> <span class="s1">'role'</span><span class="p">],</span> <span class="s1">'conflict'</span> <span class="o">=&gt;</span> <span class="s1">'app_wins'</span><span class="p">,</span> <span class="p">]);</span> </code></pre> </div> <p>Sync from Google Sheets to Eloquent:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nv">$report</span> <span class="o">=</span> <span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">connection</span><span class="p">(</span><span class="s1">'users'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">syncToModel</span><span class="p">(</span><span class="nc">User</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="n">keyColumn</span><span class="o">:</span> <span class="s1">'email'</span><span class="p">);</span> </code></pre> </div> <p>Import and export CSV files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nv">$report</span> <span class="o">=</span> <span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">connection</span><span class="p">(</span><span class="s1">'users'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">importCsv</span><span class="p">(</span><span class="nf">storage_path</span><span class="p">(</span><span class="s1">'app/users.csv'</span><span class="p">),</span> <span class="n">keyColumn</span><span class="o">:</span> <span class="s1">'email'</span><span class="p">);</span> <span class="nv">$report</span> <span class="o">=</span> <span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">connection</span><span class="p">(</span><span class="s1">'users'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">exportCsv</span><span class="p">(</span><span class="nf">storage_path</span><span class="p">(</span><span class="s1">'app/users-export.csv'</span><span class="p">));</span> </code></pre> </div> <p>Sync API data into a sheet:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nv">$report</span> <span class="o">=</span> <span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">connection</span><span class="p">(</span><span class="s1">'orders'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">syncFromApi</span><span class="p">(</span><span class="s1">'https://api.example.com/orders'</span><span class="p">,</span> <span class="n">keyColumn</span><span class="o">:</span> <span class="s1">'order_id'</span><span class="p">,</span> <span class="n">options</span><span class="o">:</span> <span class="p">[</span> <span class="s1">'data_key'</span> <span class="o">=&gt;</span> <span class="s1">'data'</span><span class="p">,</span> <span class="s1">'headers'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'Authorization'</span> <span class="o">=&gt;</span> <span class="s1">'Bearer '</span><span class="mf">.</span><span class="nv">$token</span><span class="p">],</span> <span class="p">]);</span> </code></pre> </div> <p>Push sheet data to an API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nv">$report</span> <span class="o">=</span> <span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">connection</span><span class="p">(</span><span class="s1">'orders'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">syncToApi</span><span class="p">(</span><span class="s1">'https://api.example.com/orders/bulk'</span><span class="p">);</span> </code></pre> </div> <p>Each sync returns a report:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nv">$report</span><span class="o">-&gt;</span><span class="nf">counts</span><span class="p">();</span> <span class="nv">$report</span><span class="o">-&gt;</span><span class="nf">created</span><span class="p">();</span> <span class="nv">$report</span><span class="o">-&gt;</span><span class="nf">updated</span><span class="p">();</span> <span class="nv">$report</span><span class="o">-&gt;</span><span class="nf">conflicts</span><span class="p">();</span> <span class="nv">$report</span><span class="o">-&gt;</span><span class="nf">errors</span><span class="p">();</span> </code></pre> </div> <h2> Two-way sync with conflict handling </h2> <p>Two-way sync needs clear conflict behavior.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nv">$report</span> <span class="o">=</span> <span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">connection</span><span class="p">(</span><span class="s1">'users'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">syncTwoWay</span><span class="p">(</span><span class="nc">User</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="n">keyColumn</span><span class="o">:</span> <span class="s1">'email'</span><span class="p">,</span> <span class="n">options</span><span class="o">:</span> <span class="p">[</span> <span class="s1">'conflict'</span> <span class="o">=&gt;</span> <span class="s1">'fail'</span><span class="p">,</span> <span class="p">]);</span> </code></pre> </div> <p>Supported strategies:</p> <ul> <li><code>app_wins</code></li> <li><code>sheet_wins</code></li> <li><code>skip</code></li> <li><code>fail</code></li> </ul> <h2> Dry-run sync command </h2> <p>You can preview command-line imports without writing rows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>php artisan google-sheets:sync <span class="s2">"App</span><span class="se">\\</span><span class="s2">Imports</span><span class="se">\\</span><span class="s2">UsersImport"</span> <span class="nb">users</span> <span class="nt">--dry-run</span> </code></pre> </div> <p>Dry runs compare rows using the import class target and key, then apply validation rules when available.</p> <h2> Validation error sheets </h2> <p>Instead of only throwing validation errors, the package can write row-level issues into an error sheet.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nv">$validRows</span> <span class="o">=</span> <span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">connection</span><span class="p">(</span><span class="s1">'users'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">validateWithErrorSheet</span><span class="p">([</span> <span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'required'</span><span class="p">,</span> <span class="s1">'string'</span><span class="p">],</span> <span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'required'</span><span class="p">,</span> <span class="s1">'email'</span><span class="p">],</span> <span class="p">]);</span> </code></pre> </div> <p>That gives spreadsheet users a clearer place to fix bad rows.</p> <h2> Queue sync jobs </h2> <p>Longer syncs can be queued:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">connection</span><span class="p">(</span><span class="s1">'users'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">queueSync</span><span class="p">(</span><span class="s1">'syncFromModel'</span><span class="p">,</span> <span class="p">[</span><span class="nc">User</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="s1">'email'</span><span class="p">],</span> <span class="n">queue</span><span class="o">:</span> <span class="s1">'imports'</span><span class="p">);</span> </code></pre> </div> <h2> Audit logs and notifications </h2> <p>Sync activity is logged through Laravel's logger and kept in an in-process audit log:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nv">$records</span> <span class="o">=</span> <span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">connection</span><span class="p">(</span><span class="s1">'users'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">syncAuditLog</span><span class="p">();</span> </code></pre> </div> <p>You can also send notifications:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">connection</span><span class="p">(</span><span class="s1">'users'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">syncFromModel</span><span class="p">(</span><span class="nc">User</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="s1">'email'</span><span class="p">,</span> <span class="p">[</span> <span class="s1">'notify'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'slack_webhook'</span> <span class="o">=&gt;</span> <span class="nf">config</span><span class="p">(</span><span class="s1">'services.slack.sync_webhook'</span><span class="p">),</span> <span class="s1">'mail_to'</span> <span class="o">=&gt;</span> <span class="s1">'ops@example.com'</span><span class="p">,</span> <span class="p">],</span> <span class="p">]);</span> </code></pre> </div> <h2> Retry and backoff </h2> <p>Temporary Google Sheets API failures are retried with exponential backoff and jitter.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// config/google-sheets.php</span> <span class="s1">'retry'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'enabled'</span> <span class="o">=&gt;</span> <span class="kc">true</span><span class="p">,</span> <span class="s1">'attempts'</span> <span class="o">=&gt;</span> <span class="mi">3</span><span class="p">,</span> <span class="s1">'delay'</span> <span class="o">=&gt;</span> <span class="mi">250</span><span class="p">,</span> <span class="s1">'max_delay'</span> <span class="o">=&gt;</span> <span class="mi">5000</span><span class="p">,</span> <span class="p">],</span> </code></pre> </div> <p>Runtime control:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nv">$rows</span> <span class="o">=</span> <span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">withRetries</span><span class="p">(</span><span class="n">attempts</span><span class="o">:</span> <span class="mi">5</span><span class="p">,</span> <span class="n">delay</span><span class="o">:</span> <span class="mi">500</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">all</span><span class="p">();</span> <span class="nv">$rows</span> <span class="o">=</span> <span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">withoutRetries</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">all</span><span class="p">();</span> </code></pre> </div> <p>This helps with rate limits, quota throttling, backend errors, and other temporary failures.</p> <h2> Testing fakes </h2> <p>You can test spreadsheet behavior without hitting the real API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kn">use</span> <span class="nc">Olamilekan\GoogleSheets\Facades\GoogleSheets</span><span class="p">;</span> <span class="nv">$fake</span> <span class="o">=</span> <span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">fake</span><span class="p">([</span> <span class="s1">'users'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="p">[</span><span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="s1">'Alice'</span><span class="p">,</span> <span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="s1">'alice@example.com'</span><span class="p">],</span> <span class="p">],</span> <span class="p">]);</span> <span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">connection</span><span class="p">(</span><span class="s1">'users'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">appendAssoc</span><span class="p">([</span> <span class="p">[</span><span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="s1">'Bob'</span><span class="p">,</span> <span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="s1">'bob@example.com'</span><span class="p">],</span> <span class="p">]);</span> <span class="nv">$fake</span><span class="o">-&gt;</span><span class="nf">assertAppended</span><span class="p">(</span><span class="s1">'users'</span><span class="p">,</span> <span class="p">[</span> <span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="s1">'Bob'</span><span class="p">,</span> <span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="s1">'bob@example.com'</span><span class="p">,</span> <span class="p">]);</span> </code></pre> </div> <h2> Upgrade </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>composer update olamilekan/laravel-google-sheets </code></pre> </div> <p>If you need the new config options:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>php artisan vendor:publish <span class="nt">--tag</span><span class="o">=</span>google-sheets-config </code></pre> </div> <h2> Links </h2> <p>GitHub: <a href="https://github.com/oluwatosinolamilekan/laravel-google-sheets" rel="noopener noreferrer">github.com/oluwatosinolamilekan/laravel-google-sheets</a></p> <p>Package:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>composer require olamilekan/laravel-google-sheets </code></pre> </div> <p>Release:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>composer update olamilekan/laravel-google-sheets </code></pre> </div> laravel php opensource googlesheet Building A Laravel Google Sheets Package That Imports, Exports, Caches, Formats, And Tests Cleanly Olamilekan Lamidi Wed, 20 May 2026 15:09:45 +0000 https://dev.to/oluwatosinolamilekan/building-a-laravel-google-sheets-package-that-imports-exports-caches-formats-and-tests-cleanly-2e31 https://dev.to/oluwatosinolamilekan/building-a-laravel-google-sheets-package-that-imports-exports-caches-formats-and-tests-cleanly-2e31 <p>Google Sheets often starts as a quick operational tool. A support team tracks users in a sheet, finance exports monthly reports, or an internal dashboard needs a simple spreadsheet backend. The challenge is keeping that workflow Laravel-friendly once it grows beyond a few API calls.</p> <p>This package wraps the Google Sheets API with a fluent Laravel API for common application tasks: importing rows, exporting reports, managing multiple spreadsheet connections, caching reads, formatting tabs, and testing without hitting Google.</p> <h2> Installation </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>composer require olamilekan/laravel-google-sheets php artisan vendor:publish <span class="nt">--tag</span><span class="o">=</span>google-sheets-config </code></pre> </div> <p>Add your service account credentials path:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GOOGLE_SHEETS_CREDENTIALS_PATH=/path/to/service-account.json </code></pre> </div> <p>Then configure named spreadsheet connections:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="s1">'sheets'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'users'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'spreadsheet_id'</span> <span class="o">=&gt;</span> <span class="nf">env</span><span class="p">(</span><span class="s1">'GOOGLE_SHEETS_USERS_SPREADSHEET_ID'</span><span class="p">),</span> <span class="s1">'sheet'</span> <span class="o">=&gt;</span> <span class="s1">'Users'</span><span class="p">,</span> <span class="p">],</span> <span class="s1">'reports'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'spreadsheet_id'</span> <span class="o">=&gt;</span> <span class="nf">env</span><span class="p">(</span><span class="s1">'GOOGLE_SHEETS_REPORTS_SPREADSHEET_ID'</span><span class="p">),</span> <span class="s1">'sheet'</span> <span class="o">=&gt;</span> <span class="s1">'Monthly'</span><span class="p">,</span> <span class="p">],</span> <span class="p">],</span> </code></pre> </div> <h2> Import Users From Google Sheets </h2> <p>For a simple import, read rows from a named connection:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nv">$rows</span> <span class="o">=</span> <span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">connection</span><span class="p">(</span><span class="s1">'users'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">all</span><span class="p">();</span> </code></pre> </div> <p>For a reusable import, create an import class:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kn">use</span> <span class="nc">App\Models\User</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Olamilekan\GoogleSheets\Imports\SheetImport</span><span class="p">;</span> <span class="kd">class</span> <span class="nc">UsersImport</span> <span class="kd">extends</span> <span class="nc">SheetImport</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">rules</span><span class="p">():</span> <span class="kt">array</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[</span><span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'required'</span><span class="p">,</span> <span class="s1">'email'</span><span class="p">]];</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">model</span><span class="p">(</span><span class="kt">array</span> <span class="nv">$row</span><span class="p">):</span> <span class="kt">User</span> <span class="p">{</span> <span class="k">return</span> <span class="nc">User</span><span class="o">::</span><span class="nf">updateOrCreate</span><span class="p">(</span> <span class="p">[</span><span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="nv">$row</span><span class="p">[</span><span class="s1">'email'</span><span class="p">]],</span> <span class="p">[</span><span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="nv">$row</span><span class="p">[</span><span class="s1">'name'</span><span class="p">]]</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Run it from code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">import</span><span class="p">(</span><span class="k">new</span> <span class="nc">UsersImport</span><span class="p">(),</span> <span class="s1">'users'</span><span class="p">);</span> </code></pre> </div> <p>Or from Artisan:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>php artisan google-sheets:sync <span class="s2">"App</span><span class="se">\\</span><span class="s2">Imports</span><span class="se">\\</span><span class="s2">UsersImport"</span> <span class="nb">users</span> </code></pre> </div> <h2> Export Reports To Google Sheets </h2> <p>Export classes keep reporting logic out of controllers and commands:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kn">use</span> <span class="nc">App\Models\Report</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Olamilekan\GoogleSheets\Exports\SheetExport</span><span class="p">;</span> <span class="kd">class</span> <span class="nc">ReportsExport</span> <span class="kd">extends</span> <span class="nc">SheetExport</span> <span class="p">{</span> <span class="k">public</span> <span class="kt">bool</span> <span class="nv">$replace</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="k">public</span> <span class="k">function</span> <span class="n">headings</span><span class="p">():</span> <span class="kt">array</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[</span><span class="s1">'Date'</span><span class="p">,</span> <span class="s1">'Name'</span><span class="p">,</span> <span class="s1">'Total'</span><span class="p">];</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">collection</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nc">Report</span><span class="o">::</span><span class="nf">query</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">latest</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">get</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">map</span><span class="p">(</span><span class="k">fn</span> <span class="p">(</span><span class="kt">Report</span> <span class="nv">$report</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="nv">$report</span><span class="o">-&gt;</span><span class="n">created_at</span><span class="o">-&gt;</span><span class="nf">toDateString</span><span class="p">(),</span> <span class="nv">$report</span><span class="o">-&gt;</span><span class="n">name</span><span class="p">,</span> <span class="nv">$report</span><span class="o">-&gt;</span><span class="n">total</span><span class="p">,</span> <span class="p">]);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Then export:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">export</span><span class="p">(</span><span class="k">new</span> <span class="nc">ReportsExport</span><span class="p">(),</span> <span class="s1">'reports'</span><span class="p">);</span> </code></pre> </div> <h2> Header-Aware Appends And Upserts </h2> <p>Sheets usually have headers. Instead of manually ordering every cell, append associative arrays:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">connection</span><span class="p">(</span><span class="s1">'users'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">appendAssoc</span><span class="p">([</span> <span class="p">[</span><span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="s1">'Alice'</span><span class="p">,</span> <span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="s1">'alice@example.com'</span><span class="p">,</span> <span class="s1">'role'</span> <span class="o">=&gt;</span> <span class="s1">'admin'</span><span class="p">],</span> <span class="p">]);</span> </code></pre> </div> <p>Upsert rows by a key column:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">connection</span><span class="p">(</span><span class="s1">'users'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">upsert</span><span class="p">(</span><span class="s1">'email'</span><span class="p">,</span> <span class="p">[</span> <span class="p">[</span><span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="s1">'Alice Updated'</span><span class="p">,</span> <span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="s1">'alice@example.com'</span><span class="p">,</span> <span class="s1">'role'</span> <span class="o">=&gt;</span> <span class="s1">'owner'</span><span class="p">],</span> <span class="p">[</span><span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="s1">'Bob'</span><span class="p">,</span> <span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="s1">'bob@example.com'</span><span class="p">,</span> <span class="s1">'role'</span> <span class="o">=&gt;</span> <span class="s1">'user'</span><span class="p">],</span> <span class="p">]);</span> </code></pre> </div> <h2> Validation And Required Headers </h2> <p>Catch bad spreadsheet data before it reaches your app:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">connection</span><span class="p">(</span><span class="s1">'users'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">requireHeaders</span><span class="p">([</span><span class="s1">'name'</span><span class="p">,</span> <span class="s1">'email'</span><span class="p">,</span> <span class="s1">'role'</span><span class="p">]);</span> <span class="nv">$rows</span> <span class="o">=</span> <span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">connection</span><span class="p">(</span><span class="s1">'users'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">validate</span><span class="p">([</span> <span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'required'</span><span class="p">,</span> <span class="s1">'string'</span><span class="p">],</span> <span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'required'</span><span class="p">,</span> <span class="s1">'email'</span><span class="p">],</span> <span class="p">]);</span> </code></pre> </div> <h2> Multi-Connection Workflows </h2> <p>Named connections make it easy to separate workflows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nv">$users</span> <span class="o">=</span> <span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">connection</span><span class="p">(</span><span class="s1">'users'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">all</span><span class="p">();</span> <span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">connection</span><span class="p">(</span><span class="s1">'reports'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">append</span><span class="p">([</span> <span class="p">[</span><span class="s1">'2026-05-17'</span><span class="p">,</span> <span class="s1">'Monthly Revenue'</span><span class="p">,</span> <span class="mi">15000</span><span class="p">],</span> <span class="p">]);</span> </code></pre> </div> <h2> Caching </h2> <p>Enable caching with Laravel's cache system:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GOOGLE_SHEETS_CACHE_ENABLED=true GOOGLE_SHEETS_CACHE_STORE=redis GOOGLE_SHEETS_CACHE_TTL=600 </code></pre> </div> <p>Or turn it on per call:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nv">$rows</span> <span class="o">=</span> <span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">connection</span><span class="p">(</span><span class="s1">'users'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">enableCache</span><span class="p">(</span><span class="mi">300</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">all</span><span class="p">();</span> </code></pre> </div> <p>When writes happen, the package clears remembered read cache keys for that spreadsheet so later reads can refresh.</p> <h2> Formatting, Formulas, And Named Ranges </h2> <p>Reports often need more than raw data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">connection</span><span class="p">(</span><span class="s1">'reports'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">sheet</span><span class="p">(</span><span class="s1">'Monthly'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">boldHeader</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">freezeRows</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">autoResizeColumns</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">4</span><span class="p">);</span> <span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">connection</span><span class="p">(</span><span class="s1">'reports'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">append</span><span class="p">([</span> <span class="p">[</span><span class="s1">'Total'</span><span class="p">,</span> <span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">formula</span><span class="p">(</span><span class="s1">'SUM(C2:C100)'</span><span class="p">)],</span> <span class="p">]);</span> <span class="nv">$summary</span> <span class="o">=</span> <span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">connection</span><span class="p">(</span><span class="s1">'reports'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">namedRange</span><span class="p">(</span><span class="s1">'MonthlySummary'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">get</span><span class="p">();</span> </code></pre> </div> <h2> Testing </h2> <p>You can fake Google Sheets in tests:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nv">$fake</span> <span class="o">=</span> <span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">fake</span><span class="p">([</span> <span class="s1">'users'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="p">[</span><span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="s1">'Alice'</span><span class="p">,</span> <span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="s1">'alice@example.com'</span><span class="p">],</span> <span class="p">],</span> <span class="p">]);</span> <span class="nc">GoogleSheets</span><span class="o">::</span><span class="nf">connection</span><span class="p">(</span><span class="s1">'users'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">appendAssoc</span><span class="p">([</span> <span class="p">[</span><span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="s1">'Bob'</span><span class="p">,</span> <span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="s1">'bob@example.com'</span><span class="p">],</span> <span class="p">]);</span> <span class="nv">$fake</span><span class="o">-&gt;</span><span class="nf">assertAppended</span><span class="p">(</span><span class="s1">'users'</span><span class="p">,</span> <span class="p">[</span><span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="s1">'Bob'</span><span class="p">,</span> <span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="s1">'bob@example.com'</span><span class="p">]);</span> </code></pre> </div> <h2> Useful Commands </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>php artisan google-sheets:list <span class="nb">users </span>php artisan google-sheets:clear reports <span class="nt">--sheet</span><span class="o">=</span>Monthly <span class="nt">--range</span><span class="o">=</span>A2:D100 php artisan google-sheets:sync <span class="s2">"App</span><span class="se">\\</span><span class="s2">Exports</span><span class="se">\\</span><span class="s2">ReportsExport"</span> reports </code></pre> </div> <h2> Closing </h2> <p>The goal is to make Google Sheets feel like a natural Laravel integration: fluent for simple reads and writes, structured for import and export classes, cache-aware for production use, and fakeable in tests.</p> <p>Read more on GitHub: <a href="https://github.com/oluwatosinolamilekan/laravel-google-sheets" rel="noopener noreferrer">github.com/oluwatosinolamilekan/laravel-google-sheets</a></p> laravel php developertools opensource I Built fintech-fraud-sim: A TypeScript CLI for Synthetic Fraud Testing Data Olamilekan Lamidi Wed, 13 May 2026 20:40:02 +0000 https://dev.to/oluwatosinolamilekan/i-built-fintech-fraud-sim-a-typescript-cli-for-synthetic-fraud-testing-data-34kj https://dev.to/oluwatosinolamilekan/i-built-fintech-fraud-sim-a-typescript-cli-for-synthetic-fraud-testing-data-34kj <p>Fraud systems are hard to test well.</p> <p>Not because engineers cannot write tests, but because the data needs to tell a story. A suspicious transaction is rarely suspicious because of one field. It is usually suspicious because of patterns:</p> <ul> <li>a new account with too many beneficiaries</li> <li>many transactions in a short window</li> <li>failed logins followed by a device change</li> <li>KYC failures mixed with country mismatches</li> <li>transaction amounts far above normal behavior</li> </ul> <p>Using production customer data for this is risky and often unacceptable. Basic mock data is usually too flat.</p> <p>So I built <code>fintech-fraud-sim</code>, a TypeScript CLI that generates synthetic fintech users and transactions with configurable fraud patterns.</p> <p>NPM package: <a href="https://www.npmjs.com/package/fintech-fraud-sim" rel="noopener noreferrer">https://www.npmjs.com/package/fintech-fraud-sim</a></p> <h2> Quick Start </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx fintech-fraud-sim generate <span class="nt">--users</span> 1000 <span class="nt">--fraud-rate</span> 0.08 </code></pre> </div> <p>That command generates:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>users.csv transactions.csv users.json transactions.json summary.json </code></pre> </div> <p>You can also choose a format:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx fintech-fraud-sim generate <span class="nt">--users</span> 5000 <span class="nt">--fraud-rate</span> 0.12 <span class="nt">--format</span> csv </code></pre> </div> <p>Or send output to a folder:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx fintech-fraud-sim generate <span class="nt">--users</span> 2000 <span class="nt">--fraud-rate</span> 0.05 <span class="nt">--format</span> json <span class="nt">--out</span> ./data </code></pre> </div> <h2> Why I Built It </h2> <p>Fraud detection products need test data in many places:</p> <ul> <li>dashboards</li> <li>QA fixtures</li> <li>rules engines</li> <li>risk scoring services</li> <li>transaction monitoring demos</li> <li>analytics pipelines</li> <li>prototype fraud models</li> </ul> <p>But realistic fraud test data is not just random rows. It needs consistent signals across users and transactions.</p> <p>For example, an account takeover scenario should not only mark a transaction as suspicious. The user should also show supporting signals such as failed logins, device changes, and country mismatch.</p> <p>That is the idea behind this CLI.</p> <h2> What the Data Looks Like </h2> <p>Generated users include fields like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>user_id country account_age_days kyc_status failed_kyc_attempts device_count ip_country declared_country failed_login_attempts_24h beneficiary_count_24h chargeback_count is_fraud fraud_pattern risk_label reason_codes </code></pre> </div> <p>Generated transactions include:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>transaction_id user_id timestamp amount currency channel beneficiary_id beneficiary_country device_id ip_country status is_suspicious fraud_pattern reason_codes </code></pre> </div> <p>The package does not generate real names, emails, phone numbers, BVNs, NINs, or bank account numbers.</p> <h2> Supported Fraud Patterns </h2> <p>The CLI currently supports:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Pattern</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>mule_account</code></td> <td>New account, high beneficiary count, rapid funds movement</td> </tr> <tr> <td><code>account_takeover</code></td> <td>Device change, country mismatch, failed login spike</td> </tr> <tr> <td><code>velocity_abuse</code></td> <td>Many transactions in a short period</td> </tr> <tr> <td><code>kyc_abuse</code></td> <td>Multiple failed KYC attempts and inconsistent country data</td> </tr> <tr> <td><code>chargeback_risk</code></td> <td>Prior chargebacks and high-value transactions</td> </tr> <tr> <td><code>transaction_spike</code></td> <td>Amount far above user baseline</td> </tr> <tr> <td><code>cross_border_anomaly</code></td> <td>IP or beneficiary country mismatch</td> </tr> <tr> <td><code>beneficiary_burst</code></td> <td>Many new beneficiaries within 24 hours</td> </tr> </tbody> </table></div> <p>You can select specific patterns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx fintech-fraud-sim generate <span class="se">\</span> <span class="nt">--users</span> 1000 <span class="se">\</span> <span class="nt">--fraud-rate</span> 0.08 <span class="se">\</span> <span class="nt">--patterns</span> mule,account_takeover,velocity_abuse </code></pre> </div> <p><code>mule</code> is accepted as an alias for <code>mule_account</code>.</p> <h2> Deterministic Generation </h2> <p>For tests and demos, deterministic output is important.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx fintech-fraud-sim generate <span class="nt">--users</span> 1000 <span class="nt">--fraud-rate</span> 0.08 <span class="nt">--seed</span> demo </code></pre> </div> <p>The same seed produces the same dataset, which makes the CLI useful in CI and repeatable test suites.</p> <h2> Testing </h2> <p>The project includes tests for:</p> <ul> <li>generating users and transactions</li> <li>fraud rate handling</li> <li>seeded deterministic output</li> <li>zero fraud rate behavior</li> <li>fraud pattern logic</li> <li>CSV and JSON writers</li> <li>CLI execution</li> </ul> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">test</span> </code></pre> </div> <p>The test suite uses Node's built-in test runner with <code>tsx</code>, so TypeScript tests can run directly.</p> <h2> Example Use Cases </h2> <p>You can use the generated data to:</p> <ul> <li>demo fraud dashboards</li> <li>test transaction monitoring rules</li> <li>validate CSV import workflows</li> <li>build realistic QA fixtures</li> <li>prototype risk scoring logic</li> <li>test data pipelines without exposing customer records</li> </ul> <h2> Safety Disclaimer </h2> <p><code>fintech-fraud-sim</code> is for testing, education, and fraud-model prototyping only. It generates synthetic data and should not be treated as real customer data or used as a production fraud decisioning system.</p> <h2> Final Thoughts </h2> <p>Good fraud testing needs more than random transactions. It needs plausible behavior.</p> <p>This CLI is my attempt to make that easier for fintech builders, QA teams, and engineers working on risk systems.</p> <p>NPM: <a href="https://www.npmjs.com/package/fintech-fraud-sim" rel="noopener noreferrer">https://www.npmjs.com/package/fintech-fraud-sim</a></p> fintech typescript cli testing PerfLens: Web Performance Audits Beyond Lighthouse Olamilekan Lamidi Fri, 08 May 2026 12:20:55 +0000 https://dev.to/oluwatosinolamilekan/perflens-web-performance-audits-beyond-lighthouse-2ne4 https://dev.to/oluwatosinolamilekan/perflens-web-performance-audits-beyond-lighthouse-2ne4 <p>Lighthouse is great. I use it, and I still think it is one of the most useful performance tools available to web developers.</p> <p>But I wanted something closer to the way I actually debug and ship web products, so I built <strong>PerfLens</strong>.</p> <p>PerfLens is a browser-first performance auditing extension that gives you live Core Web Vitals, Lighthouse-style scoring, resource diagnostics, root cause summaries, performance history, and launch evidence directly inside your browser workflow.</p> <p>Install it here: <a href="https://chromewebstore.google.com/detail/perflens/gkogamlpcnneeficmcdcnnnhobnbebdc" rel="noopener noreferrer">https://chromewebstore.google.com/detail/perflens/gkogamlpcnneeficmcdcnnnhobnbebdc</a></p> <h2> Why I Built It </h2> <p>A Lighthouse report is a strong snapshot, but performance work rarely ends with one snapshot.</p> <p>During real development, I usually want to know:</p> <ul> <li>What is slowing this page down right now?</li> <li>Which resources are heavy?</li> <li>Are my Core Web Vitals healthy?</li> <li>What should I fix first?</li> </ul> <p>PerfLens is built for that loop.</p> <h2> What It Includes </h2> <p>PerfLens currently supports:</p> <ul> <li>Core Web Vitals: LCP, FID, CLS, INP, FCP, and TTFB.</li> <li>0-100 performance scoring.</li> <li>Resource breakdowns by type and size.</li> <li>Audits for oversized images, missing lazy loading, render-blocking scripts, large bundles, weak caching, compression gaps, and heavy CSS.</li> <li>Accessibility checks for alt text, language attributes, viewport setup, headings, and form labels.</li> <li>Suggestions ranked by impact, effort, and confidence.</li> <li>Root cause summaries.</li> <li>Framework and build detection.</li> <li>Local history per URL.</li> <li>Launch evidence packs with desktop/mobile audits, screenshots, videos, JSON reports, prioritized issues, and readiness status.</li> </ul> <h2> PerfLens vs Lighthouse </h2> <p>PerfLens is not trying to replace Lighthouse. Lighthouse is still excellent for standardized lab audits.</p> <p>PerfLens is focused on the browser-side workflow around the audit.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Lighthouse</th> <th>PerfLens</th> </tr> </thead> <tbody> <tr> <td>One-time baseline report</td> <td>Live browser-context auditing</td> </tr> <tr> <td>Standard lab diagnostics</td> <td>Page-level history and trend signals</td> </tr> <tr> <td>General recommendations</td> <td>Suggestions ranked by impact, effort, and confidence</td> </tr> <tr> <td>Separate report flow</td> <td>Popup and DevTools workflow</td> </tr> <tr> <td>Audit categories</td> <td>Framework/build detection and root cause stories</td> </tr> <tr> <td>Report export</td> <td>Launch evidence packs with screenshots, videos, JSON, and readiness status</td> </tr> </tbody> </table></div> <p>For me, the biggest difference is that PerfLens tries to move you from "this is slow" to "this is probably why, and this is what to fix next."</p> <h2> Fix It With AI </h2> <p>When an issue appears on a localhost URL, PerfLens can identify it and generate a focused prompt for Cursor, Claude, Codex, or a custom coding agent. That makes it easier to pass local audit findings directly into your coding workflow.</p> <h2> Final </h2> <p>PerfLens came from a simple idea:</p> <blockquote> <p>Performance auditing should be closer to the browser, closer to the product, and closer to the next fix.</p> </blockquote> <p>If you already use Lighthouse, PerfLens can sit next to it as a practical debugging and launch-readiness companion.</p> webdev performance chromeextension javascript Multi-Tenant Security in SaaS: Data Isolation Patterns That Actually Work Olamilekan Lamidi Mon, 04 May 2026 12:20:59 +0000 https://dev.to/oluwatosinolamilekan/multi-tenant-security-in-saas-data-isolation-patterns-that-actually-work-fk https://dev.to/oluwatosinolamilekan/multi-tenant-security-in-saas-data-isolation-patterns-that-actually-work-fk <p>Multi-tenancy is the economic engine of SaaS. Sharing infrastructure across customers reduces cost and simplifies operations. But it introduces a risk that can end your business overnight: tenant data leakage.</p> <p>When one customer can see another customer's data — even accidentally — the consequences are severe. Regulatory fines, contract termination, public disclosure requirements, and irreparable trust damage. I have worked on multi-tenant platforms serving hundreds of organisations, and I have learned that data isolation is not something you bolt on later. It is a foundational architectural decision that shapes everything from database design to query patterns to testing strategy.</p> <p>This article covers the three main tenancy models, practical implementation patterns in Laravel and Node.js, and the security controls that prevent data leakage in production.</p> <h2> The Three Tenancy Models </h2> <h3> 1. Database-per-Tenant </h3> <p>Each tenant gets a completely separate database. Maximum isolation, maximum operational complexity.</p> <p><strong>Pros:</strong> Strongest isolation. Easy compliance with data residency requirements. Independent backup and restore per tenant.</p> <p><strong>Cons:</strong> Connection management overhead. Schema migrations must run across all databases. Does not scale well beyond a few hundred tenants.</p> <p><strong>Best for:</strong> Regulated industries (healthcare, finance), enterprise customers with strict data sovereignty requirements.</p> <h3> 2. Schema-per-Tenant </h3> <p>All tenants share a database server, but each gets a separate schema (or namespace). Moderate isolation with lower overhead than separate databases.</p> <p><strong>Pros:</strong> Good isolation without connection management complexity. PostgreSQL handles this natively with schemas.</p> <p><strong>Cons:</strong> Not supported equally across all databases. MySQL schema separation is effectively database separation. Migrations still need to run per schema.</p> <p><strong>Best for:</strong> Mid-market SaaS with tens to low hundreds of tenants.</p> <h3> 3. Shared Database with Row-Level Isolation </h3> <p>All tenants share the same tables. Every row includes a <code>tenant_id</code> column. Isolation is enforced at the application and query level.</p> <p><strong>Pros:</strong> Simplest to operate. Migrations run once. Scales to thousands of tenants. Lowest infrastructure cost.</p> <p><strong>Cons:</strong> One missed WHERE clause leaks data. Requires rigorous enforcement at every layer.</p> <p><strong>Best for:</strong> High-volume SaaS, platforms with many small tenants, startups optimising for speed.</p> <p>For most SaaS applications, <strong>shared database with row-level isolation</strong> is the right starting point. It is also the hardest to get right, because isolation depends entirely on your code never forgetting to filter by tenant. The rest of this article focuses on making that bulletproof.</p> <h2> Tenant Context Management </h2> <p>The foundation of row-level tenancy is a reliable tenant context — a mechanism that ensures every database query automatically includes the correct tenant filter.</p> <h3> Laravel: Global Scopes and Middleware </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kn">namespace</span> <span class="nn">App\Http\Middleware</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">App\Services\TenantContext</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Closure</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Illuminate\Http\Request</span><span class="p">;</span> <span class="kd">class</span> <span class="nc">ResolveTenant</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">__construct</span><span class="p">(</span><span class="k">private</span> <span class="kt">TenantContext</span> <span class="nv">$tenantContext</span><span class="p">)</span> <span class="p">{}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">handle</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">,</span> <span class="kt">Closure</span> <span class="nv">$next</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$tenantId</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">resolveTenantId</span><span class="p">(</span><span class="nv">$request</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$tenantId</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">response</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">([</span><span class="s1">'error'</span> <span class="o">=&gt;</span> <span class="s1">'Tenant could not be resolved.'</span><span class="p">],</span> <span class="mi">403</span><span class="p">);</span> <span class="p">}</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">tenantContext</span><span class="o">-&gt;</span><span class="nf">set</span><span class="p">(</span><span class="nv">$tenantId</span><span class="p">);</span> <span class="nv">$response</span> <span class="o">=</span> <span class="nv">$next</span><span class="p">(</span><span class="nv">$request</span><span class="p">);</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">tenantContext</span><span class="o">-&gt;</span><span class="nf">clear</span><span class="p">();</span> <span class="k">return</span> <span class="nv">$response</span><span class="p">;</span> <span class="p">}</span> <span class="k">private</span> <span class="k">function</span> <span class="n">resolveTenantId</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">):</span> <span class="kt">?string</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">hasHeader</span><span class="p">(</span><span class="s1">'X-Tenant-ID'</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">validateTenantAccess</span><span class="p">(</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">(),</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nb">header</span><span class="p">(</span><span class="s1">'X-Tenant-ID'</span><span class="p">)</span> <span class="p">);</span> <span class="p">}</span> <span class="nv">$host</span> <span class="o">=</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">getHost</span><span class="p">();</span> <span class="nv">$subdomain</span> <span class="o">=</span> <span class="nb">explode</span><span class="p">(</span><span class="s1">'.'</span><span class="p">,</span> <span class="nv">$host</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="o">??</span> <span class="kc">null</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$subdomain</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">resolveTenantBySubdomain</span><span class="p">(</span><span class="nv">$subdomain</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">()</span><span class="o">?-&gt;</span><span class="n">default_tenant_id</span><span class="p">;</span> <span class="p">}</span> <span class="k">private</span> <span class="k">function</span> <span class="n">validateTenantAccess</span><span class="p">(</span><span class="nv">$user</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$tenantId</span><span class="p">):</span> <span class="kt">?string</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$user</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="nv">$hasAccess</span> <span class="o">=</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">tenants</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'tenant_id'</span><span class="p">,</span> <span class="nv">$tenantId</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">exists</span><span class="p">();</span> <span class="k">return</span> <span class="nv">$hasAccess</span> <span class="o">?</span> <span class="nv">$tenantId</span> <span class="o">:</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="k">private</span> <span class="k">function</span> <span class="n">resolveTenantBySubdomain</span><span class="p">(</span><span class="kt">string</span> <span class="nv">$subdomain</span><span class="p">):</span> <span class="kt">?string</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">cache</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">remember</span><span class="p">(</span> <span class="s2">"tenant:subdomain:</span><span class="si">{</span><span class="nv">$subdomain</span><span class="si">}</span><span class="s2">"</span><span class="p">,</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">addHours</span><span class="p">(</span><span class="mi">1</span><span class="p">),</span> <span class="k">fn</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nc">\App\Models\Tenant</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s1">'subdomain'</span><span class="p">,</span> <span class="nv">$subdomain</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">value</span><span class="p">(</span><span class="s1">'id'</span><span class="p">)</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kn">namespace</span> <span class="nn">App\Services</span><span class="p">;</span> <span class="kd">class</span> <span class="nc">TenantContext</span> <span class="p">{</span> <span class="k">private</span> <span class="kt">?string</span> <span class="nv">$tenantId</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="k">public</span> <span class="k">function</span> <span class="n">set</span><span class="p">(</span><span class="kt">string</span> <span class="nv">$tenantId</span><span class="p">):</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">tenantId</span> <span class="o">=</span> <span class="nv">$tenantId</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">get</span><span class="p">():</span> <span class="kt">string</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">tenantId</span> <span class="o">===</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">\RuntimeException</span><span class="p">(</span><span class="s1">'Tenant context not set. This is a critical isolation failure.'</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">tenantId</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">clear</span><span class="p">():</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">tenantId</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">isSet</span><span class="p">():</span> <span class="kt">bool</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">tenantId</span> <span class="o">!==</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Automatic Query Scoping with Eloquent </h3> <p>The most dangerous aspect of row-level tenancy is forgetting to add <code>WHERE tenant_id = ?</code> to a query. Eloquent global scopes eliminate this risk:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kn">namespace</span> <span class="nn">App\Models\Traits</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">App\Models\Scopes\TenantScope</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">App\Services\TenantContext</span><span class="p">;</span> <span class="kd">trait</span> <span class="nc">BelongsToTenant</span> <span class="p">{</span> <span class="k">protected</span> <span class="k">static</span> <span class="k">function</span> <span class="n">bootBelongsToTenant</span><span class="p">():</span> <span class="kt">void</span> <span class="p">{</span> <span class="k">static</span><span class="o">::</span><span class="nf">addGlobalScope</span><span class="p">(</span><span class="k">new</span> <span class="nc">TenantScope</span><span class="p">());</span> <span class="k">static</span><span class="o">::</span><span class="nf">creating</span><span class="p">(</span><span class="k">function</span> <span class="p">(</span><span class="nv">$model</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$model</span><span class="o">-&gt;</span><span class="n">tenant_id</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$model</span><span class="o">-&gt;</span><span class="n">tenant_id</span> <span class="o">=</span> <span class="nf">app</span><span class="p">(</span><span class="nc">TenantContext</span><span class="o">::</span><span class="n">class</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">();</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kn">namespace</span> <span class="nn">App\Models\Scopes</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">App\Services\TenantContext</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Illuminate\Database\Eloquent\Builder</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Illuminate\Database\Eloquent\Model</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Illuminate\Database\Eloquent\Scope</span><span class="p">;</span> <span class="kd">class</span> <span class="nc">TenantScope</span> <span class="kd">implements</span> <span class="nc">Scope</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">apply</span><span class="p">(</span><span class="kt">Builder</span> <span class="nv">$builder</span><span class="p">,</span> <span class="kt">Model</span> <span class="nv">$model</span><span class="p">):</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$tenantContext</span> <span class="o">=</span> <span class="nf">app</span><span class="p">(</span><span class="nc">TenantContext</span><span class="o">::</span><span class="n">class</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$tenantContext</span><span class="o">-&gt;</span><span class="k">isSet</span><span class="p">())</span> <span class="p">{</span> <span class="nv">$builder</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="nv">$model</span><span class="o">-&gt;</span><span class="nf">getTable</span><span class="p">()</span> <span class="mf">.</span> <span class="s1">'.tenant_id'</span><span class="p">,</span> <span class="nv">$tenantContext</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">());</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now every model that uses the <code>BelongsToTenant</code> trait automatically filters by tenant:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">Invoice</span> <span class="kd">extends</span> <span class="nc">Model</span> <span class="p">{</span> <span class="kn">use</span> <span class="nc">BelongsToTenant</span><span class="p">;</span> <span class="k">protected</span> <span class="nv">$fillable</span> <span class="o">=</span> <span class="p">[</span><span class="s1">'tenant_id'</span><span class="p">,</span> <span class="s1">'number'</span><span class="p">,</span> <span class="s1">'amount'</span><span class="p">,</span> <span class="s1">'status'</span><span class="p">];</span> <span class="p">}</span> <span class="c1">// These queries automatically include WHERE tenant_id = ?</span> <span class="nv">$invoices</span> <span class="o">=</span> <span class="nc">Invoice</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s1">'status'</span><span class="p">,</span> <span class="s1">'pending'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">();</span> <span class="nv">$invoice</span> <span class="o">=</span> <span class="nc">Invoice</span><span class="o">::</span><span class="nf">findOrFail</span><span class="p">(</span><span class="nv">$id</span><span class="p">);</span> <span class="nv">$count</span> <span class="o">=</span> <span class="nc">Invoice</span><span class="o">::</span><span class="nb">count</span><span class="p">();</span> </code></pre> </div> <h3> Node.js: Middleware and Query Builder Integration </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">Response</span><span class="p">,</span> <span class="nx">NextFunction</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AsyncLocalStorage</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">async_hooks</span><span class="dl">'</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">TenantContextData</span> <span class="p">{</span> <span class="nl">tenantId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">tenantStorage</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AsyncLocalStorage</span><span class="o">&lt;</span><span class="nx">TenantContextData</span><span class="o">&gt;</span><span class="p">();</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">getTenantId</span><span class="p">():</span> <span class="kr">string</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">context</span> <span class="o">=</span> <span class="nx">tenantStorage</span><span class="p">.</span><span class="nf">getStore</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">context</span><span class="p">?.</span><span class="nx">tenantId</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Tenant context not set. This is a critical isolation failure.</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">context</span><span class="p">.</span><span class="nx">tenantId</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">tenantMiddleware</span><span class="p">(</span> <span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">Response</span><span class="p">,</span> <span class="nx">next</span><span class="p">:</span> <span class="nx">NextFunction</span> <span class="p">):</span> <span class="k">void</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">tenantId</span> <span class="o">=</span> <span class="nf">resolveTenantId</span><span class="p">(</span><span class="nx">req</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">tenantId</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Tenant could not be resolved.</span><span class="dl">'</span> <span class="p">});</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="nx">tenantStorage</span><span class="p">.</span><span class="nf">run</span><span class="p">({</span> <span class="nx">tenantId</span> <span class="p">},</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">next</span><span class="p">());</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">resolveTenantId</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">):</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">null</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">headerTenant</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">x-tenant-id</span><span class="dl">'</span><span class="p">]</span> <span class="k">as</span> <span class="kr">string</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">headerTenant</span><span class="p">)</span> <span class="k">return</span> <span class="nx">headerTenant</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">host</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">hostname</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">subdomain</span> <span class="o">=</span> <span class="nx">host</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">)[</span><span class="mi">0</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="nx">subdomain</span><span class="p">)</span> <span class="k">return</span> <span class="nx">subdomain</span><span class="p">;</span> <span class="k">return </span><span class="p">(</span><span class="nx">req</span> <span class="k">as</span> <span class="kr">any</span><span class="p">).</span><span class="nx">user</span><span class="p">?.</span><span class="nx">defaultTenantId</span> <span class="o">??</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> Prisma Extension for Automatic Tenant Filtering </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">PrismaClient</span><span class="p">,</span> <span class="nx">Prisma</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@prisma/client</span><span class="dl">'</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">createTenantPrisma</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">prisma</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PrismaClient</span><span class="p">();</span> <span class="k">return</span> <span class="nx">prisma</span><span class="p">.</span><span class="nf">$extends</span><span class="p">({</span> <span class="na">query</span><span class="p">:</span> <span class="p">{</span> <span class="nf">$allOperations</span><span class="p">({</span> <span class="nx">model</span><span class="p">,</span> <span class="nx">operation</span><span class="p">,</span> <span class="nx">args</span><span class="p">,</span> <span class="nx">query</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">tenantModels</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">Invoice</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Payment</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Project</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Document</span><span class="dl">'</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">model</span> <span class="o">||</span> <span class="o">!</span><span class="nx">tenantModels</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">model</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">query</span><span class="p">(</span><span class="nx">args</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">tenantId</span> <span class="o">=</span> <span class="nf">getTenantId</span><span class="p">();</span> <span class="k">if </span><span class="p">([</span><span class="dl">'</span><span class="s1">findMany</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">findFirst</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">findUnique</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">count</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">aggregate</span><span class="dl">'</span><span class="p">].</span><span class="nf">includes</span><span class="p">(</span><span class="nx">operation</span><span class="p">))</span> <span class="p">{</span> <span class="nx">args</span><span class="p">.</span><span class="nx">where</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">args</span><span class="p">.</span><span class="nx">where</span><span class="p">,</span> <span class="nx">tenantId</span> <span class="p">};</span> <span class="p">}</span> <span class="k">if </span><span class="p">([</span><span class="dl">'</span><span class="s1">create</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">createMany</span><span class="dl">'</span><span class="p">].</span><span class="nf">includes</span><span class="p">(</span><span class="nx">operation</span><span class="p">))</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">operation</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">create</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="nx">args</span><span class="p">.</span><span class="nx">data</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">args</span><span class="p">.</span><span class="nx">data</span><span class="p">,</span> <span class="nx">tenantId</span> <span class="p">};</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if </span><span class="p">([</span><span class="dl">'</span><span class="s1">update</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">updateMany</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">delete</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">deleteMany</span><span class="dl">'</span><span class="p">].</span><span class="nf">includes</span><span class="p">(</span><span class="nx">operation</span><span class="p">))</span> <span class="p">{</span> <span class="nx">args</span><span class="p">.</span><span class="nx">where</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">args</span><span class="p">.</span><span class="nx">where</span><span class="p">,</span> <span class="nx">tenantId</span> <span class="p">};</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">query</span><span class="p">(</span><span class="nx">args</span><span class="p">);</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">prisma</span> <span class="o">=</span> <span class="nf">createTenantPrisma</span><span class="p">();</span> </code></pre> </div> <h2> Row-Level Security in PostgreSQL </h2> <p>For an additional layer of defence, PostgreSQL's Row-Level Security (RLS) enforces tenant isolation at the database level — even if the application code has a bug:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">invoices</span> <span class="n">ENABLE</span> <span class="k">ROW</span> <span class="k">LEVEL</span> <span class="k">SECURITY</span><span class="p">;</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="n">tenant_isolation</span> <span class="k">ON</span> <span class="n">invoices</span> <span class="k">USING</span> <span class="p">(</span><span class="n">tenant_id</span> <span class="o">=</span> <span class="n">current_setting</span><span class="p">(</span><span class="s1">'app.current_tenant_id'</span><span class="p">)::</span><span class="n">uuid</span><span class="p">);</span> <span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">invoices</span> <span class="k">FORCE</span> <span class="k">ROW</span> <span class="k">LEVEL</span> <span class="k">SECURITY</span><span class="p">;</span> </code></pre> </div> <p>Set the tenant context at the beginning of each database connection:</p> <h3> Laravel with RLS </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">SetTenantOnConnection</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">handle</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">,</span> <span class="kt">Closure</span> <span class="nv">$next</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$tenantId</span> <span class="o">=</span> <span class="nf">app</span><span class="p">(</span><span class="nc">TenantContext</span><span class="o">::</span><span class="n">class</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">();</span> <span class="no">DB</span><span class="o">::</span><span class="nf">statement</span><span class="p">(</span><span class="s2">"SET app.current_tenant_id = '</span><span class="si">{</span><span class="nv">$tenantId</span><span class="si">}</span><span class="s2">'"</span><span class="p">);</span> <span class="k">return</span> <span class="nv">$next</span><span class="p">(</span><span class="nv">$request</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Node.js with RLS </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">withTenantRLS</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span><span class="p">(</span> <span class="nx">callback</span><span class="p">:</span> <span class="p">(</span><span class="nx">tx</span><span class="p">:</span> <span class="nx">PrismaClient</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">T</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">tenantId</span> <span class="o">=</span> <span class="nf">getTenantId</span><span class="p">();</span> <span class="k">return</span> <span class="nx">prisma</span><span class="p">.</span><span class="nf">$transaction</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">tx</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">tx</span><span class="p">.</span><span class="nf">$executeRawUnsafe</span><span class="p">(</span> <span class="s2">`SET LOCAL app.current_tenant_id = '</span><span class="p">${</span><span class="nx">tenantId</span><span class="p">}</span><span class="s2">'`</span> <span class="p">);</span> <span class="k">return</span> <span class="nf">callback</span><span class="p">(</span><span class="nx">tx</span> <span class="k">as</span> <span class="kr">any</span><span class="p">);</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>RLS acts as a safety net. Even if a developer writes a raw query that omits the tenant filter, PostgreSQL rejects rows that do not belong to the current tenant.</p> <h2> Testing for Tenant Leakage </h2> <p>The most critical test you can write for a multi-tenant system verifies that Tenant A cannot access Tenant B's data:</p> <h3> Laravel Test </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">TenantIsolationTest</span> <span class="kd">extends</span> <span class="nc">TestCase</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">test_tenant_cannot_access_other_tenant_data</span><span class="p">():</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$tenantA</span> <span class="o">=</span> <span class="nc">Tenant</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">();</span> <span class="nv">$tenantB</span> <span class="o">=</span> <span class="nc">Tenant</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">();</span> <span class="nv">$invoiceA</span> <span class="o">=</span> <span class="nc">Invoice</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">([</span><span class="s1">'tenant_id'</span> <span class="o">=&gt;</span> <span class="nv">$tenantA</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">]);</span> <span class="nv">$invoiceB</span> <span class="o">=</span> <span class="nc">Invoice</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">([</span><span class="s1">'tenant_id'</span> <span class="o">=&gt;</span> <span class="nv">$tenantB</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">]);</span> <span class="nf">app</span><span class="p">(</span><span class="nc">TenantContext</span><span class="o">::</span><span class="n">class</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">set</span><span class="p">(</span><span class="nv">$tenantA</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">);</span> <span class="nv">$visibleInvoices</span> <span class="o">=</span> <span class="nc">Invoice</span><span class="o">::</span><span class="nf">all</span><span class="p">();</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">assertTrue</span><span class="p">(</span><span class="nv">$visibleInvoices</span><span class="o">-&gt;</span><span class="nf">contains</span><span class="p">(</span><span class="nv">$invoiceA</span><span class="p">));</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">assertFalse</span><span class="p">(</span><span class="nv">$visibleInvoices</span><span class="o">-&gt;</span><span class="nf">contains</span><span class="p">(</span><span class="nv">$invoiceB</span><span class="p">));</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">test_tenant_cannot_access_other_tenant_by_id</span><span class="p">():</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$tenantA</span> <span class="o">=</span> <span class="nc">Tenant</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">();</span> <span class="nv">$tenantB</span> <span class="o">=</span> <span class="nc">Tenant</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">();</span> <span class="nv">$invoiceB</span> <span class="o">=</span> <span class="nc">Invoice</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">([</span><span class="s1">'tenant_id'</span> <span class="o">=&gt;</span> <span class="nv">$tenantB</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">]);</span> <span class="nf">app</span><span class="p">(</span><span class="nc">TenantContext</span><span class="o">::</span><span class="n">class</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">set</span><span class="p">(</span><span class="nv">$tenantA</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">);</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">expectException</span><span class="p">(</span><span class="nc">ModelNotFoundException</span><span class="o">::</span><span class="n">class</span><span class="p">);</span> <span class="nc">Invoice</span><span class="o">::</span><span class="nf">findOrFail</span><span class="p">(</span><span class="nv">$invoiceB</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">);</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">test_queries_without_tenant_context_throw</span><span class="p">():</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">expectException</span><span class="p">(</span><span class="nc">\RuntimeException</span><span class="o">::</span><span class="n">class</span><span class="p">);</span> <span class="nc">Invoice</span><span class="o">::</span><span class="nf">all</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Node.js Test </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nf">describe</span><span class="p">(</span><span class="dl">'</span><span class="s1">Tenant Isolation</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">should not return data from another tenant</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">tenantA</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">createTenant</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">tenantB</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">createTenant</span><span class="p">();</span> <span class="k">await</span> <span class="nf">createInvoice</span><span class="p">({</span> <span class="na">tenantId</span><span class="p">:</span> <span class="nx">tenantA</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="mi">100</span> <span class="p">});</span> <span class="k">await</span> <span class="nf">createInvoice</span><span class="p">({</span> <span class="na">tenantId</span><span class="p">:</span> <span class="nx">tenantB</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">amount</span><span class="p">:</span> <span class="mi">200</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">invoices</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">tenantStorage</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="p">{</span> <span class="na">tenantId</span><span class="p">:</span> <span class="nx">tenantA</span><span class="p">.</span><span class="nx">id</span> <span class="p">},</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">invoice</span><span class="p">.</span><span class="nf">findMany</span><span class="p">()</span> <span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">invoices</span><span class="p">).</span><span class="nf">toHaveLength</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">invoices</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">tenantId</span><span class="p">).</span><span class="nf">toBe</span><span class="p">(</span><span class="nx">tenantA</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="p">});</span> <span class="nf">it</span><span class="p">(</span><span class="dl">'</span><span class="s1">should throw when tenant context is missing</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">expect</span><span class="p">(</span><span class="nx">prisma</span><span class="p">.</span><span class="nx">invoice</span><span class="p">.</span><span class="nf">findMany</span><span class="p">()).</span><span class="nx">rejects</span><span class="p">.</span><span class="nf">toThrow</span><span class="p">(</span> <span class="dl">'</span><span class="s1">Tenant context not set</span><span class="dl">'</span> <span class="p">);</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p>Run these tests on every deployment. A failing tenant isolation test should block the release.</p> <h2> Common Tenant Leakage Vectors </h2> <p>Even with global scopes and RLS, leakage can happen through:</p> <ol> <li><p><strong>Raw queries:</strong> Any <code>DB::select()</code> or <code>prisma.$queryRaw()</code> bypasses ORM scoping. Audit every raw query for tenant filtering.</p></li> <li><p><strong>Background jobs:</strong> Queue workers do not have HTTP request context. Tenant ID must be serialised into the job payload and restored before execution.</p></li> <li><p><strong>Cache keys:</strong> If cache keys do not include the tenant ID, one tenant's cached data can be served to another.</p></li> <li><p><strong>File storage paths:</strong> Uploaded files must be stored under tenant-specific prefixes. A flat storage structure risks cross-tenant file access.</p></li> <li><p><strong>Admin endpoints:</strong> Internal tools that query across tenants must be explicitly authorised and logged.</p></li> </ol> <h3> Laravel: Tenant-Aware Job Example </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">ProcessInvoice</span> <span class="kd">implements</span> <span class="nc">ShouldQueue</span> <span class="p">{</span> <span class="kn">use</span> <span class="nc">Dispatchable</span><span class="p">,</span> <span class="nc">InteractsWithQueue</span><span class="p">,</span> <span class="nc">Queueable</span><span class="p">,</span> <span class="nc">SerializesModels</span><span class="p">;</span> <span class="k">public</span> <span class="k">function</span> <span class="n">__construct</span><span class="p">(</span> <span class="k">private</span> <span class="kt">string</span> <span class="nv">$tenantId</span><span class="p">,</span> <span class="k">private</span> <span class="kt">int</span> <span class="nv">$invoiceId</span><span class="p">,</span> <span class="p">)</span> <span class="p">{}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">handle</span><span class="p">(</span><span class="kt">TenantContext</span> <span class="nv">$tenantContext</span><span class="p">):</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$tenantContext</span><span class="o">-&gt;</span><span class="nf">set</span><span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">tenantId</span><span class="p">);</span> <span class="nv">$invoice</span> <span class="o">=</span> <span class="nc">Invoice</span><span class="o">::</span><span class="nf">findOrFail</span><span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">invoiceId</span><span class="p">);</span> <span class="c1">// Process invoice within correct tenant context</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Production Results </h2> <p>After implementing comprehensive tenant isolation across multi-tenant platforms:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Before</th> <th>After</th> </tr> </thead> <tbody> <tr> <td>Tenant data leakage incidents</td> <td>2–3 per year</td> <td>0</td> </tr> <tr> <td>Security audit findings (critical)</td> <td>4</td> <td>0</td> </tr> <tr> <td>Time to onboard new tenant</td> <td>2 days</td> <td>15 minutes</td> </tr> <tr> <td>Cross-tenant query bugs caught in CI</td> <td>N/A</td> <td>12 (prevented from reaching production)</td> </tr> <tr> <td>Customer trust incidents</td> <td>1 per year</td> <td>0</td> </tr> </tbody> </table></div> <h2> Key Takeaways </h2> <ol> <li><p><strong>Start with shared database + row-level isolation.</strong> It scales to thousands of tenants and has the lowest operational overhead. Move to database-per-tenant only when regulation demands it.</p></li> <li><p><strong>Never rely on developers remembering to filter.</strong> Use global scopes (Laravel) or Prisma extensions (Node.js) to make tenant filtering automatic and invisible.</p></li> <li><p><strong>Add PostgreSQL RLS as a safety net.</strong> Application-level filtering is necessary. Database-level filtering is insurance against application bugs.</p></li> <li><p><strong>Test for leakage explicitly.</strong> Write tests that create data in Tenant A, set context to Tenant B, and verify the data is invisible. Run these tests on every deployment.</p></li> <li><p><strong>Audit raw queries, background jobs, cache keys, and file paths.</strong> These are the most common vectors for accidental cross-tenant data exposure.</p></li> <li><p><strong>Serialise tenant context into background jobs.</strong> Queue workers do not inherit HTTP request context. The tenant ID must travel with the job.</p></li> </ol> <h2> Conclusion </h2> <p>Multi-tenant security is not a feature you add — it is a design constraint that shapes your entire architecture. The patterns in this article are not theoretical. They come from building platforms where a tenant leakage incident would mean regulatory consequences and broken customer relationships.</p> <p>Whether you build in Laravel or Node.js, the principles are the same: automatic query scoping, database-level enforcement, explicit testing, and paranoid attention to the edge cases where isolation breaks down. Get this right, and your multi-tenant platform can scale with confidence.</p> multitenancy laravel node dataisolation Security by Design in Healthcare Data Platforms Olamilekan Lamidi Wed, 29 Apr 2026 10:15:46 +0000 https://dev.to/oluwatosinolamilekan/security-by-design-in-healthcare-data-platforms-5dfh https://dev.to/oluwatosinolamilekan/security-by-design-in-healthcare-data-platforms-5dfh <p>Healthcare data is among the most sensitive information a system can hold. Patient records, diagnostic results, treatment histories, and genomic data are not just private — they are regulated by laws that carry serious penalties for mishandling. HIPAA in the United States, GDPR in Europe, and Nigeria's NDPR all impose strict requirements on how healthcare data must be collected, stored, processed, and shared.</p> <p>Security in healthcare is not something you add after the product works. It must be woven into every layer of the system from the first line of code. I have built health-tech platforms that handle sensitive patient data collection and clinical workflows, and the lessons from that work apply broadly to any system where data protection is not optional.</p> <p>This article covers the architecture patterns, implementation strategies, and operational practices for building healthcare data platforms that are secure by design — with examples in both Laravel and Node.js.</p> <h2> Why Healthcare Systems Are Different </h2> <p>Most web applications can tolerate a brief security lapse and recover. Healthcare systems cannot. The consequences of a breach are uniquely severe:</p> <ol> <li><p><strong>Patient harm:</strong> Leaked medical records can affect employment, insurance, and personal relationships. Unlike a leaked password, a disclosed medical condition cannot be reset.</p></li> <li><p><strong>Regulatory penalties:</strong> HIPAA violations can result in fines up to $1.5 million per violation category per year. GDPR fines can reach 4% of global annual revenue.</p></li> <li><p><strong>Operational shutdown:</strong> A breach in a healthcare system may require shutting down access to patient data while the investigation proceeds — directly affecting care delivery.</p></li> <li><p><strong>Trust destruction:</strong> Patients who learn their data was compromised may refuse to use digital health tools, undermining the entire digital health ecosystem.</p></li> </ol> <p>These consequences demand a security model that assumes breaches will be attempted and builds defences at every layer.</p> <h2> The Security Architecture </h2> <p>Healthcare data security operates on multiple layers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Client Layer] - End-to-end encryption for data in transit - Session management with short TTLs - Input validation and sanitisation [Application Layer] - Authentication (MFA required) - Role-Based Access Control (RBAC) - Audit logging of every data access - Field-level encryption for sensitive data [Data Layer] - Encryption at rest (AES-256) - Database access controls - Backup encryption - Data retention and purging policies [Infrastructure Layer] - Network segmentation - Intrusion detection - Vulnerability scanning - Access logging and monitoring </code></pre> </div> <h2> Authentication and Access Control </h2> <p>Healthcare systems require strong authentication and granular access control. Not every user should see every patient's data, and every access must be logged.</p> <h3> Laravel: Role-Based Access Control </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kn">namespace</span> <span class="nn">App\Models</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Illuminate\Database\Eloquent\Model</span><span class="p">;</span> <span class="kd">class</span> <span class="nc">Permission</span> <span class="kd">extends</span> <span class="nc">Model</span> <span class="p">{</span> <span class="k">protected</span> <span class="nv">$fillable</span> <span class="o">=</span> <span class="p">[</span><span class="s1">'name'</span><span class="p">,</span> <span class="s1">'resource'</span><span class="p">,</span> <span class="s1">'action'</span><span class="p">,</span> <span class="s1">'conditions'</span><span class="p">];</span> <span class="k">protected</span> <span class="nv">$casts</span> <span class="o">=</span> <span class="p">[</span><span class="s1">'conditions'</span> <span class="o">=&gt;</span> <span class="s1">'array'</span><span class="p">];</span> <span class="p">}</span> <span class="kd">class</span> <span class="nc">Role</span> <span class="kd">extends</span> <span class="nc">Model</span> <span class="p">{</span> <span class="k">protected</span> <span class="nv">$fillable</span> <span class="o">=</span> <span class="p">[</span><span class="s1">'name'</span><span class="p">,</span> <span class="s1">'description'</span><span class="p">,</span> <span class="s1">'level'</span><span class="p">];</span> <span class="k">public</span> <span class="k">function</span> <span class="n">permissions</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">belongsToMany</span><span class="p">(</span><span class="nc">Permission</span><span class="o">::</span><span class="n">class</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kn">namespace</span> <span class="nn">App\Services</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">App\Models\User</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Illuminate\Support\Facades\Cache</span><span class="p">;</span> <span class="kd">class</span> <span class="nc">AccessControlService</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">canAccess</span><span class="p">(</span><span class="kt">User</span> <span class="nv">$user</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$resource</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$action</span><span class="p">,</span> <span class="kt">array</span> <span class="nv">$context</span> <span class="o">=</span> <span class="p">[]):</span> <span class="kt">bool</span> <span class="p">{</span> <span class="nv">$permissions</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">getUserPermissions</span><span class="p">(</span><span class="nv">$user</span><span class="p">);</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$permissions</span> <span class="k">as</span> <span class="nv">$permission</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$permission</span><span class="o">-&gt;</span><span class="n">resource</span> <span class="o">!==</span> <span class="nv">$resource</span><span class="p">)</span> <span class="k">continue</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$permission</span><span class="o">-&gt;</span><span class="n">action</span> <span class="o">!==</span> <span class="nv">$action</span> <span class="o">&amp;&amp;</span> <span class="nv">$permission</span><span class="o">-&gt;</span><span class="n">action</span> <span class="o">!==</span> <span class="s1">'*'</span><span class="p">)</span> <span class="k">continue</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$permission</span><span class="o">-&gt;</span><span class="n">conditions</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">evaluateConditions</span><span class="p">(</span><span class="nv">$permission</span><span class="o">-&gt;</span><span class="n">conditions</span><span class="p">,</span> <span class="nv">$context</span><span class="p">,</span> <span class="nv">$user</span><span class="p">))</span> <span class="p">{</span> <span class="k">continue</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">logAccess</span><span class="p">(</span><span class="nv">$user</span><span class="p">,</span> <span class="nv">$resource</span><span class="p">,</span> <span class="nv">$action</span><span class="p">,</span> <span class="nv">$context</span><span class="p">,</span> <span class="kc">true</span><span class="p">);</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">logAccess</span><span class="p">(</span><span class="nv">$user</span><span class="p">,</span> <span class="nv">$resource</span><span class="p">,</span> <span class="nv">$action</span><span class="p">,</span> <span class="nv">$context</span><span class="p">,</span> <span class="kc">false</span><span class="p">);</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="k">private</span> <span class="k">function</span> <span class="n">evaluateConditions</span><span class="p">(</span><span class="kt">array</span> <span class="nv">$conditions</span><span class="p">,</span> <span class="kt">array</span> <span class="nv">$context</span><span class="p">,</span> <span class="kt">User</span> <span class="nv">$user</span><span class="p">):</span> <span class="kt">bool</span> <span class="p">{</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$conditions</span> <span class="k">as</span> <span class="nv">$condition</span><span class="p">)</span> <span class="p">{</span> <span class="k">switch</span> <span class="p">(</span><span class="nv">$condition</span><span class="p">[</span><span class="s1">'type'</span><span class="p">])</span> <span class="p">{</span> <span class="k">case</span> <span class="s1">'own_patients_only'</span><span class="o">:</span> <span class="k">if</span> <span class="p">((</span><span class="nv">$context</span><span class="p">[</span><span class="s1">'patient_id'</span><span class="p">]</span> <span class="o">??</span> <span class="kc">null</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">patients</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'id'</span><span class="p">,</span> <span class="nv">$context</span><span class="p">[</span><span class="s1">'patient_id'</span><span class="p">])</span><span class="o">-&gt;</span><span class="nf">exists</span><span class="p">())</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="k">break</span><span class="p">;</span> <span class="k">case</span> <span class="s1">'department_match'</span><span class="o">:</span> <span class="k">if</span> <span class="p">((</span><span class="nv">$context</span><span class="p">[</span><span class="s1">'department_id'</span><span class="p">]</span> <span class="o">??</span> <span class="kc">null</span><span class="p">)</span> <span class="o">!==</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="n">department_id</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="k">break</span><span class="p">;</span> <span class="k">case</span> <span class="s1">'time_restricted'</span><span class="o">:</span> <span class="nv">$now</span> <span class="o">=</span> <span class="nf">now</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$now</span><span class="o">-&gt;</span><span class="n">hour</span> <span class="o">&lt;</span> <span class="nv">$condition</span><span class="p">[</span><span class="s1">'start_hour'</span><span class="p">]</span> <span class="o">||</span> <span class="nv">$now</span><span class="o">-&gt;</span><span class="n">hour</span> <span class="o">&gt;</span> <span class="nv">$condition</span><span class="p">[</span><span class="s1">'end_hour'</span><span class="p">])</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="k">private</span> <span class="k">function</span> <span class="n">getUserPermissions</span><span class="p">(</span><span class="kt">User</span> <span class="nv">$user</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nc">Cache</span><span class="o">::</span><span class="nf">remember</span><span class="p">(</span> <span class="s2">"user_permissions:</span><span class="si">{</span><span class="nv">$user</span><span class="o">-&gt;</span><span class="n">id</span><span class="si">}</span><span class="s2">"</span><span class="p">,</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">addMinutes</span><span class="p">(</span><span class="mi">15</span><span class="p">),</span> <span class="k">fn</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="nf">roles</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">with</span><span class="p">(</span><span class="s1">'permissions'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">pluck</span><span class="p">(</span><span class="s1">'permissions'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">flatten</span><span class="p">()</span> <span class="p">);</span> <span class="p">}</span> <span class="k">private</span> <span class="k">function</span> <span class="n">logAccess</span><span class="p">(</span><span class="kt">User</span> <span class="nv">$user</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$resource</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$action</span><span class="p">,</span> <span class="kt">array</span> <span class="nv">$context</span><span class="p">,</span> <span class="kt">bool</span> <span class="nv">$granted</span><span class="p">):</span> <span class="kt">void</span> <span class="p">{</span> <span class="nc">\App\Models\AccessLog</span><span class="o">::</span><span class="nf">create</span><span class="p">([</span> <span class="s1">'user_id'</span> <span class="o">=&gt;</span> <span class="nv">$user</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'resource'</span> <span class="o">=&gt;</span> <span class="nv">$resource</span><span class="p">,</span> <span class="s1">'action'</span> <span class="o">=&gt;</span> <span class="nv">$action</span><span class="p">,</span> <span class="s1">'context'</span> <span class="o">=&gt;</span> <span class="nv">$context</span><span class="p">,</span> <span class="s1">'granted'</span> <span class="o">=&gt;</span> <span class="nv">$granted</span><span class="p">,</span> <span class="s1">'ip_address'</span> <span class="o">=&gt;</span> <span class="nf">request</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">ip</span><span class="p">(),</span> <span class="s1">'user_agent'</span> <span class="o">=&gt;</span> <span class="nf">request</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">userAgent</span><span class="p">(),</span> <span class="s1">'accessed_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="p">]);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Node.js: Middleware-Based Access Control </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">Response</span><span class="p">,</span> <span class="nx">NextFunction</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">AccessRule</span> <span class="p">{</span> <span class="nl">resource</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">action</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">conditions</span><span class="p">?:</span> <span class="nb">Array</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">[</span><span class="na">key</span><span class="p">:</span> <span class="kr">string</span><span class="p">]:</span> <span class="nx">unknown</span><span class="p">;</span> <span class="p">}</span><span class="o">&gt;</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">requireAccess</span><span class="p">(</span><span class="nx">resource</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">action</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">Request</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">Response</span><span class="p">,</span> <span class="nx">next</span><span class="p">:</span> <span class="nx">NextFunction</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="p">(</span><span class="nx">req</span> <span class="k">as</span> <span class="kr">any</span><span class="p">).</span><span class="nx">user</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">401</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Authentication required</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">context</span> <span class="o">=</span> <span class="p">{</span> <span class="na">patient_id</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">patientId</span><span class="p">,</span> <span class="na">department_id</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">departmentId</span><span class="p">,</span> <span class="na">ip_address</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">ip</span><span class="p">,</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">granted</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">checkAccess</span><span class="p">(</span><span class="nx">user</span><span class="p">,</span> <span class="nx">resource</span><span class="p">,</span> <span class="nx">action</span><span class="p">,</span> <span class="nx">context</span><span class="p">);</span> <span class="k">await</span> <span class="nf">logAccess</span><span class="p">({</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">resource</span><span class="p">,</span> <span class="nx">action</span><span class="p">,</span> <span class="nx">context</span><span class="p">,</span> <span class="nx">granted</span><span class="p">,</span> <span class="na">ipAddress</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">ip</span><span class="o">!</span><span class="p">,</span> <span class="na">userAgent</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">user-agent</span><span class="dl">'</span><span class="p">]</span> <span class="o">||</span> <span class="dl">''</span><span class="p">,</span> <span class="na">accessedAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(),</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">granted</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Access denied</span><span class="dl">'</span><span class="p">,</span> <span class="nx">resource</span><span class="p">,</span> <span class="nx">action</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="nf">next</span><span class="p">();</span> <span class="p">};</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">checkAccess</span><span class="p">(</span> <span class="nx">user</span><span class="p">:</span> <span class="kr">any</span><span class="p">,</span> <span class="nx">resource</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">action</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">context</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">unknown</span><span class="o">&gt;</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">boolean</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">permissions</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getUserPermissions</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="k">return</span> <span class="nx">permissions</span><span class="p">.</span><span class="nf">some</span><span class="p">((</span><span class="na">perm</span><span class="p">:</span> <span class="nx">AccessRule</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">perm</span><span class="p">.</span><span class="nx">resource</span> <span class="o">!==</span> <span class="nx">resource</span><span class="p">)</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">perm</span><span class="p">.</span><span class="nx">action</span> <span class="o">!==</span> <span class="nx">action</span> <span class="o">&amp;&amp;</span> <span class="nx">perm</span><span class="p">.</span><span class="nx">action</span> <span class="o">!==</span> <span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">)</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">perm</span><span class="p">.</span><span class="nx">conditions</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">perm</span><span class="p">.</span><span class="nx">conditions</span><span class="p">.</span><span class="nf">every</span><span class="p">((</span><span class="nx">condition</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">evaluateCondition</span><span class="p">(</span><span class="nx">condition</span><span class="p">,</span> <span class="nx">context</span><span class="p">,</span> <span class="nx">user</span><span class="p">)</span> <span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">evaluateCondition</span><span class="p">(</span> <span class="nx">condition</span><span class="p">:</span> <span class="p">{</span> <span class="nl">type</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">[</span><span class="nx">key</span><span class="p">:</span> <span class="kr">string</span><span class="p">]:</span> <span class="nx">unknown</span> <span class="p">},</span> <span class="nx">context</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">unknown</span><span class="o">&gt;</span><span class="p">,</span> <span class="nx">user</span><span class="p">:</span> <span class="kr">any</span> <span class="p">):</span> <span class="nx">boolean</span> <span class="p">{</span> <span class="k">switch </span><span class="p">(</span><span class="nx">condition</span><span class="p">.</span><span class="kd">type</span><span class="p">)</span> <span class="p">{</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">own_patients_only</span><span class="dl">'</span><span class="p">:</span> <span class="k">return</span> <span class="nx">user</span><span class="p">.</span><span class="nx">patientIds</span><span class="p">?.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">context</span><span class="p">.</span><span class="nx">patient_id</span><span class="p">)</span> <span class="o">??</span> <span class="kc">false</span><span class="p">;</span> <span class="k">case</span> <span class="dl">'</span><span class="s1">department_match</span><span class="dl">'</span><span class="p">:</span> <span class="k">return</span> <span class="nx">user</span><span class="p">.</span><span class="nx">departmentId</span> <span class="o">===</span> <span class="nx">context</span><span class="p">.</span><span class="nx">department_id</span><span class="p">;</span> <span class="nl">default</span><span class="p">:</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Apply to routes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">router</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span> <span class="dl">'</span><span class="s1">/patients/:patientId/records</span><span class="dl">'</span><span class="p">,</span> <span class="nf">requireAccess</span><span class="p">(</span><span class="dl">'</span><span class="s1">patient_records</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">read</span><span class="dl">'</span><span class="p">),</span> <span class="nx">patientRecordController</span><span class="p">.</span><span class="nx">list</span> <span class="p">);</span> <span class="nx">router</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="dl">'</span><span class="s1">/patients/:patientId/records</span><span class="dl">'</span><span class="p">,</span> <span class="nf">requireAccess</span><span class="p">(</span><span class="dl">'</span><span class="s1">patient_records</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">write</span><span class="dl">'</span><span class="p">),</span> <span class="nx">patientRecordController</span><span class="p">.</span><span class="nx">create</span> <span class="p">);</span> <span class="nx">router</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span> <span class="dl">'</span><span class="s1">/patients/:patientId/records/:recordId</span><span class="dl">'</span><span class="p">,</span> <span class="nf">requireAccess</span><span class="p">(</span><span class="dl">'</span><span class="s1">patient_records</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">read</span><span class="dl">'</span><span class="p">),</span> <span class="nx">patientRecordController</span><span class="p">.</span><span class="nx">show</span> <span class="p">);</span> </code></pre> </div> <h2> Field-Level Encryption </h2> <p>Not all data in a patient record is equally sensitive. Name and date of birth require protection, but appointment times may not. Field-level encryption encrypts specific fields within a record rather than encrypting the entire database:</p> <h3> Laravel: Encrypted Attributes </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kn">namespace</span> <span class="nn">App\Models\Traits</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Illuminate\Support\Facades\Crypt</span><span class="p">;</span> <span class="kd">trait</span> <span class="nc">EncryptsHealthData</span> <span class="p">{</span> <span class="k">protected</span> <span class="k">static</span> <span class="kt">array</span> <span class="nv">$encryptedFields</span> <span class="o">=</span> <span class="p">[];</span> <span class="k">public</span> <span class="k">function</span> <span class="n">getAttribute</span><span class="p">(</span><span class="nv">$key</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$value</span> <span class="o">=</span> <span class="k">parent</span><span class="o">::</span><span class="nf">getAttribute</span><span class="p">(</span><span class="nv">$key</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nb">in_array</span><span class="p">(</span><span class="nv">$key</span><span class="p">,</span> <span class="k">static</span><span class="o">::</span><span class="nv">$encryptedFields</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="nv">$value</span> <span class="o">!==</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">return</span> <span class="nc">Crypt</span><span class="o">::</span><span class="nf">decryptString</span><span class="p">(</span><span class="nv">$value</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nc">\Exception</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nv">$value</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nv">$value</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">setAttribute</span><span class="p">(</span><span class="nv">$key</span><span class="p">,</span> <span class="nv">$value</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nb">in_array</span><span class="p">(</span><span class="nv">$key</span><span class="p">,</span> <span class="k">static</span><span class="o">::</span><span class="nv">$encryptedFields</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="nv">$value</span> <span class="o">!==</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$value</span> <span class="o">=</span> <span class="nc">Crypt</span><span class="o">::</span><span class="nf">encryptString</span><span class="p">(</span><span class="nv">$value</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="k">parent</span><span class="o">::</span><span class="nf">setAttribute</span><span class="p">(</span><span class="nv">$key</span><span class="p">,</span> <span class="nv">$value</span><span class="p">);</span> <span class="p">}</span> <span class="k">public</span> <span class="k">static</span> <span class="k">function</span> <span class="n">searchEncrypted</span><span class="p">(</span><span class="kt">string</span> <span class="nv">$field</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$value</span><span class="p">):</span> <span class="kt">?static</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nb">in_array</span><span class="p">(</span><span class="nv">$field</span><span class="p">,</span> <span class="k">static</span><span class="o">::</span><span class="nv">$encryptedFields</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="k">static</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="nv">$field</span><span class="p">,</span> <span class="nv">$value</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">first</span><span class="p">();</span> <span class="p">}</span> <span class="nv">$blindIndex</span> <span class="o">=</span> <span class="nb">hash</span><span class="p">(</span><span class="s1">'sha256'</span><span class="p">,</span> <span class="nb">strtolower</span><span class="p">(</span><span class="nb">trim</span><span class="p">(</span><span class="nv">$value</span><span class="p">))</span> <span class="mf">.</span> <span class="nf">config</span><span class="p">(</span><span class="s1">'app.encryption_salt'</span><span class="p">));</span> <span class="k">return</span> <span class="k">static</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s2">"</span><span class="si">{</span><span class="nv">$field</span><span class="si">}</span><span class="s2">_index"</span><span class="p">,</span> <span class="nv">$blindIndex</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">first</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">class</span> <span class="nc">PatientRecord</span> <span class="kd">extends</span> <span class="nc">Model</span> <span class="p">{</span> <span class="kn">use</span> <span class="nc">EncryptsHealthData</span><span class="p">;</span> <span class="k">protected</span> <span class="k">static</span> <span class="kt">array</span> <span class="nv">$encryptedFields</span> <span class="o">=</span> <span class="p">[</span> <span class="s1">'diagnosis'</span><span class="p">,</span> <span class="s1">'treatment_notes'</span><span class="p">,</span> <span class="s1">'medication_details'</span><span class="p">,</span> <span class="s1">'lab_results'</span><span class="p">,</span> <span class="s1">'genetic_data'</span><span class="p">,</span> <span class="p">];</span> <span class="k">protected</span> <span class="nv">$fillable</span> <span class="o">=</span> <span class="p">[</span> <span class="s1">'patient_id'</span><span class="p">,</span> <span class="s1">'record_type'</span><span class="p">,</span> <span class="s1">'diagnosis'</span><span class="p">,</span> <span class="s1">'diagnosis_index'</span><span class="p">,</span> <span class="s1">'treatment_notes'</span><span class="p">,</span> <span class="s1">'medication_details'</span><span class="p">,</span> <span class="s1">'lab_results'</span><span class="p">,</span> <span class="s1">'genetic_data'</span><span class="p">,</span> <span class="s1">'provider_id'</span><span class="p">,</span> <span class="s1">'facility_id'</span><span class="p">,</span> <span class="s1">'recorded_at'</span><span class="p">,</span> <span class="p">];</span> <span class="p">}</span> </code></pre> </div> <h3> Node.js: Encryption Service </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">crypto</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">ALGORITHM</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">aes-256-gcm</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">KEY</span> <span class="o">=</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ENCRYPTION_KEY</span><span class="o">!</span><span class="p">,</span> <span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">encryptField</span><span class="p">(</span><span class="nx">plaintext</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">iv</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomBytes</span><span class="p">(</span><span class="mi">16</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">cipher</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">createCipheriv</span><span class="p">(</span><span class="nx">ALGORITHM</span><span class="p">,</span> <span class="nx">KEY</span><span class="p">,</span> <span class="nx">iv</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">encrypted</span> <span class="o">=</span> <span class="nx">cipher</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">plaintext</span><span class="p">,</span> <span class="dl">'</span><span class="s1">utf8</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> <span class="nx">encrypted</span> <span class="o">+=</span> <span class="nx">cipher</span><span class="p">.</span><span class="nf">final</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">authTag</span> <span class="o">=</span> <span class="nx">cipher</span><span class="p">.</span><span class="nf">getAuthTag</span><span class="p">().</span><span class="nf">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="s2">`</span><span class="p">${</span><span class="nx">iv</span><span class="p">.</span><span class="nf">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">)}</span><span class="s2">:</span><span class="p">${</span><span class="nx">authTag</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">encrypted</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">decryptField</span><span class="p">(</span><span class="nx">ciphertext</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">ivHex</span><span class="p">,</span> <span class="nx">authTagHex</span><span class="p">,</span> <span class="nx">encrypted</span><span class="p">]</span> <span class="o">=</span> <span class="nx">ciphertext</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">:</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">iv</span> <span class="o">=</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">ivHex</span><span class="p">,</span> <span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">authTag</span> <span class="o">=</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">authTagHex</span><span class="p">,</span> <span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">decipher</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">createDecipheriv</span><span class="p">(</span><span class="nx">ALGORITHM</span><span class="p">,</span> <span class="nx">KEY</span><span class="p">,</span> <span class="nx">iv</span><span class="p">);</span> <span class="nx">decipher</span><span class="p">.</span><span class="nf">setAuthTag</span><span class="p">(</span><span class="nx">authTag</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">decrypted</span> <span class="o">=</span> <span class="nx">decipher</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">encrypted</span><span class="p">,</span> <span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">utf8</span><span class="dl">'</span><span class="p">);</span> <span class="nx">decrypted</span> <span class="o">+=</span> <span class="nx">decipher</span><span class="p">.</span><span class="nf">final</span><span class="p">(</span><span class="dl">'</span><span class="s1">utf8</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="nx">decrypted</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">createBlindIndex</span><span class="p">(</span><span class="nx">value</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">crypto</span> <span class="p">.</span><span class="nf">createHmac</span><span class="p">(</span><span class="dl">'</span><span class="s1">sha256</span><span class="dl">'</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">INDEX_KEY</span><span class="o">!</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">value</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">().</span><span class="nf">trim</span><span class="p">())</span> <span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Prisma Middleware for Automatic Encryption </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">PrismaClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@prisma/client</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">ENCRYPTED_FIELDS</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="kr">string</span><span class="p">[]</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">{</span> <span class="na">PatientRecord</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">diagnosis</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">treatmentNotes</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">medicationDetails</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">labResults</span><span class="dl">'</span><span class="p">],</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">prisma</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PrismaClient</span><span class="p">();</span> <span class="nx">prisma</span><span class="p">.</span><span class="nf">$use</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">params</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">model</span> <span class="o">=</span> <span class="nx">params</span><span class="p">.</span><span class="nx">model</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">model</span> <span class="o">||</span> <span class="o">!</span><span class="nx">ENCRYPTED_FIELDS</span><span class="p">[</span><span class="nx">model</span><span class="p">])</span> <span class="k">return</span> <span class="nf">next</span><span class="p">(</span><span class="nx">params</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">fields</span> <span class="o">=</span> <span class="nx">ENCRYPTED_FIELDS</span><span class="p">[</span><span class="nx">model</span><span class="p">];</span> <span class="k">if </span><span class="p">([</span><span class="dl">'</span><span class="s1">create</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">update</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">upsert</span><span class="dl">'</span><span class="p">].</span><span class="nf">includes</span><span class="p">(</span><span class="nx">params</span><span class="p">.</span><span class="nx">action</span><span class="p">))</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="nx">params</span><span class="p">.</span><span class="nx">args</span><span class="p">.</span><span class="nx">data</span> <span class="o">||</span> <span class="nx">params</span><span class="p">.</span><span class="nx">args</span><span class="p">.</span><span class="nx">create</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="p">{</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">field</span> <span class="k">of</span> <span class="nx">fields</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">data</span><span class="p">[</span><span class="nx">field</span><span class="p">]</span> <span class="o">!==</span> <span class="kc">undefined</span> <span class="o">&amp;&amp;</span> <span class="nx">data</span><span class="p">[</span><span class="nx">field</span><span class="p">]</span> <span class="o">!==</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="nx">data</span><span class="p">[</span><span class="nx">field</span><span class="p">]</span> <span class="o">=</span> <span class="nf">encryptField</span><span class="p">(</span><span class="nx">data</span><span class="p">[</span><span class="nx">field</span><span class="p">]);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">next</span><span class="p">(</span><span class="nx">params</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">result</span> <span class="o">&amp;&amp;</span> <span class="p">[</span><span class="dl">'</span><span class="s1">findFirst</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">findUnique</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">findMany</span><span class="dl">'</span><span class="p">].</span><span class="nf">includes</span><span class="p">(</span><span class="nx">params</span><span class="p">.</span><span class="nx">action</span><span class="p">))</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">records</span> <span class="o">=</span> <span class="nb">Array</span><span class="p">.</span><span class="nf">isArray</span><span class="p">(</span><span class="nx">result</span><span class="p">)</span> <span class="p">?</span> <span class="nx">result</span> <span class="p">:</span> <span class="p">[</span><span class="nx">result</span><span class="p">];</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">record</span> <span class="k">of</span> <span class="nx">records</span><span class="p">)</span> <span class="p">{</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">field</span> <span class="k">of</span> <span class="nx">fields</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">record</span><span class="p">[</span><span class="nx">field</span><span class="p">])</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">record</span><span class="p">[</span><span class="nx">field</span><span class="p">]</span> <span class="o">=</span> <span class="nf">decryptField</span><span class="p">(</span><span class="nx">record</span><span class="p">[</span><span class="nx">field</span><span class="p">]);</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="c1">// Field may not be encrypted (legacy data)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">result</span><span class="p">;</span> <span class="p">});</span> </code></pre> </div> <h2> Comprehensive Audit Logging </h2> <p>Every access to patient data must be logged. This is not optional — it is a regulatory requirement. The audit log answers: who accessed what data, when, from where, and why.</p> <h3> Laravel Audit Middleware </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">AuditPatientAccess</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">handle</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">,</span> <span class="kt">Closure</span> <span class="nv">$next</span><span class="p">):</span> <span class="kt">Response</span> <span class="p">{</span> <span class="nv">$response</span> <span class="o">=</span> <span class="nv">$next</span><span class="p">(</span><span class="nv">$request</span><span class="p">);</span> <span class="nv">$patientId</span> <span class="o">=</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">route</span><span class="p">(</span><span class="s1">'patientId'</span><span class="p">)</span> <span class="o">??</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">input</span><span class="p">(</span><span class="s1">'patient_id'</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$patientId</span><span class="p">)</span> <span class="p">{</span> <span class="nc">AuditLog</span><span class="o">::</span><span class="nf">create</span><span class="p">([</span> <span class="s1">'user_id'</span> <span class="o">=&gt;</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'user_role'</span> <span class="o">=&gt;</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">primaryRole</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">name</span><span class="p">,</span> <span class="s1">'action'</span> <span class="o">=&gt;</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">method</span><span class="p">()</span> <span class="mf">.</span> <span class="s1">' '</span> <span class="mf">.</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">path</span><span class="p">(),</span> <span class="s1">'resource_type'</span> <span class="o">=&gt;</span> <span class="s1">'patient_data'</span><span class="p">,</span> <span class="s1">'resource_id'</span> <span class="o">=&gt;</span> <span class="nv">$patientId</span><span class="p">,</span> <span class="s1">'ip_address'</span> <span class="o">=&gt;</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">ip</span><span class="p">(),</span> <span class="s1">'user_agent'</span> <span class="o">=&gt;</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">userAgent</span><span class="p">(),</span> <span class="s1">'response_code'</span> <span class="o">=&gt;</span> <span class="nv">$response</span><span class="o">-&gt;</span><span class="nf">getStatusCode</span><span class="p">(),</span> <span class="s1">'request_params'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">sanitiseParams</span><span class="p">(</span><span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">all</span><span class="p">()),</span> <span class="s1">'session_id'</span> <span class="o">=&gt;</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">session</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">getId</span><span class="p">(),</span> <span class="s1">'accessed_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="p">]);</span> <span class="p">}</span> <span class="k">return</span> <span class="nv">$response</span><span class="p">;</span> <span class="p">}</span> <span class="k">private</span> <span class="k">function</span> <span class="n">sanitiseParams</span><span class="p">(</span><span class="kt">array</span> <span class="nv">$params</span><span class="p">):</span> <span class="kt">array</span> <span class="p">{</span> <span class="nv">$sensitive</span> <span class="o">=</span> <span class="p">[</span><span class="s1">'password'</span><span class="p">,</span> <span class="s1">'ssn'</span><span class="p">,</span> <span class="s1">'credit_card'</span><span class="p">,</span> <span class="s1">'diagnosis'</span><span class="p">];</span> <span class="k">return</span> <span class="nf">collect</span><span class="p">(</span><span class="nv">$params</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">map</span><span class="p">(</span><span class="k">fn</span> <span class="p">(</span><span class="nv">$value</span><span class="p">,</span> <span class="nv">$key</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nb">in_array</span><span class="p">(</span><span class="nv">$key</span><span class="p">,</span> <span class="nv">$sensitive</span><span class="p">)</span> <span class="o">?</span> <span class="s1">'[REDACTED]'</span> <span class="o">:</span> <span class="nv">$value</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">all</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Data Retention and Purging </h2> <p>Healthcare regulations specify minimum and maximum retention periods. Data must be available for the required period and securely destroyed afterward:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">DataRetentionService</span> <span class="p">{</span> <span class="k">private</span> <span class="k">const</span> <span class="no">RETENTION_POLICIES</span> <span class="o">=</span> <span class="p">[</span> <span class="s1">'patient_records'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'min_years'</span> <span class="o">=&gt;</span> <span class="mi">7</span><span class="p">,</span> <span class="s1">'max_years'</span> <span class="o">=&gt;</span> <span class="mi">10</span><span class="p">],</span> <span class="s1">'audit_logs'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'min_years'</span> <span class="o">=&gt;</span> <span class="mi">6</span><span class="p">,</span> <span class="s1">'max_years'</span> <span class="o">=&gt;</span> <span class="mi">7</span><span class="p">],</span> <span class="s1">'session_data'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'min_years'</span> <span class="o">=&gt;</span> <span class="mi">0</span><span class="p">,</span> <span class="s1">'max_years'</span> <span class="o">=&gt;</span> <span class="mi">1</span><span class="p">],</span> <span class="s1">'consent_records'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'min_years'</span> <span class="o">=&gt;</span> <span class="mi">10</span><span class="p">,</span> <span class="s1">'max_years'</span> <span class="o">=&gt;</span> <span class="mi">15</span><span class="p">],</span> <span class="p">];</span> <span class="k">public</span> <span class="k">function</span> <span class="n">enforceRetention</span><span class="p">():</span> <span class="kt">array</span> <span class="p">{</span> <span class="nv">$results</span> <span class="o">=</span> <span class="p">[];</span> <span class="k">foreach</span> <span class="p">(</span><span class="k">self</span><span class="o">::</span><span class="no">RETENTION_POLICIES</span> <span class="k">as</span> <span class="nv">$dataType</span> <span class="o">=&gt;</span> <span class="nv">$policy</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$cutoff</span> <span class="o">=</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">subYears</span><span class="p">(</span><span class="nv">$policy</span><span class="p">[</span><span class="s1">'max_years'</span><span class="p">]);</span> <span class="nv">$count</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">getModel</span><span class="p">(</span><span class="nv">$dataType</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'created_at'</span><span class="p">,</span> <span class="s1">'&lt;'</span><span class="p">,</span> <span class="nv">$cutoff</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nb">count</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$count</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">archiveAndPurge</span><span class="p">(</span><span class="nv">$dataType</span><span class="p">,</span> <span class="nv">$cutoff</span><span class="p">);</span> <span class="nv">$results</span><span class="p">[</span><span class="nv">$dataType</span><span class="p">]</span> <span class="o">=</span> <span class="p">[</span><span class="s1">'purged'</span> <span class="o">=&gt;</span> <span class="nv">$count</span><span class="p">,</span> <span class="s1">'cutoff'</span> <span class="o">=&gt;</span> <span class="nv">$cutoff</span><span class="o">-&gt;</span><span class="nf">toDateString</span><span class="p">()];</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nv">$results</span><span class="p">;</span> <span class="p">}</span> <span class="k">private</span> <span class="k">function</span> <span class="n">archiveAndPurge</span><span class="p">(</span><span class="kt">string</span> <span class="nv">$dataType</span><span class="p">,</span> <span class="nv">$cutoff</span><span class="p">):</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$model</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">getModel</span><span class="p">(</span><span class="nv">$dataType</span><span class="p">);</span> <span class="nv">$records</span> <span class="o">=</span> <span class="nv">$model</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'created_at'</span><span class="p">,</span> <span class="s1">'&lt;'</span><span class="p">,</span> <span class="nv">$cutoff</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">cursor</span><span class="p">();</span> <span class="nv">$archivePath</span> <span class="o">=</span> <span class="nb">sprintf</span><span class="p">(</span> <span class="s1">'retention-archive/%s/%s'</span><span class="p">,</span> <span class="nv">$dataType</span><span class="p">,</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">format</span><span class="p">(</span><span class="s1">'Y-m-d'</span><span class="p">)</span> <span class="p">);</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$records</span><span class="o">-&gt;</span><span class="nf">chunk</span><span class="p">(</span><span class="mi">1000</span><span class="p">)</span> <span class="k">as</span> <span class="nv">$chunk</span><span class="p">)</span> <span class="p">{</span> <span class="nc">Storage</span><span class="o">::</span><span class="nf">disk</span><span class="p">(</span><span class="s1">'s3'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">put</span><span class="p">(</span> <span class="s2">"</span><span class="si">{</span><span class="nv">$archivePath</span><span class="si">}</span><span class="s2">/batch-"</span> <span class="mf">.</span> <span class="nb">uniqid</span><span class="p">()</span> <span class="mf">.</span> <span class="s1">'.json.enc'</span><span class="p">,</span> <span class="nc">Crypt</span><span class="o">::</span><span class="nf">encryptString</span><span class="p">(</span><span class="nv">$chunk</span><span class="o">-&gt;</span><span class="nf">toJson</span><span class="p">())</span> <span class="p">);</span> <span class="p">}</span> <span class="nv">$model</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'created_at'</span><span class="p">,</span> <span class="s1">'&lt;'</span><span class="p">,</span> <span class="nv">$cutoff</span><span class="p">)</span><span class="o">-&gt;</span><span class="nb">delete</span><span class="p">();</span> <span class="nc">AuditLog</span><span class="o">::</span><span class="nf">create</span><span class="p">([</span> <span class="s1">'action'</span> <span class="o">=&gt;</span> <span class="s1">'data_retention_purge'</span><span class="p">,</span> <span class="s1">'resource_type'</span> <span class="o">=&gt;</span> <span class="nv">$dataType</span><span class="p">,</span> <span class="s1">'metadata'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'cutoff'</span> <span class="o">=&gt;</span> <span class="nv">$cutoff</span><span class="o">-&gt;</span><span class="nf">toISOString</span><span class="p">()],</span> <span class="s1">'user_id'</span> <span class="o">=&gt;</span> <span class="s1">'system'</span><span class="p">,</span> <span class="p">]);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Consent Management </h2> <p>Patients must give informed consent for data collection and processing. Consent must be tracked, versioned, and revocable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">ConsentService</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">recordConsent</span><span class="p">(</span> <span class="kt">string</span> <span class="nv">$patientId</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$consentType</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$version</span><span class="p">,</span> <span class="kt">bool</span> <span class="nv">$granted</span><span class="p">,</span> <span class="kt">?string</span> <span class="nv">$ipAddress</span> <span class="o">=</span> <span class="kc">null</span> <span class="p">):</span> <span class="kt">ConsentRecord</span> <span class="p">{</span> <span class="k">return</span> <span class="nc">ConsentRecord</span><span class="o">::</span><span class="nf">create</span><span class="p">([</span> <span class="s1">'patient_id'</span> <span class="o">=&gt;</span> <span class="nv">$patientId</span><span class="p">,</span> <span class="s1">'consent_type'</span> <span class="o">=&gt;</span> <span class="nv">$consentType</span><span class="p">,</span> <span class="s1">'version'</span> <span class="o">=&gt;</span> <span class="nv">$version</span><span class="p">,</span> <span class="s1">'granted'</span> <span class="o">=&gt;</span> <span class="nv">$granted</span><span class="p">,</span> <span class="s1">'granted_at'</span> <span class="o">=&gt;</span> <span class="nv">$granted</span> <span class="o">?</span> <span class="nf">now</span><span class="p">()</span> <span class="o">:</span> <span class="kc">null</span><span class="p">,</span> <span class="s1">'revoked_at'</span> <span class="o">=&gt;</span> <span class="o">!</span><span class="nv">$granted</span> <span class="o">?</span> <span class="nf">now</span><span class="p">()</span> <span class="o">:</span> <span class="kc">null</span><span class="p">,</span> <span class="s1">'ip_address'</span> <span class="o">=&gt;</span> <span class="nv">$ipAddress</span><span class="p">,</span> <span class="s1">'metadata'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'user_agent'</span> <span class="o">=&gt;</span> <span class="nf">request</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">userAgent</span><span class="p">(),</span> <span class="s1">'consent_form_version'</span> <span class="o">=&gt;</span> <span class="nv">$version</span><span class="p">,</span> <span class="p">],</span> <span class="p">]);</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">hasActiveConsent</span><span class="p">(</span><span class="kt">string</span> <span class="nv">$patientId</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$consentType</span><span class="p">):</span> <span class="kt">bool</span> <span class="p">{</span> <span class="nv">$latest</span> <span class="o">=</span> <span class="nc">ConsentRecord</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s1">'patient_id'</span><span class="p">,</span> <span class="nv">$patientId</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'consent_type'</span><span class="p">,</span> <span class="nv">$consentType</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">latest</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">first</span><span class="p">();</span> <span class="k">return</span> <span class="nv">$latest</span> <span class="o">&amp;&amp;</span> <span class="nv">$latest</span><span class="o">-&gt;</span><span class="n">granted</span> <span class="o">&amp;&amp;</span> <span class="nv">$latest</span><span class="o">-&gt;</span><span class="n">revoked_at</span> <span class="o">===</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">revokeConsent</span><span class="p">(</span><span class="kt">string</span> <span class="nv">$patientId</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$consentType</span><span class="p">):</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$latest</span> <span class="o">=</span> <span class="nc">ConsentRecord</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s1">'patient_id'</span><span class="p">,</span> <span class="nv">$patientId</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'consent_type'</span><span class="p">,</span> <span class="nv">$consentType</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'granted'</span><span class="p">,</span> <span class="kc">true</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">whereNull</span><span class="p">(</span><span class="s1">'revoked_at'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">latest</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">first</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$latest</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$latest</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span><span class="s1">'revoked_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()]);</span> <span class="nc">DataAnonymisationJob</span><span class="o">::</span><span class="nf">dispatch</span><span class="p">(</span><span class="nv">$patientId</span><span class="p">,</span> <span class="nv">$consentType</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">onQueue</span><span class="p">(</span><span class="s1">'high'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Production Results </h2> <p>After implementing security-by-design across healthcare data platforms:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Before</th> <th>After</th> </tr> </thead> <tbody> <tr> <td>Security audit findings (critical)</td> <td>7</td> <td>0</td> </tr> <tr> <td>Data access without audit trail</td> <td>~15% of operations</td> <td>0%</td> </tr> <tr> <td>Unauthorised access attempts detected</td> <td>Unknown</td> <td>23/month (all blocked and logged)</td> </tr> <tr> <td>Compliance audit preparation time</td> <td>4 weeks</td> <td>3 days</td> </tr> <tr> <td>Data breach incidents</td> <td>N/A (pre-platform)</td> <td>0</td> </tr> <tr> <td>Mean time to detect anomalous access</td> <td>Unknown</td> <td>&lt; 15 minutes</td> </tr> </tbody> </table></div> <h2> Key Takeaways </h2> <ol> <li><p><strong>Security is architecture, not a feature.</strong> It must be built into every layer — authentication, access control, encryption, audit logging, and data retention — from day one.</p></li> <li><p><strong>Log every data access.</strong> In healthcare, the question is not "if" an audit will happen but "when." Complete audit trails make the difference between a smooth audit and a compliance crisis.</p></li> <li><p><strong>Encrypt sensitive fields, not just the database.</strong> Encryption at rest protects against disk theft. Field-level encryption protects against application-layer breaches and insider threats.</p></li> <li><p><strong>Implement RBAC with conditions.</strong> "Doctor" is not a sufficient access level. "Doctor who is assigned to this patient, accessing during working hours, from a known IP" is closer to what healthcare systems require.</p></li> <li><p><strong>Manage consent as a first-class data model.</strong> Consent is not a checkbox — it is a versioned, auditable, revocable record that governs what data you are allowed to process.</p></li> <li><p><strong>Plan for data retention from the start.</strong> Healthcare regulations specify both minimum and maximum retention periods. Build the retention and purging infrastructure before you have millions of records.</p></li> </ol> <h2> Conclusion </h2> <p>Building healthcare data platforms requires a security mindset that goes beyond typical web application security. Every design decision — from database schema to API design to deployment configuration — must account for the sensitivity of the data and the regulatory requirements that govern it.</p> <p>The patterns in this article are not theoretical. They come from building systems that handle real patient data under real regulatory scrutiny. Whether you build in Laravel or Node.js, the principles are universal: encrypt by default, log everything, enforce access at every layer, and design for the audit that will inevitably come.</p> security hipaa laravel node From Monolith to Modular: A Strangler Migration Playbook Olamilekan Lamidi Tue, 28 Apr 2026 14:23:02 +0000 https://dev.to/oluwatosinolamilekan/from-monolith-to-modular-a-strangler-migration-playbook-527p https://dev.to/oluwatosinolamilekan/from-monolith-to-modular-a-strangler-migration-playbook-527p <p>Every successful application eventually outgrows its original architecture. What started as a clean, well-structured monolith becomes a tangled web of dependencies where changing one feature risks breaking three others. Deployments become risky, test suites take forever, and developers spend more time navigating the codebase than writing new features.</p> <p>The instinct is to rewrite. Do not. Rewrites are how engineering teams burn months of effort and deliver something that, at best, does what the old system already did. The better approach is incremental migration: systematically extracting capabilities from the monolith while keeping the system running in production the entire time.</p> <p>I have led these migrations across multiple companies — taking legacy codebases with 15+ modules, hundreds of database tables, and years of accumulated technical debt and transforming them into modular, maintainable architectures without downtime. This article is the playbook.</p> <h2> Why Monoliths Become Painful </h2> <p>Monoliths are not inherently bad. They are fast to build, easy to deploy, and simple to reason about — at small scale. The problems emerge gradually:</p> <ol> <li><p><strong>Deployment coupling:</strong> Every change, no matter how small, requires deploying the entire application. A CSS fix and a payment logic change ship in the same deployment.</p></li> <li><p><strong>Dependency tangles:</strong> Module A depends on Module B which depends on Module C which depends on Module A. Circular dependencies make changes unpredictable.</p></li> <li><p><strong>Test suite slowdown:</strong> Running the full test suite takes 30+ minutes. Developers start skipping tests. Bugs escape to production.</p></li> <li><p><strong>Team bottlenecks:</strong> Multiple teams working on the same codebase create merge conflicts, code review backlogs, and release coordination overhead.</p></li> <li><p><strong>Scaling limitations:</strong> You cannot scale the payment processing component independently of the user profile component. Everything scales (or fails) together.</p></li> </ol> <h2> The Strangler Fig Pattern </h2> <p>The strangler fig pattern, named after the plant that gradually envelops its host tree, is the safest approach to migrating away from a monolith. The strategy:</p> <ol> <li> <strong>Identify a capability</strong> to extract from the monolith</li> <li> <strong>Build the new implementation</strong> alongside the old one</li> <li> <strong>Route traffic</strong> to the new implementation (gradually or all at once)</li> <li> <strong>Remove the old implementation</strong> once the new one is proven</li> <li> <strong>Repeat</strong> for the next capability</li> </ol> <p>The monolith continues to run throughout. There is no big bang cutover. Each migration step is small, reversible, and independently testable.</p> <h2> Phase 1: Understanding What You Have </h2> <p>Before you extract anything, you need a map of the current system.</p> <h3> Dependency Analysis </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Laravel: Find all cross-module dependencies</span> <span class="c"># Look for imports/use statements between modules</span> </code></pre> </div> <h3> Laravel Module Boundary Analysis </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kn">namespace</span> <span class="nn">App\Console\Commands</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Illuminate\Console\Command</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Illuminate\Support\Facades\File</span><span class="p">;</span> <span class="kd">class</span> <span class="nc">AnalyzeModuleDependencies</span> <span class="kd">extends</span> <span class="nc">Command</span> <span class="p">{</span> <span class="k">protected</span> <span class="nv">$signature</span> <span class="o">=</span> <span class="s1">'modules:analyze'</span><span class="p">;</span> <span class="k">public</span> <span class="k">function</span> <span class="n">handle</span><span class="p">():</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$modules</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">getModuleDirectories</span><span class="p">();</span> <span class="nv">$dependencies</span> <span class="o">=</span> <span class="p">[];</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$modules</span> <span class="k">as</span> <span class="nv">$module</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$files</span> <span class="o">=</span> <span class="nc">File</span><span class="o">::</span><span class="nf">allFiles</span><span class="p">(</span><span class="nf">app_path</span><span class="p">(</span><span class="nv">$module</span><span class="p">));</span> <span class="nv">$imports</span> <span class="o">=</span> <span class="p">[];</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$files</span> <span class="k">as</span> <span class="nv">$file</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$content</span> <span class="o">=</span> <span class="nv">$file</span><span class="o">-&gt;</span><span class="nf">getContents</span><span class="p">();</span> <span class="nb">preg_match_all</span><span class="p">(</span><span class="s1">'/use App\\\\(\w+)\\\\/'</span><span class="p">,</span> <span class="nv">$content</span><span class="p">,</span> <span class="nv">$matches</span><span class="p">);</span> <span class="nv">$imports</span> <span class="o">=</span> <span class="nb">array_merge</span><span class="p">(</span><span class="nv">$imports</span><span class="p">,</span> <span class="nv">$matches</span><span class="p">[</span><span class="mi">1</span><span class="p">]);</span> <span class="p">}</span> <span class="nv">$externalDeps</span> <span class="o">=</span> <span class="nb">array_unique</span><span class="p">(</span> <span class="nb">array_filter</span><span class="p">(</span><span class="nv">$imports</span><span class="p">,</span> <span class="k">fn</span> <span class="p">(</span><span class="nv">$dep</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nv">$dep</span> <span class="o">!==</span> <span class="nv">$module</span><span class="p">)</span> <span class="p">);</span> <span class="nv">$dependencies</span><span class="p">[</span><span class="nv">$module</span><span class="p">]</span> <span class="o">=</span> <span class="nv">$externalDeps</span><span class="p">;</span> <span class="p">}</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$dependencies</span> <span class="k">as</span> <span class="nv">$module</span> <span class="o">=&gt;</span> <span class="nv">$deps</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">info</span><span class="p">(</span><span class="s2">"</span><span class="si">{</span><span class="nv">$module</span><span class="si">}</span><span class="s2"> depends on: "</span> <span class="mf">.</span> <span class="nb">implode</span><span class="p">(</span><span class="s1">', '</span><span class="p">,</span> <span class="nv">$deps</span><span class="p">));</span> <span class="p">}</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">detectCircularDependencies</span><span class="p">(</span><span class="nv">$dependencies</span><span class="p">);</span> <span class="p">}</span> <span class="k">private</span> <span class="k">function</span> <span class="n">detectCircularDependencies</span><span class="p">(</span><span class="kt">array</span> <span class="nv">$dependencies</span><span class="p">):</span> <span class="kt">void</span> <span class="p">{</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$dependencies</span> <span class="k">as</span> <span class="nv">$moduleA</span> <span class="o">=&gt;</span> <span class="nv">$depsA</span><span class="p">)</span> <span class="p">{</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$depsA</span> <span class="k">as</span> <span class="nv">$moduleB</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="k">isset</span><span class="p">(</span><span class="nv">$dependencies</span><span class="p">[</span><span class="nv">$moduleB</span><span class="p">])</span> <span class="o">&amp;&amp;</span> <span class="nb">in_array</span><span class="p">(</span><span class="nv">$moduleA</span><span class="p">,</span> <span class="nv">$dependencies</span><span class="p">[</span><span class="nv">$moduleB</span><span class="p">]))</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">warn</span><span class="p">(</span><span class="s2">"Circular dependency: </span><span class="si">{</span><span class="nv">$moduleA</span><span class="si">}</span><span class="s2"> &lt;-&gt; </span><span class="si">{</span><span class="nv">$moduleB</span><span class="si">}</span><span class="s2">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">private</span> <span class="k">function</span> <span class="n">getModuleDirectories</span><span class="p">():</span> <span class="kt">array</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">collect</span><span class="p">(</span><span class="nc">File</span><span class="o">::</span><span class="nf">directories</span><span class="p">(</span><span class="nf">app_path</span><span class="p">()))</span> <span class="o">-&gt;</span><span class="nf">map</span><span class="p">(</span><span class="k">fn</span> <span class="p">(</span><span class="nv">$dir</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nb">basename</span><span class="p">(</span><span class="nv">$dir</span><span class="p">))</span> <span class="o">-&gt;</span><span class="nf">filter</span><span class="p">(</span><span class="k">fn</span> <span class="p">(</span><span class="nv">$dir</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="o">!</span><span class="nb">in_array</span><span class="p">(</span><span class="nv">$dir</span><span class="p">,</span> <span class="p">[</span><span class="s1">'Console'</span><span class="p">,</span> <span class="s1">'Exceptions'</span><span class="p">,</span> <span class="s1">'Http'</span><span class="p">,</span> <span class="s1">'Providers'</span><span class="p">]))</span> <span class="o">-&gt;</span><span class="nf">values</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">all</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Node.js Dependency Mapping </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">fs</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">path</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">ModuleDependency</span> <span class="p">{</span> <span class="nl">module</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">dependsOn</span><span class="p">:</span> <span class="kr">string</span><span class="p">[];</span> <span class="nl">files</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">linesOfCode</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">analyzeModuleDependencies</span><span class="p">(</span><span class="nx">srcDir</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">ModuleDependency</span><span class="p">[]</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">modules</span> <span class="o">=</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readdirSync</span><span class="p">(</span><span class="nx">srcDir</span><span class="p">,</span> <span class="p">{</span> <span class="na">withFileTypes</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="p">.</span><span class="nf">filter</span><span class="p">((</span><span class="nx">d</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">d</span><span class="p">.</span><span class="nf">isDirectory</span><span class="p">())</span> <span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">d</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">d</span><span class="p">.</span><span class="nx">name</span><span class="p">);</span> <span class="k">return</span> <span class="nx">modules</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">moduleName</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">moduleDir</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">srcDir</span><span class="p">,</span> <span class="nx">moduleName</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">files</span> <span class="o">=</span> <span class="nf">getAllFiles</span><span class="p">(</span><span class="nx">moduleDir</span><span class="p">,</span> <span class="p">[</span><span class="dl">'</span><span class="s1">.ts</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">.js</span><span class="dl">'</span><span class="p">]);</span> <span class="kd">const</span> <span class="na">imports</span><span class="p">:</span> <span class="kr">string</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[];</span> <span class="kd">let</span> <span class="nx">totalLines</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">files</span><span class="p">.</span><span class="nf">forEach</span><span class="p">((</span><span class="nx">file</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">content</span> <span class="o">=</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readFileSync</span><span class="p">(</span><span class="nx">file</span><span class="p">,</span> <span class="dl">'</span><span class="s1">utf-8</span><span class="dl">'</span><span class="p">);</span> <span class="nx">totalLines</span> <span class="o">+=</span> <span class="nx">content</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="se">\n</span><span class="dl">'</span><span class="p">).</span><span class="nx">length</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">importRegex</span> <span class="o">=</span> <span class="sr">/from</span><span class="se">\s</span><span class="sr">+</span><span class="se">[</span><span class="sr">'"</span><span class="se">]\.\.\/(\w</span><span class="sr">+</span><span class="se">)</span><span class="sr">/g</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">match</span><span class="p">;</span> <span class="k">while </span><span class="p">((</span><span class="nx">match</span> <span class="o">=</span> <span class="nx">importRegex</span><span class="p">.</span><span class="nf">exec</span><span class="p">(</span><span class="nx">content</span><span class="p">))</span> <span class="o">!==</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">match</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">!==</span> <span class="nx">moduleName</span><span class="p">)</span> <span class="p">{</span> <span class="nx">imports</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">match</span><span class="p">[</span><span class="mi">1</span><span class="p">]);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">});</span> <span class="k">return</span> <span class="p">{</span> <span class="na">module</span><span class="p">:</span> <span class="nx">moduleName</span><span class="p">,</span> <span class="na">dependsOn</span><span class="p">:</span> <span class="p">[...</span><span class="k">new</span> <span class="nc">Set</span><span class="p">(</span><span class="nx">imports</span><span class="p">)],</span> <span class="na">files</span><span class="p">:</span> <span class="nx">files</span><span class="p">.</span><span class="nx">length</span><span class="p">,</span> <span class="na">linesOfCode</span><span class="p">:</span> <span class="nx">totalLines</span><span class="p">,</span> <span class="p">};</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">getAllFiles</span><span class="p">(</span><span class="nx">dir</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">extensions</span><span class="p">:</span> <span class="kr">string</span><span class="p">[]):</span> <span class="kr">string</span><span class="p">[]</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">results</span><span class="p">:</span> <span class="kr">string</span><span class="p">[]</span> <span class="o">=</span> <span class="p">[];</span> <span class="kd">const</span> <span class="nx">entries</span> <span class="o">=</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readdirSync</span><span class="p">(</span><span class="nx">dir</span><span class="p">,</span> <span class="p">{</span> <span class="na">withFileTypes</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">entry</span> <span class="k">of</span> <span class="nx">entries</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">fullPath</span> <span class="o">=</span> <span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="nx">dir</span><span class="p">,</span> <span class="nx">entry</span><span class="p">.</span><span class="nx">name</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">entry</span><span class="p">.</span><span class="nf">isDirectory</span><span class="p">())</span> <span class="p">{</span> <span class="nx">results</span><span class="p">.</span><span class="nf">push</span><span class="p">(...</span><span class="nf">getAllFiles</span><span class="p">(</span><span class="nx">fullPath</span><span class="p">,</span> <span class="nx">extensions</span><span class="p">));</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">extensions</span><span class="p">.</span><span class="nf">some</span><span class="p">((</span><span class="nx">ext</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">entry</span><span class="p">.</span><span class="nx">name</span><span class="p">.</span><span class="nf">endsWith</span><span class="p">(</span><span class="nx">ext</span><span class="p">)))</span> <span class="p">{</span> <span class="nx">results</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="nx">fullPath</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">results</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h2> Phase 2: Establish Module Boundaries </h2> <p>Before extracting services, enforce boundaries within the monolith. This is the most important step and the one most teams skip.</p> <h3> Laravel: Module Service Providers and Contracts </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// app/Billing/Contracts/BillingService.php</span> <span class="kn">namespace</span> <span class="nn">App\Billing\Contracts</span><span class="p">;</span> <span class="kd">interface</span> <span class="nc">BillingService</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">createInvoice</span><span class="p">(</span><span class="kt">string</span> <span class="nv">$customerId</span><span class="p">,</span> <span class="kt">array</span> <span class="nv">$lineItems</span><span class="p">):</span> <span class="kt">Invoice</span><span class="p">;</span> <span class="k">public</span> <span class="k">function</span> <span class="n">processPayment</span><span class="p">(</span><span class="kt">string</span> <span class="nv">$invoiceId</span><span class="p">,</span> <span class="kt">array</span> <span class="nv">$paymentMethod</span><span class="p">):</span> <span class="kt">PaymentResult</span><span class="p">;</span> <span class="k">public</span> <span class="k">function</span> <span class="n">getCustomerBalance</span><span class="p">(</span><span class="kt">string</span> <span class="nv">$customerId</span><span class="p">):</span> <span class="kt">Money</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// app/Billing/BillingServiceProvider.php</span> <span class="kn">namespace</span> <span class="nn">App\Billing</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Illuminate\Support\ServiceProvider</span><span class="p">;</span> <span class="kd">class</span> <span class="nc">BillingServiceProvider</span> <span class="kd">extends</span> <span class="nc">ServiceProvider</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">register</span><span class="p">():</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">app</span><span class="o">-&gt;</span><span class="nf">bind</span><span class="p">(</span> <span class="nc">Contracts\BillingService</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="nc">Services\BillingServiceImpl</span><span class="o">::</span><span class="n">class</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// app/Orders/Services/OrderService.php</span> <span class="kn">namespace</span> <span class="nn">App\Orders\Services</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">App\Billing\Contracts\BillingService</span><span class="p">;</span> <span class="kd">class</span> <span class="nc">OrderService</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">__construct</span><span class="p">(</span><span class="k">private</span> <span class="kt">BillingService</span> <span class="nv">$billing</span><span class="p">)</span> <span class="p">{}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">completeOrder</span><span class="p">(</span><span class="kt">Order</span> <span class="nv">$order</span><span class="p">):</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$invoice</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">billing</span><span class="o">-&gt;</span><span class="nf">createInvoice</span><span class="p">(</span> <span class="nv">$order</span><span class="o">-&gt;</span><span class="n">customer_id</span><span class="p">,</span> <span class="nv">$order</span><span class="o">-&gt;</span><span class="n">lineItems</span><span class="o">-&gt;</span><span class="nf">toArray</span><span class="p">()</span> <span class="p">);</span> <span class="nv">$order</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span><span class="s1">'invoice_id'</span> <span class="o">=&gt;</span> <span class="nv">$invoice</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'status'</span> <span class="o">=&gt;</span> <span class="s1">'invoiced'</span><span class="p">]);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Node.js: Module Interfaces </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/billing/contracts.ts</span> <span class="k">export</span> <span class="kr">interface</span> <span class="nx">BillingService</span> <span class="p">{</span> <span class="nf">createInvoice</span><span class="p">(</span><span class="nx">customerId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">lineItems</span><span class="p">:</span> <span class="nx">LineItem</span><span class="p">[]):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">Invoice</span><span class="o">&gt;</span><span class="p">;</span> <span class="nf">processPayment</span><span class="p">(</span><span class="nx">invoiceId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">method</span><span class="p">:</span> <span class="nx">PaymentMethod</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">PaymentResult</span><span class="o">&gt;</span><span class="p">;</span> <span class="nf">getCustomerBalance</span><span class="p">(</span><span class="nx">customerId</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">Money</span><span class="o">&gt;</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// src/billing/index.ts</span> <span class="k">export</span> <span class="p">{</span> <span class="nx">BillingServiceImpl</span> <span class="k">as</span> <span class="nx">BillingService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./services/billing-service</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">BillingService</span> <span class="k">as</span> <span class="nx">BillingServiceInterface</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./contracts</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// src/orders/services/order-service.ts</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">BillingService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../../billing/contracts</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">OrderService</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="k">private</span> <span class="nx">billing</span><span class="p">:</span> <span class="nx">BillingService</span><span class="p">)</span> <span class="p">{}</span> <span class="k">async</span> <span class="nf">completeOrder</span><span class="p">(</span><span class="nx">order</span><span class="p">:</span> <span class="nx">Order</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="k">void</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">invoice</span> <span class="o">=</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">billing</span><span class="p">.</span><span class="nf">createInvoice</span><span class="p">(</span> <span class="nx">order</span><span class="p">.</span><span class="nx">customerId</span><span class="p">,</span> <span class="nx">order</span><span class="p">.</span><span class="nx">lineItems</span> <span class="p">);</span> <span class="k">await</span> <span class="k">this</span><span class="p">.</span><span class="nx">orderRepo</span><span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">order</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="p">{</span> <span class="na">invoiceId</span><span class="p">:</span> <span class="nx">invoice</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">invoiced</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The key insight: modules communicate through interfaces, not direct implementation references. When you later extract the billing module into its own service, you replace the implementation behind the interface. The calling code does not change.</p> <h2> Phase 3: Extract the First Service </h2> <p>Choose a module that is:</p> <ul> <li>Well-bounded (few incoming dependencies)</li> <li>Independently valuable</li> <li>Not on the critical path (if the extraction has problems, it should not take down the whole system)</li> </ul> <h3> The Routing Layer </h3> <p>Use a proxy or feature flag to route traffic between the monolith and the new service:</p> <h3> Laravel: Switchable Implementation </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// app/Billing/BillingServiceProvider.php</span> <span class="kd">class</span> <span class="nc">BillingServiceProvider</span> <span class="kd">extends</span> <span class="nc">ServiceProvider</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">register</span><span class="p">():</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">app</span><span class="o">-&gt;</span><span class="nf">bind</span><span class="p">(</span><span class="nc">Contracts\BillingService</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="k">function</span> <span class="p">(</span><span class="nv">$app</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$useNewService</span> <span class="o">=</span> <span class="nf">config</span><span class="p">(</span><span class="s1">'features.billing_service_v2'</span><span class="p">,</span> <span class="kc">false</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$useNewService</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">HttpBillingServiceClient</span><span class="p">(</span> <span class="nf">config</span><span class="p">(</span><span class="s1">'services.billing.url'</span><span class="p">),</span> <span class="nf">config</span><span class="p">(</span><span class="s1">'services.billing.api_key'</span><span class="p">),</span> <span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Services\BillingServiceImpl</span><span class="p">();</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// The HTTP client talks to the extracted billing service</span> <span class="kd">class</span> <span class="nc">HttpBillingServiceClient</span> <span class="kd">implements</span> <span class="nc">Contracts\BillingService</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">__construct</span><span class="p">(</span> <span class="k">private</span> <span class="kt">string</span> <span class="nv">$baseUrl</span><span class="p">,</span> <span class="k">private</span> <span class="kt">string</span> <span class="nv">$apiKey</span><span class="p">,</span> <span class="p">)</span> <span class="p">{}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">createInvoice</span><span class="p">(</span><span class="kt">string</span> <span class="nv">$customerId</span><span class="p">,</span> <span class="kt">array</span> <span class="nv">$lineItems</span><span class="p">):</span> <span class="kt">Invoice</span> <span class="p">{</span> <span class="nv">$response</span> <span class="o">=</span> <span class="nc">Http</span><span class="o">::</span><span class="nf">withToken</span><span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">apiKey</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">timeout</span><span class="p">(</span><span class="mi">10</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">retry</span><span class="p">(</span><span class="mi">3</span><span class="p">,</span> <span class="mi">100</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">post</span><span class="p">(</span><span class="s2">"</span><span class="si">{</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">baseUrl</span><span class="si">}</span><span class="s2">/api/invoices"</span><span class="p">,</span> <span class="p">[</span> <span class="s1">'customer_id'</span> <span class="o">=&gt;</span> <span class="nv">$customerId</span><span class="p">,</span> <span class="s1">'line_items'</span> <span class="o">=&gt;</span> <span class="nv">$lineItems</span><span class="p">,</span> <span class="p">]);</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$response</span><span class="o">-&gt;</span><span class="nf">failed</span><span class="p">())</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">BillingServiceException</span><span class="p">(</span><span class="s2">"Failed to create invoice: "</span> <span class="mf">.</span> <span class="nv">$response</span><span class="o">-&gt;</span><span class="nf">body</span><span class="p">());</span> <span class="p">}</span> <span class="k">return</span> <span class="nc">Invoice</span><span class="o">::</span><span class="nf">fromArray</span><span class="p">(</span><span class="nv">$response</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">());</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Node.js: Strategy Pattern Switch </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">BillingService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./contracts</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">LocalBillingService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./services/billing-service</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">RemoteBillingService</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./services/remote-billing-service</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">createBillingService</span><span class="p">():</span> <span class="nx">BillingService</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">BILLING_SERVICE_V2</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">true</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">RemoteBillingService</span><span class="p">(</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">BILLING_SERVICE_URL</span><span class="o">!</span><span class="p">,</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">BILLING_SERVICE_API_KEY</span><span class="o">!</span> <span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">LocalBillingService</span><span class="p">();</span> <span class="p">}</span> <span class="kd">class</span> <span class="nc">RemoteBillingService</span> <span class="k">implements</span> <span class="nx">BillingService</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span> <span class="k">private</span> <span class="nx">baseUrl</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="k">private</span> <span class="nx">apiKey</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="p">)</span> <span class="p">{}</span> <span class="k">async</span> <span class="nf">createInvoice</span><span class="p">(</span><span class="nx">customerId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">lineItems</span><span class="p">:</span> <span class="nx">LineItem</span><span class="p">[]):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">Invoice</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="k">this</span><span class="p">.</span><span class="nx">baseUrl</span><span class="p">}</span><span class="s2">/api/invoices`</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Authorization</span><span class="dl">'</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="k">this</span><span class="p">.</span><span class="nx">apiKey</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">customer_id</span><span class="p">:</span> <span class="nx">customerId</span><span class="p">,</span> <span class="na">line_items</span><span class="p">:</span> <span class="nx">lineItems</span> <span class="p">}),</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`Billing service error: </span><span class="p">${</span><span class="nx">response</span><span class="p">.</span><span class="nx">status</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Phase 4: Data Migration Strategy </h2> <p>The hardest part of service extraction is data ownership. When the billing module becomes its own service, who owns the billing tables?</p> <h3> Shared Database Phase </h3> <p>Initially, the new service reads from the same database as the monolith. This avoids data migration complexity during the initial extraction.</p> <h3> Data Sync Phase </h3> <p>Introduce event-based data synchronisation. The new service maintains its own datastore, kept in sync via events:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">BillingDataSyncListener</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">handle</span><span class="p">(</span><span class="kt">CustomerUpdated</span> <span class="nv">$event</span><span class="p">):</span> <span class="kt">void</span> <span class="p">{</span> <span class="nc">Http</span><span class="o">::</span><span class="nf">post</span><span class="p">(</span><span class="nf">config</span><span class="p">(</span><span class="s1">'services.billing.url'</span><span class="p">)</span> <span class="mf">.</span> <span class="s1">'/api/sync/customer'</span><span class="p">,</span> <span class="p">[</span> <span class="s1">'customer_id'</span> <span class="o">=&gt;</span> <span class="nv">$event</span><span class="o">-&gt;</span><span class="n">customerId</span><span class="p">,</span> <span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="nv">$event</span><span class="o">-&gt;</span><span class="n">name</span><span class="p">,</span> <span class="s1">'email'</span> <span class="o">=&gt;</span> <span class="nv">$event</span><span class="o">-&gt;</span><span class="n">email</span><span class="p">,</span> <span class="p">]);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Full Ownership Phase </h3> <p>The new service owns its data completely. The monolith no longer writes to billing tables. All access goes through the service API.</p> <h2> Phase 5: Zero-Downtime Cutover </h2> <p>The cutover from monolith to new service should be invisible to users:</p> <ol> <li><p><strong>Shadow mode:</strong> Both implementations run. The new service processes requests but responses come from the monolith. Compare outputs for correctness.</p></li> <li><p><strong>Canary rollout:</strong> Route 5% of traffic to the new service. Monitor error rates, latency, and correctness. Gradually increase.</p></li> <li><p><strong>Full rollout:</strong> Route 100% to the new service. Keep the monolith implementation for 2 weeks as a rollback option.</p></li> <li><p><strong>Cleanup:</strong> Remove the old implementation from the monolith.<br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">BillingServiceProvider</span> <span class="kd">extends</span> <span class="nc">ServiceProvider</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">register</span><span class="p">():</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">app</span><span class="o">-&gt;</span><span class="nf">bind</span><span class="p">(</span><span class="nc">Contracts\BillingService</span><span class="o">::</span><span class="n">class</span><span class="p">,</span> <span class="k">function</span> <span class="p">()</span> <span class="p">{</span> <span class="nv">$strategy</span> <span class="o">=</span> <span class="nf">config</span><span class="p">(</span><span class="s1">'features.billing_migration_phase'</span><span class="p">);</span> <span class="k">return</span> <span class="k">match</span> <span class="p">(</span><span class="nv">$strategy</span><span class="p">)</span> <span class="p">{</span> <span class="s1">'monolith'</span> <span class="o">=&gt;</span> <span class="k">new</span> <span class="nc">Services\BillingServiceImpl</span><span class="p">(),</span> <span class="s1">'shadow'</span> <span class="o">=&gt;</span> <span class="k">new</span> <span class="nc">ShadowBillingService</span><span class="p">(</span> <span class="n">primary</span><span class="o">:</span> <span class="k">new</span> <span class="nc">Services\BillingServiceImpl</span><span class="p">(),</span> <span class="n">shadow</span><span class="o">:</span> <span class="k">new</span> <span class="nc">HttpBillingServiceClient</span><span class="p">(</span><span class="cm">/*...*/</span><span class="p">),</span> <span class="p">),</span> <span class="s1">'canary'</span> <span class="o">=&gt;</span> <span class="k">new</span> <span class="nc">CanaryBillingService</span><span class="p">(</span> <span class="n">legacy</span><span class="o">:</span> <span class="k">new</span> <span class="nc">Services\BillingServiceImpl</span><span class="p">(),</span> <span class="n">modern</span><span class="o">:</span> <span class="k">new</span> <span class="nc">HttpBillingServiceClient</span><span class="p">(</span><span class="cm">/*...*/</span><span class="p">),</span> <span class="n">percentage</span><span class="o">:</span> <span class="p">(</span><span class="n">int</span><span class="p">)</span> <span class="nf">config</span><span class="p">(</span><span class="s1">'features.billing_canary_percentage'</span><span class="p">,</span> <span class="mi">5</span><span class="p">),</span> <span class="p">),</span> <span class="s1">'modern'</span> <span class="o">=&gt;</span> <span class="k">new</span> <span class="nc">HttpBillingServiceClient</span><span class="p">(</span><span class="cm">/*...*/</span><span class="p">),</span> <span class="k">default</span> <span class="o">=&gt;</span> <span class="k">new</span> <span class="nc">Services\BillingServiceImpl</span><span class="p">(),</span> <span class="p">};</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Measuring Migration Success </h2> <p>Track these metrics throughout the migration:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Purpose</th> </tr> </thead> <tbody> <tr> <td>Deployment frequency</td> <td>Should increase as modules become independent</td> </tr> <tr> <td>Lead time for changes</td> <td>Should decrease as codebase complexity drops</td> </tr> <tr> <td>Test suite runtime</td> <td>Should decrease per module</td> </tr> <tr> <td>Incidents per deployment</td> <td>Should decrease with smaller change sets</td> </tr> <tr> <td>Mean time to recovery</td> <td>Should decrease with independent rollback capability</td> </tr> </tbody> </table></div> <h3> Production Results from Past Migrations </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Before (Monolith)</th> <th>After (Modular)</th> </tr> </thead> <tbody> <tr> <td>Deployment frequency</td> <td>1–2 per week</td> <td>3–5 per day</td> </tr> <tr> <td>Full test suite runtime</td> <td>35 minutes</td> <td>8 minutes (per module)</td> </tr> <tr> <td>Average deploy risk score</td> <td>High</td> <td>Low (per module)</td> </tr> <tr> <td>Time to onboard new developer</td> <td>3 weeks</td> <td>1 week</td> </tr> <tr> <td>Query execution time</td> <td>1.8s average</td> <td>180ms average (60% reduction)</td> </tr> <tr> <td>System performance</td> <td>Baseline</td> <td>40% improvement</td> </tr> </tbody> </table></div> <h2> Key Takeaways </h2> <ol> <li><p><strong>Never rewrite. Always migrate incrementally.</strong> The strangler fig pattern lets you replace the monolith piece by piece while keeping the system running.</p></li> <li><p><strong>Establish boundaries before extracting.</strong> Enforce module interfaces within the monolith first. This makes extraction a configuration change, not a rewrite.</p></li> <li><p><strong>Start with a low-risk module.</strong> Pick something well-bounded and non-critical for your first extraction. Build confidence before tackling core business logic.</p></li> <li><p><strong>Use feature flags for cutover.</strong> Shadow mode, canary rollouts, and instant rollback make the migration safe. Never do a big bang switchover.</p></li> <li><p><strong>Solve data ownership explicitly.</strong> Shared database → event-based sync → full ownership is the safest data migration path.</p></li> <li><p><strong>Measure continuously.</strong> Deployment frequency, test runtime, and incident rate tell you whether the migration is actually improving things.</p></li> </ol> <h2> Conclusion </h2> <p>Migrating from a monolith to a modular architecture is not a technical project — it is an engineering discipline applied over weeks and months. The strangler fig pattern makes it safe. Interface-first module design makes it clean. Feature flags make it reversible. And continuous measurement makes it accountable.</p> <p>Whether you are working in Laravel or Node.js, the approach is the same: understand what you have, enforce boundaries, extract behind interfaces, migrate data carefully, and cut over gradually. The monolith did not become painful overnight, and the fix will not happen overnight either. But each step makes the system better, and the cumulative impact is transformative.</p> laravel microservices devops node Why I Mentor Junior Developers: Growing the Next Generation of Tech Talent Olamilekan Lamidi Sun, 19 Apr 2026 21:20:52 +0000 https://dev.to/oluwatosinolamilekan/why-i-mentor-junior-developers-growing-the-next-generation-of-tech-talent-46nn https://dev.to/oluwatosinolamilekan/why-i-mentor-junior-developers-growing-the-next-generation-of-tech-talent-46nn <h2> The Mentoring Gap in Tech </h2> <p>The technology industry has a well-documented pipeline problem. We talk endlessly about hiring, about talent shortages, about the difficulty of finding "senior" engineers. What we talk about far less is the systematic failure to develop the talent we already have.</p> <p>This gap is especially acute in emerging markets. In Lagos, where I began my career, the demand for experienced software engineers far outstrips supply. Boot camps and university programmes produce developers who can write code, but the journey from writing code to building production systems — understanding architecture, debugging complex distributed systems, making sound technical trade-offs under pressure — that journey requires guided experience. It requires mentorship.</p> <p>The statistics bear this out. According to a 2023 Stack Overflow Developer Survey, over 60% of developers with fewer than five years of experience report that they lack access to meaningful technical mentorship at work. In African tech ecosystems, where the average engineering team is smaller and companies often cannot afford dedicated developer experience roles, the problem is even more pronounced.</p> <p>I have seen the consequences firsthand. Junior developers who are talented but directionless, writing code that works but does not scale. Mid-level engineers who have plateaued because nobody ever showed them how to think about system design. Brilliant minds leaving the industry entirely because they felt unsupported and overwhelmed.</p> <p>This is not a talent problem. It is a mentorship problem. And it is one that senior engineers — those of us who have accumulated the scars and the knowledge — have both the ability and the responsibility to solve.</p> <h2> My Approach to Mentoring </h2> <p>Over the years, I have developed a mentoring approach that goes beyond answering questions when asked. It is proactive, structured, and woven into the daily fabric of engineering work. I learned early that the most effective mentoring does not happen in scheduled one-on-ones (though those matter too). It happens in the moments where engineering decisions are being made in real time.</p> <h3> Code Reviews as Teaching Moments </h3> <p>I treat every code review as a teaching opportunity. When I review a junior developer's pull request, I do not simply approve or request changes. I explain the reasoning behind my suggestions. If I ask someone to refactor a database query, I explain what the current query does to performance at scale. If I suggest a different design pattern, I walk through the trade-offs of both approaches.</p> <p>At Lordwin Group, where I led a team of five backend developers, I established a code review culture where every pull request received at least two reviews, and at least one review had to include an explanatory comment — not just "change this," but "here is why." The impact was immediate. Junior developers began anticipating architectural concerns in their own code before the review stage. The quality of initial submissions improved dramatically within three months.</p> <p>I remember reviewing a pull request from a junior developer on the team who had written a working but brittle API endpoint for the gaming platform. Instead of rewriting it myself, I scheduled a 30-minute pair programming session. We walked through the request lifecycle together — how the payload was validated, how the database was queried, how the response was structured, and where the failure points were under load. By the end of the session, the developer had refactored the endpoint themselves, and more importantly, they understood the principles behind the refactoring. That developer went on to independently architect a feature module for our investment platform three months later.</p> <h3> Pair Programming as Skill Transfer </h3> <p>Pair programming is the most underutilised mentoring tool in software engineering. I use it deliberately, especially for complex features or unfamiliar domains. When I was at 2am Tech, collaborating with a cross-functional team of eight engineers building Addio — a financial platform serving 500+ organisations — I regularly paired with less experienced team members on critical backend work.</p> <p>One engineer on the team was strong in frontend development but had limited backend experience. Rather than assigning them only frontend tasks, I paired with them on building a Node.js service that handled vendor payment workflows. Over several pairing sessions, we worked through API design, database transaction management, error handling patterns, and queue-based architecture for processing payments asynchronously. Within two months, that engineer was confidently building backend services independently and had begun contributing to our architecture discussions.</p> <p>Olamilekan Lamidi does not hoard knowledge. That principle guides everything I do in a team.</p> <h3> Architecture Discussions as Education </h3> <p>I make a point of including junior and mid-level engineers in architecture discussions, even when their immediate role does not require it. At 54gene, where I worked as a full-stack developer building data collection systems for Africa's leading genomics company, we had a cross-functional team of 10+ members. I advocated for — and helped establish — weekly architecture review sessions where engineers at every level could participate.</p> <p>These sessions were not presentations. They were collaborative discussions where I would propose an architecture, invite challenges, and walk through the reasoning behind decisions. Why we chose a service-oriented approach for certain modules. Why we implemented specific caching strategies for patient data forms. How we balanced data sensitivity with system performance.</p> <p>The junior engineers on the team may not have been making those architectural decisions, but by witnessing and participating in the discussion, they were building the mental models they would need when they eventually did. Several of those engineers have since moved into senior roles at other companies — and I know those sessions played a part in their growth.</p> <h2> Structuring Mentorship Beyond Technical Skills </h2> <p>Technical mentoring is essential, but it is not sufficient. The engineers I mentor most effectively are the ones where I invest in three dimensions: technical skills, soft skills, and career navigation.</p> <h3> Technical Skills: Building Depth and Breadth </h3> <p>I structure technical mentoring around progressive complexity. A junior developer on my team does not jump straight from CRUD operations to distributed systems. I map out a learning path:</p> <ol> <li> <strong>Foundations:</strong> Clean code, testing, version control discipline, debugging methodologies</li> <li> <strong>Intermediate:</strong> API design, database optimisation, authentication patterns, error handling at scale</li> <li> <strong>Advanced:</strong> System architecture, event-driven patterns, performance profiling, infrastructure as code</li> </ol> <p>At Lordwin Group, I created informal "engineering growth plans" for each of the five developers I led. These were not corporate HR documents — they were living technical roadmaps. Each quarter, I sat with every team member and reviewed where they were, what they had learned, and what they needed to tackle next. One developer who started as a PHP-only backend engineer progressed to confidently working across Node.js and React within eight months through this structured approach.</p> <h3> Soft Skills: Communication, Estimation, and Ownership </h3> <p>I have watched technically brilliant engineers stall in their careers because they could not communicate their ideas, estimate their work, or take ownership of outcomes. Mentoring in these areas is harder — it requires trust and candid conversation — but the payoff is enormous.</p> <p>I coach engineers on how to present technical proposals to non-technical stakeholders. How to write clear, concise pull request descriptions. How to estimate work by breaking down unknowns. How to own a failure, conduct a post-mortem, and extract lessons without blame. These are the skills that separate engineers who write code from engineers who lead teams.</p> <h3> Career Guidance: Navigating the Path </h3> <p>Especially for engineers in Lagos and across Africa, career navigation can be opaque. Which technologies should you invest in? When should you specialise versus generalise? How do you break into remote roles with international companies? How do you negotiate compensation?</p> <p>I share my own career trajectory openly — from Civic MediaLab in Lagos to working with teams across Ukraine, the United States, and the United Kingdom. I discuss the decisions I made, the mistakes I made, and the skills that unlocked each transition. For engineers who aspire to work on the global stage, having someone who has walked that path is invaluable.</p> <h2> Impact: Developers Who Grew </h2> <p>Mentoring is difficult to quantify. There is no dashboard that shows "junior developer promoted to senior because Olamilekan Lamidi spent 30 minutes explaining event-driven architecture." But the evidence is there in the trajectories of the people I have worked with.</p> <p>At Lordwin Group, two of the five developers I led as a senior engineer went on to secure senior engineering positions within 18 months of our time working together. One of them now leads a team of his own at a fintech company in Lagos. He told me directly that the code review culture and architecture discussions I established were the most impactful learning experiences of his early career.</p> <p>At 2am Tech, the engineer I paired with on backend services went from being a frontend-only developer to a full-stack engineer within one product cycle. They credited the pairing sessions with giving them the confidence to tackle unfamiliar domains.</p> <p>At 54gene, the junior engineers who participated in our architecture reviews went on to contribute meaningfully to system design decisions by the end of their tenure — a progression that typically takes much longer without structured exposure.</p> <p>These are not isolated cases. They are the predictable outcome of treating mentoring as engineering work — work that deserves time, intention, and rigour.</p> <h2> Community Engagement: Mentoring Beyond the Workplace </h2> <p>My commitment to mentoring extends beyond the teams I work with directly. I have been active in the Lagos tech community, participating in developer meetups and knowledge-sharing sessions that help early-career engineers navigate the industry. I engage on platforms like ADPList, where I offer mentoring sessions focused on backend engineering, career transitions, and breaking into remote international roles.</p> <p>I also contribute to the broader engineering community through technical writing — articles like this one, published on Medium, DEV.TO, and LinkedIn — that distil hard-earned lessons into accessible guidance. Every article I publish is, in a sense, a mentoring session at scale. When a junior developer in Nairobi or Accra reads about how I optimised database queries at VacancySoft or architected a real-time gaming backend at Lordwin Group, they are gaining access to production-level knowledge that they might not encounter in their current work environment.</p> <p>This is not altruism. It is ecosystem building. The stronger the engineers around me, the stronger the teams I work with, the products I contribute to, and the industry as a whole.</p> <h2> The Business Case for Mentoring </h2> <p>For engineering leaders reading this, mentoring is not just a moral good — it is a strategic advantage. The data is compelling:</p> <p><strong>Faster Onboarding.</strong> Teams with structured mentoring practices onboard new engineers 40–50% faster. At Lordwin Group, new developers were contributing production code within their second week, compared to the industry average of four to six weeks. This was a direct result of the code review culture and pairing practices I established.</p> <p><strong>Better Code Quality.</strong> When junior developers understand the "why" behind architectural decisions, they write better code from the start. Our pull request rejection rate at Lordwin Group dropped by roughly 35% within four months of implementing teaching-oriented code reviews.</p> <p><strong>Reduced Turnover.</strong> Engineers who feel invested in stay. In an industry where the average tenure is under two years, creating an environment where developers are actively growing is one of the most effective retention strategies available. The Lordwin team remained remarkably stable during my tenure despite competitive market conditions.</p> <p><strong>Knowledge Distribution.</strong> In teams without mentoring culture, knowledge concentrates in one or two senior engineers. This creates catastrophic bus factor risk. By actively distributing knowledge through mentoring, I ensured that no single engineer — including myself — was a single point of failure.</p> <h2> A Call to Action for Senior Engineers </h2> <p>If you are a senior engineer reading this, I want to challenge you directly: when was the last time you deliberately taught someone something?</p> <p>Not answered a question in Slack. Not pointed someone to the documentation. Actually sat down, understood where someone was struggling, and helped them build the mental model they needed to solve the problem themselves.</p> <p>Olamilekan Lamidi's career was shaped by a senior engineer who chose to invest 30 minutes in a confused junior developer at Civic MediaLab in 2017. That investment compounded. It made me a better engineer, which made me a better technical lead, which made the teams I led more effective, which made the products we shipped more robust.</p> <p>Every senior engineer has this power. The question is whether we choose to use it.</p> <p>The technology sector does not advance through individual brilliance alone. It advances when knowledge flows freely, when experienced practitioners invest in the next generation, and when the barriers to entry are lowered not by reducing standards, but by raising support.</p> <p>I mentor because I was mentored. I share because someone shared with me. And I will continue doing so because I have seen, over nine years and across six companies and four countries, that this is how you build an industry that lasts.</p> softwareengineering techleadership careergrowth techcommunity Designing Audit-Proof Financial Workflows with Immutable Logs Olamilekan Lamidi Fri, 17 Apr 2026 10:10:10 +0000 https://dev.to/oluwatosinolamilekan/designing-audit-proof-financial-workflows-with-immutable-logs-1ba https://dev.to/oluwatosinolamilekan/designing-audit-proof-financial-workflows-with-immutable-logs-1ba <h2> Why Mutable Records Break Under Audit </h2> <p>Most web applications store the current state of a record. When an invoice status changes from "pending" to "paid," the database row is updated in place. The previous state is gone.</p> <p>This works fine for most applications. For financial systems, it is a liability:</p> <ul> <li> <strong>No history:</strong> You cannot prove what the invoice status was yesterday at 3pm.</li> <li> <strong>No attribution:</strong> You cannot tell who changed the status or why.</li> <li> <strong>No reconciliation path:</strong> When numbers do not match, there is no trail to follow.</li> <li> <strong>No tamper evidence:</strong> A modified record looks identical to a legitimate one.</li> </ul> <p>Financial regulations — PCI DSS, SOX, FCA guidelines — require that systems maintain a complete, tamper-evident record of all financial transactions and state changes. An UPDATE statement destroys exactly the evidence you are required to preserve.</p> <h2> The Immutable Log Pattern </h2> <p>The solution is to never update or delete financial records. Instead, every change is recorded as a new, append-only event:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Event 1] Invoice #1042 CREATED — amount: £5,000 — by: user_42 — at: 2025-03-01T09:15:00Z [Event 2] Invoice #1042 APPROVED — approved_by: user_15 — at: 2025-03-01T14:30:00Z [Event 3] Invoice #1042 PAYMENT_RECEIVED — amount: £5,000 — ref: PAY_8821 — at: 2025-03-05T11:00:00Z [Event 4] Invoice #1042 RECONCILED — matched_to: BANK_TXN_4401 — at: 2025-03-06T08:45:00Z </code></pre> </div> <p>The current state of the invoice is derived by replaying the events in order. The audit trail is the events themselves. Nothing is lost, nothing is overwritten.</p> <h2> Architecture Overview </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Client Request] | v [Application Layer] - Validate business rules - Create event record | v [DB Transaction] - Write event to audit_events table (append-only) - Update materialised view / current-state table | v [Audit Events Table] [Current State Table] (immutable, append-only) (derived, rebuildable) | v [Async Consumers] - Compliance reporting - Reconciliation engine - Notification service </code></pre> </div> <p>The critical design decision: the audit events table is the source of truth. The current-state table is a projection that can be rebuilt from events at any time.</p> <h2> Implementation in Laravel </h2> <h3> Audit Events Migration </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="nc">Schema</span><span class="o">::</span><span class="nf">create</span><span class="p">(</span><span class="s1">'audit_events'</span><span class="p">,</span> <span class="k">function</span> <span class="p">(</span><span class="kt">Blueprint</span> <span class="nv">$table</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">uuid</span><span class="p">(</span><span class="s1">'id'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">primary</span><span class="p">();</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">string</span><span class="p">(</span><span class="s1">'aggregate_type'</span><span class="p">);</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">string</span><span class="p">(</span><span class="s1">'aggregate_id'</span><span class="p">);</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">unsignedBigInteger</span><span class="p">(</span><span class="s1">'sequence_number'</span><span class="p">);</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">string</span><span class="p">(</span><span class="s1">'event_type'</span><span class="p">);</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">(</span><span class="s1">'payload'</span><span class="p">);</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">(</span><span class="s1">'metadata'</span><span class="p">);</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">string</span><span class="p">(</span><span class="s1">'actor_id'</span><span class="p">);</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">string</span><span class="p">(</span><span class="s1">'actor_type'</span><span class="p">);</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">string</span><span class="p">(</span><span class="s1">'ip_address'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">nullable</span><span class="p">();</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">string</span><span class="p">(</span><span class="s1">'checksum'</span><span class="p">);</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">timestamp</span><span class="p">(</span><span class="s1">'occurred_at'</span><span class="p">);</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">timestamp</span><span class="p">(</span><span class="s1">'created_at'</span><span class="p">);</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">unique</span><span class="p">([</span><span class="s1">'aggregate_type'</span><span class="p">,</span> <span class="s1">'aggregate_id'</span><span class="p">,</span> <span class="s1">'sequence_number'</span><span class="p">]);</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">index</span><span class="p">([</span><span class="s1">'aggregate_type'</span><span class="p">,</span> <span class="s1">'aggregate_id'</span><span class="p">]);</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">index</span><span class="p">(</span><span class="s1">'event_type'</span><span class="p">);</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">index</span><span class="p">(</span><span class="s1">'occurred_at'</span><span class="p">);</span> <span class="nv">$table</span><span class="o">-&gt;</span><span class="nf">index</span><span class="p">(</span><span class="s1">'actor_id'</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <p>The <code>checksum</code> column stores a hash of the event data plus the previous event's checksum, forming a hash chain. Any tampering with a historical record breaks the chain.</p> <h3> Audit Event Service </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kn">namespace</span> <span class="nn">App\Services</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">App\Models\AuditEvent</span><span class="p">;</span> <span class="kn">use</span> <span class="no">Illuminate\Support\Facades\DB</span><span class="p">;</span> <span class="kn">use</span> <span class="nc">Illuminate\Support\Str</span><span class="p">;</span> <span class="kd">class</span> <span class="nc">AuditEventService</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">record</span><span class="p">(</span> <span class="kt">string</span> <span class="nv">$aggregateType</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$aggregateId</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$eventType</span><span class="p">,</span> <span class="kt">array</span> <span class="nv">$payload</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$actorId</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$actorType</span> <span class="o">=</span> <span class="s1">'user'</span><span class="p">,</span> <span class="kt">?string</span> <span class="nv">$ipAddress</span> <span class="o">=</span> <span class="kc">null</span><span class="p">,</span> <span class="p">):</span> <span class="kt">AuditEvent</span> <span class="p">{</span> <span class="k">return</span> <span class="no">DB</span><span class="o">::</span><span class="nf">transaction</span><span class="p">(</span><span class="k">function</span> <span class="p">()</span> <span class="k">use</span> <span class="p">(</span> <span class="nv">$aggregateType</span><span class="p">,</span> <span class="nv">$aggregateId</span><span class="p">,</span> <span class="nv">$eventType</span><span class="p">,</span> <span class="nv">$payload</span><span class="p">,</span> <span class="nv">$actorId</span><span class="p">,</span> <span class="nv">$actorType</span><span class="p">,</span> <span class="nv">$ipAddress</span> <span class="p">)</span> <span class="p">{</span> <span class="nv">$lastEvent</span> <span class="o">=</span> <span class="nc">AuditEvent</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s1">'aggregate_type'</span><span class="p">,</span> <span class="nv">$aggregateType</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'aggregate_id'</span><span class="p">,</span> <span class="nv">$aggregateId</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">orderByDesc</span><span class="p">(</span><span class="s1">'sequence_number'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">lockForUpdate</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">first</span><span class="p">();</span> <span class="nv">$sequenceNumber</span> <span class="o">=</span> <span class="nv">$lastEvent</span> <span class="o">?</span> <span class="nv">$lastEvent</span><span class="o">-&gt;</span><span class="n">sequence_number</span> <span class="o">+</span> <span class="mi">1</span> <span class="o">:</span> <span class="mi">1</span><span class="p">;</span> <span class="nv">$previousChecksum</span> <span class="o">=</span> <span class="nv">$lastEvent</span><span class="o">?-&gt;</span><span class="n">checksum</span> <span class="o">??</span> <span class="s1">'GENESIS'</span><span class="p">;</span> <span class="nv">$eventData</span> <span class="o">=</span> <span class="p">[</span> <span class="s1">'aggregate_type'</span> <span class="o">=&gt;</span> <span class="nv">$aggregateType</span><span class="p">,</span> <span class="s1">'aggregate_id'</span> <span class="o">=&gt;</span> <span class="nv">$aggregateId</span><span class="p">,</span> <span class="s1">'sequence_number'</span> <span class="o">=&gt;</span> <span class="nv">$sequenceNumber</span><span class="p">,</span> <span class="s1">'event_type'</span> <span class="o">=&gt;</span> <span class="nv">$eventType</span><span class="p">,</span> <span class="s1">'payload'</span> <span class="o">=&gt;</span> <span class="nv">$payload</span><span class="p">,</span> <span class="s1">'actor_id'</span> <span class="o">=&gt;</span> <span class="nv">$actorId</span><span class="p">,</span> <span class="s1">'occurred_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="p">];</span> <span class="nv">$checksum</span> <span class="o">=</span> <span class="nb">hash</span><span class="p">(</span><span class="s1">'sha256'</span><span class="p">,</span> <span class="nv">$previousChecksum</span> <span class="mf">.</span> <span class="nb">json_encode</span><span class="p">(</span><span class="nv">$eventData</span><span class="p">));</span> <span class="k">return</span> <span class="nc">AuditEvent</span><span class="o">::</span><span class="nf">create</span><span class="p">([</span> <span class="s1">'id'</span> <span class="o">=&gt;</span> <span class="nc">Str</span><span class="o">::</span><span class="nf">uuid</span><span class="p">(),</span> <span class="mf">...</span><span class="nv">$eventData</span><span class="p">,</span> <span class="s1">'metadata'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'previous_checksum'</span> <span class="o">=&gt;</span> <span class="nv">$previousChecksum</span><span class="p">,</span> <span class="s1">'schema_version'</span> <span class="o">=&gt;</span> <span class="s1">'1.0'</span><span class="p">,</span> <span class="p">],</span> <span class="s1">'actor_type'</span> <span class="o">=&gt;</span> <span class="nv">$actorType</span><span class="p">,</span> <span class="s1">'ip_address'</span> <span class="o">=&gt;</span> <span class="nv">$ipAddress</span><span class="p">,</span> <span class="s1">'checksum'</span> <span class="o">=&gt;</span> <span class="nv">$checksum</span><span class="p">,</span> <span class="s1">'created_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="p">]);</span> <span class="p">});</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">verifyChain</span><span class="p">(</span><span class="kt">string</span> <span class="nv">$aggregateType</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$aggregateId</span><span class="p">):</span> <span class="kt">bool</span> <span class="p">{</span> <span class="nv">$events</span> <span class="o">=</span> <span class="nc">AuditEvent</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s1">'aggregate_type'</span><span class="p">,</span> <span class="nv">$aggregateType</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'aggregate_id'</span><span class="p">,</span> <span class="nv">$aggregateId</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">orderBy</span><span class="p">(</span><span class="s1">'sequence_number'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">get</span><span class="p">();</span> <span class="nv">$previousChecksum</span> <span class="o">=</span> <span class="s1">'GENESIS'</span><span class="p">;</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$events</span> <span class="k">as</span> <span class="nv">$event</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$eventData</span> <span class="o">=</span> <span class="p">[</span> <span class="s1">'aggregate_type'</span> <span class="o">=&gt;</span> <span class="nv">$event</span><span class="o">-&gt;</span><span class="n">aggregate_type</span><span class="p">,</span> <span class="s1">'aggregate_id'</span> <span class="o">=&gt;</span> <span class="nv">$event</span><span class="o">-&gt;</span><span class="n">aggregate_id</span><span class="p">,</span> <span class="s1">'sequence_number'</span> <span class="o">=&gt;</span> <span class="nv">$event</span><span class="o">-&gt;</span><span class="n">sequence_number</span><span class="p">,</span> <span class="s1">'event_type'</span> <span class="o">=&gt;</span> <span class="nv">$event</span><span class="o">-&gt;</span><span class="n">event_type</span><span class="p">,</span> <span class="s1">'payload'</span> <span class="o">=&gt;</span> <span class="nv">$event</span><span class="o">-&gt;</span><span class="n">payload</span><span class="p">,</span> <span class="s1">'actor_id'</span> <span class="o">=&gt;</span> <span class="nv">$event</span><span class="o">-&gt;</span><span class="n">actor_id</span><span class="p">,</span> <span class="s1">'occurred_at'</span> <span class="o">=&gt;</span> <span class="nv">$event</span><span class="o">-&gt;</span><span class="n">occurred_at</span><span class="p">,</span> <span class="p">];</span> <span class="nv">$expectedChecksum</span> <span class="o">=</span> <span class="nb">hash</span><span class="p">(</span><span class="s1">'sha256'</span><span class="p">,</span> <span class="nv">$previousChecksum</span> <span class="mf">.</span> <span class="nb">json_encode</span><span class="p">(</span><span class="nv">$eventData</span><span class="p">));</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$expectedChecksum</span> <span class="o">!==</span> <span class="nv">$event</span><span class="o">-&gt;</span><span class="n">checksum</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="nv">$previousChecksum</span> <span class="o">=</span> <span class="nv">$event</span><span class="o">-&gt;</span><span class="n">checksum</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">getHistory</span><span class="p">(</span> <span class="kt">string</span> <span class="nv">$aggregateType</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$aggregateId</span> <span class="p">):</span> <span class="nc">\Illuminate\Support\Collection</span> <span class="p">{</span> <span class="k">return</span> <span class="nc">AuditEvent</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s1">'aggregate_type'</span><span class="p">,</span> <span class="nv">$aggregateType</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'aggregate_id'</span><span class="p">,</span> <span class="nv">$aggregateId</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">orderBy</span><span class="p">(</span><span class="s1">'sequence_number'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">get</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Using It in a Financial Workflow </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">InvoiceService</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">__construct</span><span class="p">(</span> <span class="k">private</span> <span class="kt">AuditEventService</span> <span class="nv">$auditService</span><span class="p">,</span> <span class="p">)</span> <span class="p">{}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">createInvoice</span><span class="p">(</span><span class="kt">array</span> <span class="nv">$data</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$userId</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$ip</span><span class="p">):</span> <span class="kt">Invoice</span> <span class="p">{</span> <span class="k">return</span> <span class="no">DB</span><span class="o">::</span><span class="nf">transaction</span><span class="p">(</span><span class="k">function</span> <span class="p">()</span> <span class="k">use</span> <span class="p">(</span><span class="nv">$data</span><span class="p">,</span> <span class="nv">$userId</span><span class="p">,</span> <span class="nv">$ip</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$invoice</span> <span class="o">=</span> <span class="nc">Invoice</span><span class="o">::</span><span class="nf">create</span><span class="p">([</span> <span class="s1">'number'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">generateInvoiceNumber</span><span class="p">(),</span> <span class="s1">'client_id'</span> <span class="o">=&gt;</span> <span class="nv">$data</span><span class="p">[</span><span class="s1">'client_id'</span><span class="p">],</span> <span class="s1">'amount'</span> <span class="o">=&gt;</span> <span class="nv">$data</span><span class="p">[</span><span class="s1">'amount'</span><span class="p">],</span> <span class="s1">'currency'</span> <span class="o">=&gt;</span> <span class="nv">$data</span><span class="p">[</span><span class="s1">'currency'</span><span class="p">],</span> <span class="s1">'status'</span> <span class="o">=&gt;</span> <span class="s1">'draft'</span><span class="p">,</span> <span class="s1">'due_date'</span> <span class="o">=&gt;</span> <span class="nv">$data</span><span class="p">[</span><span class="s1">'due_date'</span><span class="p">],</span> <span class="p">]);</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">auditService</span><span class="o">-&gt;</span><span class="nf">record</span><span class="p">(</span> <span class="n">aggregateType</span><span class="o">:</span> <span class="s1">'invoice'</span><span class="p">,</span> <span class="n">aggregateId</span><span class="o">:</span> <span class="p">(</span><span class="n">string</span><span class="p">)</span> <span class="nv">$invoice</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="n">eventType</span><span class="o">:</span> <span class="s1">'invoice.created'</span><span class="p">,</span> <span class="n">payload</span><span class="o">:</span> <span class="p">[</span> <span class="s1">'number'</span> <span class="o">=&gt;</span> <span class="nv">$invoice</span><span class="o">-&gt;</span><span class="n">number</span><span class="p">,</span> <span class="s1">'amount'</span> <span class="o">=&gt;</span> <span class="nv">$invoice</span><span class="o">-&gt;</span><span class="n">amount</span><span class="p">,</span> <span class="s1">'currency'</span> <span class="o">=&gt;</span> <span class="nv">$invoice</span><span class="o">-&gt;</span><span class="n">currency</span><span class="p">,</span> <span class="s1">'client_id'</span> <span class="o">=&gt;</span> <span class="nv">$invoice</span><span class="o">-&gt;</span><span class="n">client_id</span><span class="p">,</span> <span class="p">],</span> <span class="n">actorId</span><span class="o">:</span> <span class="nv">$userId</span><span class="p">,</span> <span class="n">ipAddress</span><span class="o">:</span> <span class="nv">$ip</span><span class="p">,</span> <span class="p">);</span> <span class="k">return</span> <span class="nv">$invoice</span><span class="p">;</span> <span class="p">});</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">approveInvoice</span><span class="p">(</span><span class="kt">Invoice</span> <span class="nv">$invoice</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$approverId</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$ip</span><span class="p">):</span> <span class="kt">Invoice</span> <span class="p">{</span> <span class="k">return</span> <span class="no">DB</span><span class="o">::</span><span class="nf">transaction</span><span class="p">(</span><span class="k">function</span> <span class="p">()</span> <span class="k">use</span> <span class="p">(</span><span class="nv">$invoice</span><span class="p">,</span> <span class="nv">$approverId</span><span class="p">,</span> <span class="nv">$ip</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$invoice</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span><span class="s1">'status'</span> <span class="o">=&gt;</span> <span class="s1">'approved'</span><span class="p">]);</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">auditService</span><span class="o">-&gt;</span><span class="nf">record</span><span class="p">(</span> <span class="n">aggregateType</span><span class="o">:</span> <span class="s1">'invoice'</span><span class="p">,</span> <span class="n">aggregateId</span><span class="o">:</span> <span class="p">(</span><span class="n">string</span><span class="p">)</span> <span class="nv">$invoice</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="n">eventType</span><span class="o">:</span> <span class="s1">'invoice.approved'</span><span class="p">,</span> <span class="n">payload</span><span class="o">:</span> <span class="p">[</span> <span class="s1">'previous_status'</span> <span class="o">=&gt;</span> <span class="s1">'draft'</span><span class="p">,</span> <span class="s1">'new_status'</span> <span class="o">=&gt;</span> <span class="s1">'approved'</span><span class="p">,</span> <span class="p">],</span> <span class="n">actorId</span><span class="o">:</span> <span class="nv">$approverId</span><span class="p">,</span> <span class="n">ipAddress</span><span class="o">:</span> <span class="nv">$ip</span><span class="p">,</span> <span class="p">);</span> <span class="k">return</span> <span class="nv">$invoice</span><span class="o">-&gt;</span><span class="nf">fresh</span><span class="p">();</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Implementation in Node.js </h2> <h3> Prisma Schema </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>model AuditEvent { id String @id @default(uuid()) aggregateType String @map("aggregate_type") aggregateId String @map("aggregate_id") sequenceNumber Int @map("sequence_number") eventType String @map("event_type") payload Json metadata Json actorId String @map("actor_id") actorType String @map("actor_type") @default("user") ipAddress String? @map("ip_address") checksum String occurredAt DateTime @map("occurred_at") createdAt DateTime @default(now()) @map("created_at") @@unique([aggregateType, aggregateId, sequenceNumber]) @@index([aggregateType, aggregateId]) @@index([eventType]) @@index([occurredAt]) @@index([actorId]) @@map("audit_events") } </code></pre> </div> <h3> Audit Event Service </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">PrismaClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@prisma/client</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">crypto</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">prisma</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PrismaClient</span><span class="p">();</span> <span class="kr">interface</span> <span class="nx">RecordEventParams</span> <span class="p">{</span> <span class="nl">aggregateType</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">aggregateId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">eventType</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">payload</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">unknown</span><span class="o">&gt;</span><span class="p">;</span> <span class="nl">actorId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">actorType</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">ipAddress</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">recordAuditEvent</span><span class="p">(</span><span class="nx">params</span><span class="p">:</span> <span class="nx">RecordEventParams</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">prisma</span><span class="p">.</span><span class="nf">$transaction</span><span class="p">(</span><span class="k">async </span><span class="p">(</span><span class="nx">tx</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">lastEvent</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">tx</span><span class="p">.</span><span class="nx">auditEvent</span><span class="p">.</span><span class="nf">findFirst</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">aggregateType</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nx">aggregateType</span><span class="p">,</span> <span class="na">aggregateId</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nx">aggregateId</span><span class="p">,</span> <span class="p">},</span> <span class="na">orderBy</span><span class="p">:</span> <span class="p">{</span> <span class="na">sequenceNumber</span><span class="p">:</span> <span class="dl">'</span><span class="s1">desc</span><span class="dl">'</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">sequenceNumber</span> <span class="o">=</span> <span class="nx">lastEvent</span> <span class="p">?</span> <span class="nx">lastEvent</span><span class="p">.</span><span class="nx">sequenceNumber</span> <span class="o">+</span> <span class="mi">1</span> <span class="p">:</span> <span class="mi">1</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">previousChecksum</span> <span class="o">=</span> <span class="nx">lastEvent</span><span class="p">?.</span><span class="nx">checksum</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">GENESIS</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">eventData</span> <span class="o">=</span> <span class="p">{</span> <span class="na">aggregate_type</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nx">aggregateType</span><span class="p">,</span> <span class="na">aggregate_id</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nx">aggregateId</span><span class="p">,</span> <span class="na">sequence_number</span><span class="p">:</span> <span class="nx">sequenceNumber</span><span class="p">,</span> <span class="na">event_type</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nx">eventType</span><span class="p">,</span> <span class="na">payload</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nx">payload</span><span class="p">,</span> <span class="na">actor_id</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nx">actorId</span><span class="p">,</span> <span class="na">occurred_at</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">checksum</span> <span class="o">=</span> <span class="nx">crypto</span> <span class="p">.</span><span class="nf">createHash</span><span class="p">(</span><span class="dl">'</span><span class="s1">sha256</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">previousChecksum</span> <span class="o">+</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">eventData</span><span class="p">))</span> <span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="nx">tx</span><span class="p">.</span><span class="nx">auditEvent</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">aggregateType</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nx">aggregateType</span><span class="p">,</span> <span class="na">aggregateId</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nx">aggregateId</span><span class="p">,</span> <span class="nx">sequenceNumber</span><span class="p">,</span> <span class="na">eventType</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nx">eventType</span><span class="p">,</span> <span class="na">payload</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nx">payload</span><span class="p">,</span> <span class="na">metadata</span><span class="p">:</span> <span class="p">{</span> <span class="na">previous_checksum</span><span class="p">:</span> <span class="nx">previousChecksum</span><span class="p">,</span> <span class="na">schema_version</span><span class="p">:</span> <span class="dl">'</span><span class="s1">1.0</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="na">actorId</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nx">actorId</span><span class="p">,</span> <span class="na">actorType</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nx">actorType</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">user</span><span class="dl">'</span><span class="p">,</span> <span class="na">ipAddress</span><span class="p">:</span> <span class="nx">params</span><span class="p">.</span><span class="nx">ipAddress</span><span class="p">,</span> <span class="nx">checksum</span><span class="p">,</span> <span class="na">occurredAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">(),</span> <span class="p">},</span> <span class="p">});</span> <span class="p">});</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">verifyAuditChain</span><span class="p">(</span> <span class="nx">aggregateType</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">aggregateId</span><span class="p">:</span> <span class="kr">string</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">boolean</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">events</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">auditEvent</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="nx">aggregateType</span><span class="p">,</span> <span class="nx">aggregateId</span> <span class="p">},</span> <span class="na">orderBy</span><span class="p">:</span> <span class="p">{</span> <span class="na">sequenceNumber</span><span class="p">:</span> <span class="dl">'</span><span class="s1">asc</span><span class="dl">'</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">let</span> <span class="nx">previousChecksum</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">GENESIS</span><span class="dl">'</span><span class="p">;</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">event</span> <span class="k">of</span> <span class="nx">events</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">eventData</span> <span class="o">=</span> <span class="p">{</span> <span class="na">aggregate_type</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">aggregateType</span><span class="p">,</span> <span class="na">aggregate_id</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">aggregateId</span><span class="p">,</span> <span class="na">sequence_number</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">sequenceNumber</span><span class="p">,</span> <span class="na">event_type</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">eventType</span><span class="p">,</span> <span class="na">payload</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">payload</span><span class="p">,</span> <span class="na">actor_id</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">actorId</span><span class="p">,</span> <span class="na">occurred_at</span><span class="p">:</span> <span class="nx">event</span><span class="p">.</span><span class="nx">occurredAt</span><span class="p">.</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">expectedChecksum</span> <span class="o">=</span> <span class="nx">crypto</span> <span class="p">.</span><span class="nf">createHash</span><span class="p">(</span><span class="dl">'</span><span class="s1">sha256</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">update</span><span class="p">(</span><span class="nx">previousChecksum</span> <span class="o">+</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">eventData</span><span class="p">))</span> <span class="p">.</span><span class="nf">digest</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">expectedChecksum</span> <span class="o">!==</span> <span class="nx">event</span><span class="p">.</span><span class="nx">checksum</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="nx">previousChecksum</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">checksum</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getAggregateHistory</span><span class="p">(</span> <span class="nx">aggregateType</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">aggregateId</span><span class="p">:</span> <span class="kr">string</span> <span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">auditEvent</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="nx">aggregateType</span><span class="p">,</span> <span class="nx">aggregateId</span> <span class="p">},</span> <span class="na">orderBy</span><span class="p">:</span> <span class="p">{</span> <span class="na">sequenceNumber</span><span class="p">:</span> <span class="dl">'</span><span class="s1">asc</span><span class="dl">'</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h3> Express Route for Audit Queries </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Router</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">express</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nc">Router</span><span class="p">();</span> <span class="nx">router</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/audit/:aggregateType/:aggregateId</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">aggregateType</span><span class="p">,</span> <span class="nx">aggregateId</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">history</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getAggregateHistory</span><span class="p">(</span><span class="nx">aggregateType</span><span class="p">,</span> <span class="nx">aggregateId</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">aggregate</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nx">aggregateType</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="nx">aggregateId</span> <span class="p">},</span> <span class="na">eventCount</span><span class="p">:</span> <span class="nx">history</span><span class="p">.</span><span class="nx">length</span><span class="p">,</span> <span class="na">events</span><span class="p">:</span> <span class="nx">history</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">sequence</span><span class="p">:</span> <span class="nx">e</span><span class="p">.</span><span class="nx">sequenceNumber</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="nx">e</span><span class="p">.</span><span class="nx">eventType</span><span class="p">,</span> <span class="na">payload</span><span class="p">:</span> <span class="nx">e</span><span class="p">.</span><span class="nx">payload</span><span class="p">,</span> <span class="na">actor</span><span class="p">:</span> <span class="nx">e</span><span class="p">.</span><span class="nx">actorId</span><span class="p">,</span> <span class="na">occurredAt</span><span class="p">:</span> <span class="nx">e</span><span class="p">.</span><span class="nx">occurredAt</span><span class="p">,</span> <span class="p">})),</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">router</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/audit/:aggregateType/:aggregateId/verify</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">aggregateType</span><span class="p">,</span> <span class="nx">aggregateId</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">valid</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">verifyAuditChain</span><span class="p">(</span><span class="nx">aggregateType</span><span class="p">,</span> <span class="nx">aggregateId</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">aggregate</span><span class="p">:</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="nx">aggregateType</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="nx">aggregateId</span> <span class="p">},</span> <span class="na">chainValid</span><span class="p">:</span> <span class="nx">valid</span><span class="p">,</span> <span class="na">verifiedAt</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">().</span><span class="nf">toISOString</span><span class="p">(),</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h2> Retention and Archival Strategy </h2> <p>Audit logs grow fast. A system processing 10,000 transactions per day generates millions of events per year. You need a retention strategy:</p> <ol> <li><p><strong>Hot storage (0–90 days):</strong> Primary database. Full query capability. Used for day-to-day operations and recent audits.</p></li> <li><p><strong>Warm storage (90 days–2 years):</strong> Move older events to a read-optimised store (e.g., partitioned table, read replica, or columnar database). Still queryable but not on the critical path.</p></li> <li><p><strong>Cold storage (2+ years):</strong> Archive to object storage (S3, GCS) in a structured format (Parquet, JSON Lines). Retained for regulatory compliance periods (typically 5–7 years for financial data).</p></li> </ol> <h3> Laravel Archival Command </h3> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">ArchiveAuditEvents</span> <span class="kd">extends</span> <span class="nc">Command</span> <span class="p">{</span> <span class="k">protected</span> <span class="nv">$signature</span> <span class="o">=</span> <span class="s1">'audit:archive {--older-than=90}'</span><span class="p">;</span> <span class="k">public</span> <span class="k">function</span> <span class="n">handle</span><span class="p">():</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$cutoff</span> <span class="o">=</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">subDays</span><span class="p">((</span><span class="n">int</span><span class="p">)</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">option</span><span class="p">(</span><span class="s1">'older-than'</span><span class="p">));</span> <span class="nv">$events</span> <span class="o">=</span> <span class="nc">AuditEvent</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s1">'occurred_at'</span><span class="p">,</span> <span class="s1">'&lt;'</span><span class="p">,</span> <span class="nv">$cutoff</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">orderBy</span><span class="p">(</span><span class="s1">'occurred_at'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">cursor</span><span class="p">();</span> <span class="nv">$batch</span> <span class="o">=</span> <span class="p">[];</span> <span class="nv">$batchCount</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$events</span> <span class="k">as</span> <span class="nv">$event</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$batch</span><span class="p">[]</span> <span class="o">=</span> <span class="nv">$event</span><span class="o">-&gt;</span><span class="nf">toArray</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="nb">count</span><span class="p">(</span><span class="nv">$batch</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="mi">10000</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">uploadBatch</span><span class="p">(</span><span class="nv">$batch</span><span class="p">,</span> <span class="nv">$batchCount</span><span class="p">);</span> <span class="nv">$batch</span> <span class="o">=</span> <span class="p">[];</span> <span class="nv">$batchCount</span><span class="o">++</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="k">empty</span><span class="p">(</span><span class="nv">$batch</span><span class="p">))</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">uploadBatch</span><span class="p">(</span><span class="nv">$batch</span><span class="p">,</span> <span class="nv">$batchCount</span><span class="p">);</span> <span class="p">}</span> <span class="nc">AuditEvent</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s1">'occurred_at'</span><span class="p">,</span> <span class="s1">'&lt;'</span><span class="p">,</span> <span class="nv">$cutoff</span><span class="p">)</span><span class="o">-&gt;</span><span class="nb">delete</span><span class="p">();</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">info</span><span class="p">(</span><span class="s2">"Archived and purged events older than </span><span class="si">{</span><span class="nv">$cutoff</span><span class="o">-&gt;</span><span class="nf">toDateString</span><span class="p">()</span><span class="si">}</span><span class="s2">."</span><span class="p">);</span> <span class="p">}</span> <span class="k">private</span> <span class="k">function</span> <span class="n">uploadBatch</span><span class="p">(</span><span class="kt">array</span> <span class="nv">$batch</span><span class="p">,</span> <span class="kt">int</span> <span class="nv">$index</span><span class="p">):</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$filename</span> <span class="o">=</span> <span class="nb">sprintf</span><span class="p">(</span><span class="s1">'audit-archive/%s/batch-%04d.json'</span><span class="p">,</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">format</span><span class="p">(</span><span class="s1">'Y/m'</span><span class="p">),</span> <span class="nv">$index</span><span class="p">);</span> <span class="nc">Storage</span><span class="o">::</span><span class="nf">disk</span><span class="p">(</span><span class="s1">'s3'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">put</span><span class="p">(</span> <span class="nv">$filename</span><span class="p">,</span> <span class="nf">collect</span><span class="p">(</span><span class="nv">$batch</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">map</span><span class="p">(</span><span class="k">fn</span> <span class="p">(</span><span class="nv">$e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nb">json_encode</span><span class="p">(</span><span class="nv">$e</span><span class="p">))</span><span class="o">-&gt;</span><span class="nb">implode</span><span class="p">(</span><span class="s2">"</span><span class="se">\n</span><span class="s2">"</span><span class="p">)</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Reconciliation with Immutable Logs </h2> <p>One of the most valuable outcomes of immutable logs is automated reconciliation. Instead of manually comparing spreadsheets, you can programmatically verify that every financial event has a matching counterpart:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">ReconciliationService</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">reconcilePayments</span><span class="p">(</span><span class="kt">string</span> <span class="nv">$date</span><span class="p">):</span> <span class="kt">array</span> <span class="p">{</span> <span class="nv">$internalEvents</span> <span class="o">=</span> <span class="nc">AuditEvent</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s1">'event_type'</span><span class="p">,</span> <span class="s1">'payment.completed'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">whereDate</span><span class="p">(</span><span class="s1">'occurred_at'</span><span class="p">,</span> <span class="nv">$date</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">get</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">keyBy</span><span class="p">(</span><span class="k">fn</span> <span class="p">(</span><span class="nv">$e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nv">$e</span><span class="o">-&gt;</span><span class="n">payload</span><span class="p">[</span><span class="s1">'gateway_reference'</span><span class="p">]);</span> <span class="nv">$bankStatements</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">fetchBankStatements</span><span class="p">(</span><span class="nv">$date</span><span class="p">);</span> <span class="nv">$matched</span> <span class="o">=</span> <span class="p">[];</span> <span class="nv">$unmatchedInternal</span> <span class="o">=</span> <span class="p">[];</span> <span class="nv">$unmatchedBank</span> <span class="o">=</span> <span class="p">[];</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$bankStatements</span> <span class="k">as</span> <span class="nv">$statement</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$internalEvents</span><span class="o">-&gt;</span><span class="nf">has</span><span class="p">(</span><span class="nv">$statement</span><span class="o">-&gt;</span><span class="n">reference</span><span class="p">))</span> <span class="p">{</span> <span class="nv">$matched</span><span class="p">[]</span> <span class="o">=</span> <span class="nv">$statement</span><span class="o">-&gt;</span><span class="n">reference</span><span class="p">;</span> <span class="nv">$internalEvents</span><span class="o">-&gt;</span><span class="nf">forget</span><span class="p">(</span><span class="nv">$statement</span><span class="o">-&gt;</span><span class="n">reference</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nv">$unmatchedBank</span><span class="p">[]</span> <span class="o">=</span> <span class="nv">$statement</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="nv">$unmatchedInternal</span> <span class="o">=</span> <span class="nv">$internalEvents</span><span class="o">-&gt;</span><span class="nf">values</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">all</span><span class="p">();</span> <span class="k">return</span> <span class="p">[</span> <span class="s1">'date'</span> <span class="o">=&gt;</span> <span class="nv">$date</span><span class="p">,</span> <span class="s1">'matched_count'</span> <span class="o">=&gt;</span> <span class="nb">count</span><span class="p">(</span><span class="nv">$matched</span><span class="p">),</span> <span class="s1">'unmatched_internal'</span> <span class="o">=&gt;</span> <span class="nb">count</span><span class="p">(</span><span class="nv">$unmatchedInternal</span><span class="p">),</span> <span class="s1">'unmatched_bank'</span> <span class="o">=&gt;</span> <span class="nb">count</span><span class="p">(</span><span class="nv">$unmatchedBank</span><span class="p">),</span> <span class="s1">'discrepancies'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="mf">...</span><span class="nv">$unmatchedInternal</span><span class="p">,</span> <span class="mf">...</span><span class="nv">$unmatchedBank</span><span class="p">],</span> <span class="p">];</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Production Results </h2> <p>After implementing immutable audit logging across financial platforms:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Before</th> <th>After</th> </tr> </thead> <tbody> <tr> <td>Reconciliation time (weekly)</td> <td>4+ hours manual</td> <td>15 minutes automated</td> </tr> <tr> <td>Audit preparation time</td> <td>2–3 weeks</td> <td>2 days</td> </tr> <tr> <td>Unresolved discrepancies</td> <td>8–12 per month</td> <td>0–1 per month</td> </tr> <tr> <td>Compliance audit findings</td> <td>Multiple per review</td> <td>Zero material findings</td> </tr> <tr> <td>Data dispute resolution time</td> <td>3–5 days</td> <td>&lt; 1 hour</td> </tr> </tbody> </table></div> <h2> Key Takeaways </h2> <ol> <li><p><strong>Never update financial records in place.</strong> Append new events instead. The current state is a projection of the event history.</p></li> <li><p><strong>Use hash chains for tamper evidence.</strong> Each event's checksum includes the previous event's checksum. Any modification breaks the chain.</p></li> <li><p><strong>Record who, what, when, and why.</strong> Every event needs an actor, a timestamp, and the business context. IP addresses and session identifiers add forensic value.</p></li> <li><p><strong>Plan for retention from day one.</strong> Audit logs grow quickly. Tiered storage (hot/warm/cold) keeps costs manageable while satisfying compliance requirements.</p></li> <li><p><strong>Automate reconciliation.</strong> Immutable logs enable programmatic reconciliation that replaces hours of manual spreadsheet comparison.</p></li> <li><p><strong>Write events and business data in the same transaction.</strong> If they are not atomic, you risk inconsistency between your source of truth and your audit trail.</p></li> </ol> <h2> Conclusion </h2> <p>Audit-proof financial workflows are not about generating more logs — they are about designing systems where every state change is captured, chained, and verifiable. Append-only writes, hash-chain integrity, and tiered retention create a system that answers any auditor's question with evidence, not explanations.</p> <p>Whether you build in Laravel or Node.js, the patterns are the same. This infrastructure pays dividends every time a regulator asks a question or a discrepancy needs resolution.</p> audittrail financialsystems immutablelogsimmutablelogs laravel Database Optimization Strategies That Cut Query Execution Time by 60%: A Practical Guide Olamilekan Lamidi Wed, 15 Apr 2026 23:40:02 +0000 https://dev.to/oluwatosinolamilekan/database-optimization-strategies-that-cut-query-execution-time-by-60-a-practical-guide-4786 https://dev.to/oluwatosinolamilekan/database-optimization-strategies-that-cut-query-execution-time-by-60-a-practical-guide-4786 <p>If your web application is slow, the database is almost certainly the bottleneck. Not the frontend framework. Not the web server. Not the network. The database.</p> <p>I have spent nine years building backend systems across seven companies, and in every single engagement, database performance has been the most impactful area of optimization. At VacancySoft, where I currently serve as a Full Stack Engineer, I reduced query execution times by 60% across our core platform. At Univelcity, I achieved a 45% reduction in API response times, with database optimization accounting for the majority of those gains. At Lordwin Group, I optimised a real-time gaming backend to sustain 3,000+ concurrent users with sub-100ms query responses.</p> <p>This article is the practical guide I wish I had when I started. It covers the exact strategies, tools, and techniques I use to diagnose and fix database performance problems in production systems running PostgreSQL and MySQL.</p> <h2> Strategy 1: Query Analysis and Profiling — Know Before You Optimize </h2> <p>The biggest mistake engineers make with database optimization is guessing. They add indexes randomly, rewrite queries based on intuition, or throw caching at the problem without understanding what is actually slow.</p> <p>I start every optimization effort the same way: <strong>profiling</strong>.</p> <h3> Enable Slow Query Logging </h3> <p>In PostgreSQL:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- postgresql.conf</span> <span class="n">log_min_duration_statement</span> <span class="o">=</span> <span class="mi">200</span> <span class="c1">-- Log queries taking &gt; 200ms</span> <span class="n">log_statement</span> <span class="o">=</span> <span class="s1">'none'</span> <span class="c1">-- Don't log all queries, just slow ones</span> </code></pre> </div> <p>In MySQL:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">SET</span> <span class="k">GLOBAL</span> <span class="n">slow_query_log</span> <span class="o">=</span> <span class="s1">'ON'</span><span class="p">;</span> <span class="k">SET</span> <span class="k">GLOBAL</span> <span class="n">long_query_time</span> <span class="o">=</span> <span class="mi">0</span><span class="p">.</span><span class="mi">2</span><span class="p">;</span> <span class="c1">-- 200ms threshold</span> <span class="k">SET</span> <span class="k">GLOBAL</span> <span class="n">log_queries_not_using_indexes</span> <span class="o">=</span> <span class="s1">'ON'</span><span class="p">;</span> </code></pre> </div> <p>At VacancySoft, I established a weekly ritual of reviewing the slow query log. This alone surfaced dozens of optimization opportunities that no amount of code review would have caught. Queries that looked clean in the ORM were generating catastrophic execution plans.</p> <h3> Use EXPLAIN ANALYZE Religiously </h3> <p><code>EXPLAIN</code> shows you the query plan. <code>EXPLAIN ANALYZE</code> actually executes the query and shows real timing data. The difference matters.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">EXPLAIN</span> <span class="k">ANALYZE</span> <span class="k">SELECT</span> <span class="n">v</span><span class="p">.</span><span class="n">id</span><span class="p">,</span> <span class="n">v</span><span class="p">.</span><span class="n">title</span><span class="p">,</span> <span class="n">o</span><span class="p">.</span><span class="n">name</span> <span class="k">AS</span> <span class="n">organisation_name</span><span class="p">,</span> <span class="n">s</span><span class="p">.</span><span class="n">name</span> <span class="k">AS</span> <span class="n">sector_name</span> <span class="k">FROM</span> <span class="n">vacancies</span> <span class="n">v</span> <span class="k">JOIN</span> <span class="n">organisations</span> <span class="n">o</span> <span class="k">ON</span> <span class="n">o</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">v</span><span class="p">.</span><span class="n">organisation_id</span> <span class="k">JOIN</span> <span class="n">sectors</span> <span class="n">s</span> <span class="k">ON</span> <span class="n">s</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">v</span><span class="p">.</span><span class="n">sector_id</span> <span class="k">WHERE</span> <span class="n">v</span><span class="p">.</span><span class="n">status</span> <span class="o">=</span> <span class="s1">'active'</span> <span class="k">AND</span> <span class="n">v</span><span class="p">.</span><span class="n">created_at</span> <span class="o">&gt;=</span> <span class="n">NOW</span><span class="p">()</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'30 days'</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">v</span><span class="p">.</span><span class="n">created_at</span> <span class="k">DESC</span> <span class="k">LIMIT</span> <span class="mi">20</span><span class="p">;</span> </code></pre> </div> <p>Before optimization, this query at VacancySoft returned an <code>EXPLAIN ANALYZE</code> output like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="n">Sort</span> <span class="p">(</span><span class="n">cost</span><span class="o">=</span><span class="mi">15234</span><span class="p">.</span><span class="mi">56</span><span class="p">..</span><span class="mi">15234</span><span class="p">.</span><span class="mi">61</span> <span class="k">rows</span><span class="o">=</span><span class="mi">20</span> <span class="n">width</span><span class="o">=</span><span class="mi">128</span><span class="p">)</span> <span class="p">(</span><span class="n">actual</span> <span class="nb">time</span><span class="o">=</span><span class="mi">1842</span><span class="p">.</span><span class="mi">331</span><span class="p">..</span><span class="mi">1842</span><span class="p">.</span><span class="mi">345</span> <span class="k">rows</span><span class="o">=</span><span class="mi">20</span> <span class="n">loops</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> <span class="n">Sort</span> <span class="k">Key</span><span class="p">:</span> <span class="n">v</span><span class="p">.</span><span class="n">created_at</span> <span class="k">DESC</span> <span class="o">-&gt;</span> <span class="n">Hash</span> <span class="k">Join</span> <span class="p">(</span><span class="n">cost</span><span class="o">=</span><span class="mi">8234</span><span class="p">.</span><span class="mi">12</span><span class="p">..</span><span class="mi">15234</span><span class="p">.</span><span class="mi">43</span> <span class="k">rows</span><span class="o">=</span><span class="mi">20</span> <span class="n">width</span><span class="o">=</span><span class="mi">128</span><span class="p">)</span> <span class="p">(</span><span class="n">actual</span> <span class="nb">time</span><span class="o">=</span><span class="mi">1201</span><span class="p">.</span><span class="mi">442</span><span class="p">..</span><span class="mi">1841</span><span class="p">.</span><span class="mi">892</span> <span class="k">rows</span><span class="o">=</span><span class="mi">24531</span> <span class="n">loops</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Seq</span> <span class="n">Scan</span> <span class="k">on</span> <span class="n">vacancies</span> <span class="n">v</span> <span class="p">(</span><span class="n">cost</span><span class="o">=</span><span class="mi">0</span><span class="p">.</span><span class="mi">00</span><span class="p">..</span><span class="mi">6842</span><span class="p">.</span><span class="mi">00</span> <span class="k">rows</span><span class="o">=</span><span class="mi">24531</span> <span class="n">width</span><span class="o">=</span><span class="mi">96</span><span class="p">)</span> <span class="p">(</span><span class="n">actual</span> <span class="nb">time</span><span class="o">=</span><span class="mi">0</span><span class="p">.</span><span class="mi">021</span><span class="p">..</span><span class="mi">892</span><span class="p">.</span><span class="mi">134</span> <span class="k">rows</span><span class="o">=</span><span class="mi">24531</span> <span class="n">loops</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> <span class="n">Filter</span><span class="p">:</span> <span class="p">((</span><span class="n">status</span> <span class="o">=</span> <span class="s1">'active'</span><span class="p">)</span> <span class="k">AND</span> <span class="p">(</span><span class="n">created_at</span> <span class="o">&gt;=</span> <span class="p">...))</span> <span class="k">Rows</span> <span class="n">Removed</span> <span class="k">by</span> <span class="n">Filter</span><span class="p">:</span> <span class="mi">187234</span> <span class="n">Planning</span> <span class="nb">Time</span><span class="p">:</span> <span class="mi">0</span><span class="p">.</span><span class="mi">892</span> <span class="n">ms</span> <span class="n">Execution</span> <span class="nb">Time</span><span class="p">:</span> <span class="mi">1843</span><span class="p">.</span><span class="mi">012</span> <span class="n">ms</span> </code></pre> </div> <p>Two immediate red flags: a <strong>sequential scan</strong> on the vacancies table scanning over 200,000 rows and filtering out 187,000 of them, and a <strong>hash join</strong> that is materialising far more rows than the final result needs.</p> <p>This is the kind of visibility that transforms optimization from guesswork into engineering. Olamilekan Lamidi's first rule of database optimization: never optimise a query you have not profiled.</p> <h2> Strategy 2: Indexing Strategies — The Highest-Impact Change </h2> <p>Indexing is the single most impactful optimization technique in my toolkit. A well-placed index can turn a 2-second query into a 5-millisecond query. But indexes are not free — they consume storage, slow down writes, and can mislead the query planner if poorly designed.</p> <h3> Composite Indexes </h3> <p>Order matters in composite indexes. The index <code>(status, created_at)</code> is useful for queries that filter on <code>status</code> and sort or filter on <code>created_at</code>. It is useless for queries that filter only on <code>created_at</code>.</p> <p>For the vacancy search query above, I created:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_vacancies_status_created_at</span> <span class="k">ON</span> <span class="n">vacancies</span> <span class="p">(</span><span class="n">status</span><span class="p">,</span> <span class="n">created_at</span> <span class="k">DESC</span><span class="p">);</span> </code></pre> </div> <p>This single index eliminated the sequential scan. The query planner now uses an index scan that reads only the relevant rows:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">Index</span> <span class="n">Scan</span> <span class="k">using</span> <span class="n">idx_vacancies_status_created_at</span> <span class="k">on</span> <span class="n">vacancies</span> <span class="n">v</span> <span class="p">(</span><span class="n">cost</span><span class="o">=</span><span class="mi">0</span><span class="p">.</span><span class="mi">42</span><span class="p">..</span><span class="mi">234</span><span class="p">.</span><span class="mi">56</span> <span class="k">rows</span><span class="o">=</span><span class="mi">20</span> <span class="n">width</span><span class="o">=</span><span class="mi">96</span><span class="p">)</span> <span class="p">(</span><span class="n">actual</span> <span class="nb">time</span><span class="o">=</span><span class="mi">0</span><span class="p">.</span><span class="mi">089</span><span class="p">..</span><span class="mi">2</span><span class="p">.</span><span class="mi">341</span> <span class="k">rows</span><span class="o">=</span><span class="mi">20</span> <span class="n">loops</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> <span class="k">Index</span> <span class="n">Cond</span><span class="p">:</span> <span class="p">((</span><span class="n">status</span> <span class="o">=</span> <span class="s1">'active'</span><span class="p">)</span> <span class="k">AND</span> <span class="p">(</span><span class="n">created_at</span> <span class="o">&gt;=</span> <span class="p">...))</span> </code></pre> </div> <p>Execution time: from <strong>1,843ms to 12ms</strong>. A 99.3% reduction from a single composite index.</p> <h3> Partial Indexes </h3> <p>At VacancySoft, the majority of our queries filter on <code>status = 'active'</code>. Only about 15% of vacancies are active at any given time. A partial index dramatically reduces the index size:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_vacancies_active_created_at</span> <span class="k">ON</span> <span class="n">vacancies</span> <span class="p">(</span><span class="n">created_at</span> <span class="k">DESC</span><span class="p">)</span> <span class="k">WHERE</span> <span class="n">status</span> <span class="o">=</span> <span class="s1">'active'</span><span class="p">;</span> </code></pre> </div> <p>This index is roughly 85% smaller than the full composite index, which means it fits in memory more easily and produces faster index scans.</p> <h3> Covering Indexes (Index-Only Scans) </h3> <p>A covering index includes all columns that a query needs, allowing PostgreSQL to serve the query entirely from the index without touching the heap (the actual table data). This eliminates random I/O, which is the most expensive operation on traditional storage.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">INDEX</span> <span class="n">idx_vacancies_covering</span> <span class="k">ON</span> <span class="n">vacancies</span> <span class="p">(</span><span class="n">status</span><span class="p">,</span> <span class="n">created_at</span> <span class="k">DESC</span><span class="p">)</span> <span class="n">INCLUDE</span> <span class="p">(</span><span class="n">id</span><span class="p">,</span> <span class="n">title</span><span class="p">,</span> <span class="n">organisation_id</span><span class="p">,</span> <span class="n">sector_id</span><span class="p">)</span> <span class="k">WHERE</span> <span class="n">status</span> <span class="o">=</span> <span class="s1">'active'</span><span class="p">;</span> </code></pre> </div> <p>With this covering index, PostgreSQL executes an <strong>index-only scan</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">Index</span> <span class="k">Only</span> <span class="n">Scan</span> <span class="k">using</span> <span class="n">idx_vacancies_covering</span> <span class="k">on</span> <span class="n">vacancies</span> <span class="n">v</span> <span class="p">(</span><span class="n">cost</span><span class="o">=</span><span class="mi">0</span><span class="p">.</span><span class="mi">42</span><span class="p">..</span><span class="mi">45</span><span class="p">.</span><span class="mi">23</span> <span class="k">rows</span><span class="o">=</span><span class="mi">20</span> <span class="n">width</span><span class="o">=</span><span class="mi">96</span><span class="p">)</span> <span class="p">(</span><span class="n">actual</span> <span class="nb">time</span><span class="o">=</span><span class="mi">0</span><span class="p">.</span><span class="mi">067</span><span class="p">..</span><span class="mi">0</span><span class="p">.</span><span class="mi">412</span> <span class="k">rows</span><span class="o">=</span><span class="mi">20</span> <span class="n">loops</span><span class="o">=</span><span class="mi">1</span><span class="p">)</span> <span class="n">Heap</span> <span class="n">Fetches</span><span class="p">:</span> <span class="mi">0</span> </code></pre> </div> <p><code>Heap Fetches: 0</code> is the goal. The database never touches the table at all.</p> <h3> My Indexing Methodology </h3> <p>I follow a systematic process:</p> <ol> <li> <strong>Identify the top 20 slowest queries</strong> from the slow query log.</li> <li> <strong>Run EXPLAIN ANALYZE</strong> on each one.</li> <li> <strong>Look for sequential scans</strong> on tables with more than 10,000 rows.</li> <li> <strong>Check for sort operations</strong> that are not backed by an index.</li> <li> <strong>Create targeted indexes</strong> and verify the plan changes.</li> <li> <strong>Monitor write performance</strong> to ensure indexes are not degrading INSERT/UPDATE speed beyond acceptable thresholds.</li> </ol> <p>At VacancySoft, this methodology across 15+ modules produced the 60% aggregate reduction in query execution time.</p> <h2> Strategy 3: Query Refactoring — Fixing What the ORM Gets Wrong </h2> <p>ORMs are excellent for productivity but frequently generate suboptimal SQL. The N+1 query problem is the most well-known example, but I encounter more subtle issues regularly.</p> <h3> Eliminating N+1 Queries </h3> <p>In Laravel (which I used extensively at 2am Tech, Lordwin Group, and Viaduct):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// Bad: N+1 problem — 1 query for organisations + N queries for vacancies</span> <span class="nv">$organisations</span> <span class="o">=</span> <span class="nc">Organisation</span><span class="o">::</span><span class="nf">all</span><span class="p">();</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$organisations</span> <span class="k">as</span> <span class="nv">$org</span><span class="p">)</span> <span class="p">{</span> <span class="k">echo</span> <span class="nv">$org</span><span class="o">-&gt;</span><span class="n">vacancies</span><span class="o">-&gt;</span><span class="nb">count</span><span class="p">();</span> <span class="c1">// Triggers a query per organisation</span> <span class="p">}</span> <span class="c1">// Good: Eager loading — 2 queries total</span> <span class="nv">$organisations</span> <span class="o">=</span> <span class="nc">Organisation</span><span class="o">::</span><span class="nf">with</span><span class="p">(</span><span class="s1">'vacancies'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">();</span> <span class="c1">// Better: When you only need the count</span> <span class="nv">$organisations</span> <span class="o">=</span> <span class="nc">Organisation</span><span class="o">::</span><span class="nf">withCount</span><span class="p">(</span><span class="s1">'vacancies'</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">();</span> <span class="k">foreach</span> <span class="p">(</span><span class="nv">$organisations</span> <span class="k">as</span> <span class="nv">$org</span><span class="p">)</span> <span class="p">{</span> <span class="k">echo</span> <span class="nv">$org</span><span class="o">-&gt;</span><span class="n">vacancies_count</span><span class="p">;</span> <span class="c1">// No additional queries</span> <span class="p">}</span> </code></pre> </div> <p>At 2am Tech, the Addio financial platform was suffering from response times exceeding 3 seconds on the organisation dashboard. Profiling revealed over 150 queries per page load, almost all of them N+1 queries from Eloquent relationships. I refactored the critical paths to use eager loading and <code>withCount</code>, reducing the query count to 8 and the response time to 400ms.</p> <h3> Replacing Subqueries with JOINs and CTEs </h3> <p>ORMs often generate correlated subqueries where a JOIN or CTE would be far more efficient:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- ORM-generated: correlated subquery (executes once per row)</span> <span class="k">SELECT</span> <span class="n">o</span><span class="p">.</span><span class="n">id</span><span class="p">,</span> <span class="n">o</span><span class="p">.</span><span class="n">name</span><span class="p">,</span> <span class="p">(</span><span class="k">SELECT</span> <span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">vacancies</span> <span class="n">v</span> <span class="k">WHERE</span> <span class="n">v</span><span class="p">.</span><span class="n">organisation_id</span> <span class="o">=</span> <span class="n">o</span><span class="p">.</span><span class="n">id</span> <span class="k">AND</span> <span class="n">v</span><span class="p">.</span><span class="n">status</span> <span class="o">=</span> <span class="s1">'active'</span><span class="p">)</span> <span class="k">AS</span> <span class="n">active_vacancy_count</span> <span class="k">FROM</span> <span class="n">organisations</span> <span class="n">o</span> <span class="k">WHERE</span> <span class="n">o</span><span class="p">.</span><span class="n">sector_id</span> <span class="o">=</span> <span class="mi">5</span><span class="p">;</span> <span class="c1">-- Refactored: single pass with JOIN</span> <span class="k">SELECT</span> <span class="n">o</span><span class="p">.</span><span class="n">id</span><span class="p">,</span> <span class="n">o</span><span class="p">.</span><span class="n">name</span><span class="p">,</span> <span class="k">COUNT</span><span class="p">(</span><span class="n">v</span><span class="p">.</span><span class="n">id</span><span class="p">)</span> <span class="k">AS</span> <span class="n">active_vacancy_count</span> <span class="k">FROM</span> <span class="n">organisations</span> <span class="n">o</span> <span class="k">LEFT</span> <span class="k">JOIN</span> <span class="n">vacancies</span> <span class="n">v</span> <span class="k">ON</span> <span class="n">v</span><span class="p">.</span><span class="n">organisation_id</span> <span class="o">=</span> <span class="n">o</span><span class="p">.</span><span class="n">id</span> <span class="k">AND</span> <span class="n">v</span><span class="p">.</span><span class="n">status</span> <span class="o">=</span> <span class="s1">'active'</span> <span class="k">WHERE</span> <span class="n">o</span><span class="p">.</span><span class="n">sector_id</span> <span class="o">=</span> <span class="mi">5</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">o</span><span class="p">.</span><span class="n">id</span><span class="p">,</span> <span class="n">o</span><span class="p">.</span><span class="n">name</span><span class="p">;</span> </code></pre> </div> <h3> Window Functions for Complex Analytics </h3> <p>At VacancySoft, we needed to show month-over-month vacancy trends per sector. The initial implementation used multiple queries with application-level aggregation. I replaced it with a single query using window functions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">WITH</span> <span class="n">monthly_counts</span> <span class="k">AS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="n">s</span><span class="p">.</span><span class="n">name</span> <span class="k">AS</span> <span class="n">sector_name</span><span class="p">,</span> <span class="n">DATE_TRUNC</span><span class="p">(</span><span class="s1">'month'</span><span class="p">,</span> <span class="n">v</span><span class="p">.</span><span class="n">created_at</span><span class="p">)</span> <span class="k">AS</span> <span class="k">month</span><span class="p">,</span> <span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">AS</span> <span class="n">vacancy_count</span> <span class="k">FROM</span> <span class="n">vacancies</span> <span class="n">v</span> <span class="k">JOIN</span> <span class="n">sectors</span> <span class="n">s</span> <span class="k">ON</span> <span class="n">s</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">v</span><span class="p">.</span><span class="n">sector_id</span> <span class="k">WHERE</span> <span class="n">v</span><span class="p">.</span><span class="n">created_at</span> <span class="o">&gt;=</span> <span class="n">NOW</span><span class="p">()</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'12 months'</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">s</span><span class="p">.</span><span class="n">name</span><span class="p">,</span> <span class="n">DATE_TRUNC</span><span class="p">(</span><span class="s1">'month'</span><span class="p">,</span> <span class="n">v</span><span class="p">.</span><span class="n">created_at</span><span class="p">)</span> <span class="p">)</span> <span class="k">SELECT</span> <span class="n">sector_name</span><span class="p">,</span> <span class="k">month</span><span class="p">,</span> <span class="n">vacancy_count</span><span class="p">,</span> <span class="n">LAG</span><span class="p">(</span><span class="n">vacancy_count</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span><span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">sector_name</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="k">month</span><span class="p">)</span> <span class="k">AS</span> <span class="n">prev_month_count</span><span class="p">,</span> <span class="n">ROUND</span><span class="p">(</span> <span class="p">(</span><span class="n">vacancy_count</span> <span class="o">-</span> <span class="n">LAG</span><span class="p">(</span><span class="n">vacancy_count</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span><span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">sector_name</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="k">month</span><span class="p">))::</span><span class="nb">numeric</span> <span class="o">/</span> <span class="k">NULLIF</span><span class="p">(</span><span class="n">LAG</span><span class="p">(</span><span class="n">vacancy_count</span><span class="p">)</span> <span class="n">OVER</span> <span class="p">(</span><span class="k">PARTITION</span> <span class="k">BY</span> <span class="n">sector_name</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="k">month</span><span class="p">),</span> <span class="mi">0</span><span class="p">)</span> <span class="o">*</span> <span class="mi">100</span><span class="p">,</span> <span class="mi">1</span> <span class="p">)</span> <span class="k">AS</span> <span class="n">month_over_month_pct</span> <span class="k">FROM</span> <span class="n">monthly_counts</span> <span class="k">ORDER</span> <span class="k">BY</span> <span class="n">sector_name</span><span class="p">,</span> <span class="k">month</span><span class="p">;</span> </code></pre> </div> <p>This single query replaced five application-level queries and a significant amount of JavaScript aggregation logic. Response time for the trends endpoint dropped from 2.1 seconds to 280ms.</p> <h2> Strategy 4: Schema Redesign for Performance </h2> <p>Sometimes the problem is not the query — it is the schema. Normalization is taught as gospel in database courses, but production systems often require strategic denormalization.</p> <h3> Materialized Views </h3> <p>At VacancySoft, our analytics dashboard required aggregating data across five tables. Even with optimized queries and proper indexes, the aggregation was too slow for real-time display. I introduced materialized views:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="n">MATERIALIZED</span> <span class="k">VIEW</span> <span class="n">mv_sector_analytics</span> <span class="k">AS</span> <span class="k">SELECT</span> <span class="n">s</span><span class="p">.</span><span class="n">id</span> <span class="k">AS</span> <span class="n">sector_id</span><span class="p">,</span> <span class="n">s</span><span class="p">.</span><span class="n">name</span> <span class="k">AS</span> <span class="n">sector_name</span><span class="p">,</span> <span class="k">COUNT</span><span class="p">(</span><span class="n">v</span><span class="p">.</span><span class="n">id</span><span class="p">)</span> <span class="k">AS</span> <span class="n">total_vacancies</span><span class="p">,</span> <span class="k">COUNT</span><span class="p">(</span><span class="n">v</span><span class="p">.</span><span class="n">id</span><span class="p">)</span> <span class="n">FILTER</span> <span class="p">(</span><span class="k">WHERE</span> <span class="n">v</span><span class="p">.</span><span class="n">status</span> <span class="o">=</span> <span class="s1">'active'</span><span class="p">)</span> <span class="k">AS</span> <span class="n">active_vacancies</span><span class="p">,</span> <span class="k">COUNT</span><span class="p">(</span><span class="k">DISTINCT</span> <span class="n">v</span><span class="p">.</span><span class="n">organisation_id</span><span class="p">)</span> <span class="k">AS</span> <span class="n">hiring_organisations</span><span class="p">,</span> <span class="n">PERCENTILE_CONT</span><span class="p">(</span><span class="mi">0</span><span class="p">.</span><span class="mi">5</span><span class="p">)</span> <span class="n">WITHIN</span> <span class="k">GROUP</span> <span class="p">(</span><span class="k">ORDER</span> <span class="k">BY</span> <span class="n">v</span><span class="p">.</span><span class="n">salary_max</span><span class="p">)</span> <span class="k">AS</span> <span class="n">median_salary</span><span class="p">,</span> <span class="n">DATE_TRUNC</span><span class="p">(</span><span class="s1">'day'</span><span class="p">,</span> <span class="n">NOW</span><span class="p">())</span> <span class="k">AS</span> <span class="n">snapshot_date</span> <span class="k">FROM</span> <span class="n">sectors</span> <span class="n">s</span> <span class="k">LEFT</span> <span class="k">JOIN</span> <span class="n">vacancies</span> <span class="n">v</span> <span class="k">ON</span> <span class="n">v</span><span class="p">.</span><span class="n">sector_id</span> <span class="o">=</span> <span class="n">s</span><span class="p">.</span><span class="n">id</span> <span class="k">AND</span> <span class="n">v</span><span class="p">.</span><span class="n">created_at</span> <span class="o">&gt;=</span> <span class="n">NOW</span><span class="p">()</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'90 days'</span> <span class="k">GROUP</span> <span class="k">BY</span> <span class="n">s</span><span class="p">.</span><span class="n">id</span><span class="p">,</span> <span class="n">s</span><span class="p">.</span><span class="n">name</span><span class="p">;</span> <span class="k">CREATE</span> <span class="k">UNIQUE</span> <span class="k">INDEX</span> <span class="k">ON</span> <span class="n">mv_sector_analytics</span> <span class="p">(</span><span class="n">sector_id</span><span class="p">);</span> <span class="c1">-- Refresh concurrently (no lock on reads)</span> <span class="n">REFRESH</span> <span class="n">MATERIALIZED</span> <span class="k">VIEW</span> <span class="n">CONCURRENTLY</span> <span class="n">mv_sector_analytics</span><span class="p">;</span> </code></pre> </div> <p>I set up a cron job to refresh this view every 15 minutes. The dashboard query that previously took 3.8 seconds now completes in under 10ms because it reads from the pre-computed view.</p> <h3> Strategic Denormalization </h3> <p>For the organisation profile pages, rather than joining five tables on every request, I added a <code>cached_stats</code> JSONB column on the organisations table:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">organisations</span> <span class="k">ADD</span> <span class="k">COLUMN</span> <span class="n">cached_stats</span> <span class="n">JSONB</span> <span class="k">DEFAULT</span> <span class="s1">'{}'</span><span class="p">;</span> <span class="c1">-- Updated by a background job every hour</span> <span class="k">UPDATE</span> <span class="n">organisations</span> <span class="k">SET</span> <span class="n">cached_stats</span> <span class="o">=</span> <span class="n">jsonb_build_object</span><span class="p">(</span> <span class="s1">'active_vacancies'</span><span class="p">,</span> <span class="p">(</span><span class="k">SELECT</span> <span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">vacancies</span> <span class="k">WHERE</span> <span class="n">organisation_id</span> <span class="o">=</span> <span class="n">organisations</span><span class="p">.</span><span class="n">id</span> <span class="k">AND</span> <span class="n">status</span> <span class="o">=</span> <span class="s1">'active'</span><span class="p">),</span> <span class="s1">'total_vacancies_90d'</span><span class="p">,</span> <span class="p">(</span><span class="k">SELECT</span> <span class="k">COUNT</span><span class="p">(</span><span class="o">*</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">vacancies</span> <span class="k">WHERE</span> <span class="n">organisation_id</span> <span class="o">=</span> <span class="n">organisations</span><span class="p">.</span><span class="n">id</span> <span class="k">AND</span> <span class="n">created_at</span> <span class="o">&gt;=</span> <span class="n">NOW</span><span class="p">()</span> <span class="o">-</span> <span class="n">INTERVAL</span> <span class="s1">'90 days'</span><span class="p">),</span> <span class="s1">'avg_time_to_fill'</span><span class="p">,</span> <span class="p">(</span><span class="k">SELECT</span> <span class="k">AVG</span><span class="p">(</span><span class="k">EXTRACT</span><span class="p">(</span><span class="n">EPOCH</span> <span class="k">FROM</span> <span class="p">(</span><span class="n">filled_at</span> <span class="o">-</span> <span class="n">created_at</span><span class="p">))</span> <span class="o">/</span> <span class="mi">86400</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">vacancies</span> <span class="k">WHERE</span> <span class="n">organisation_id</span> <span class="o">=</span> <span class="n">organisations</span><span class="p">.</span><span class="n">id</span> <span class="k">AND</span> <span class="n">filled_at</span> <span class="k">IS</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">),</span> <span class="s1">'updated_at'</span><span class="p">,</span> <span class="n">NOW</span><span class="p">()</span> <span class="p">);</span> </code></pre> </div> <p>This is a tradeoff: the data can be up to one hour stale, and we have the overhead of the background update job. But for this use case, slight staleness is acceptable, and the performance gain — from 450ms to 8ms per profile page — is transformative.</p> <h2> Strategy 5: Connection Pooling and Read Replicas </h2> <p>At scale, query optimization alone is not enough. You also need to manage how connections to the database are handled.</p> <h3> Connection Pooling with PgBouncer </h3> <p>PostgreSQL creates a new process for each connection, which is expensive. At VacancySoft, I deployed PgBouncer in front of PostgreSQL in transaction pooling mode:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="c">; pgbouncer.ini </span><span class="nn">[databases]</span> <span class="py">vacancysoft</span> <span class="p">=</span> <span class="s">host=127.0.0.1 port=5432 dbname=vacancysoft</span> <span class="nn">[pgbouncer]</span> <span class="py">listen_port</span> <span class="p">=</span> <span class="s">6432</span> <span class="py">pool_mode</span> <span class="p">=</span> <span class="s">transaction</span> <span class="py">max_client_conn</span> <span class="p">=</span> <span class="s">500</span> <span class="py">default_pool_size</span> <span class="p">=</span> <span class="s">25</span> <span class="py">reserve_pool_size</span> <span class="p">=</span> <span class="s">5</span> </code></pre> </div> <p>This allows 500 application connections to share 25 database connections. Without pooling, our application would regularly hit PostgreSQL's connection limit during traffic spikes, causing cascading failures.</p> <h3> Read Replicas </h3> <p>For read-heavy workloads (which describe most web applications), I split reads and writes across primary and replica databases:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Database configuration with read/write splitting</span> <span class="kd">const</span> <span class="nx">knex</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">knex</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">primary</span> <span class="o">=</span> <span class="nf">knex</span><span class="p">({</span> <span class="na">client</span><span class="p">:</span> <span class="dl">'</span><span class="s1">pg</span><span class="dl">'</span><span class="p">,</span> <span class="na">connection</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE_PRIMARY_URL</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">replica</span> <span class="o">=</span> <span class="nf">knex</span><span class="p">({</span> <span class="na">client</span><span class="p">:</span> <span class="dl">'</span><span class="s1">pg</span><span class="dl">'</span><span class="p">,</span> <span class="na">connection</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DATABASE_REPLICA_URL</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// Service layer decides which connection to use</span> <span class="kd">class</span> <span class="nc">VacancyService</span> <span class="p">{</span> <span class="k">async</span> <span class="nf">search</span><span class="p">(</span><span class="nx">filters</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">replica</span><span class="p">(</span><span class="dl">'</span><span class="s1">vacancies</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">where</span><span class="p">(</span><span class="nx">filters</span><span class="p">)</span> <span class="p">.</span><span class="nf">orderBy</span><span class="p">(</span><span class="dl">'</span><span class="s1">created_at</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">desc</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">async</span> <span class="nf">create</span><span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">primary</span><span class="p">(</span><span class="dl">'</span><span class="s1">vacancies</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">insert</span><span class="p">(</span><span class="nx">data</span><span class="p">)</span> <span class="p">.</span><span class="nf">returning</span><span class="p">(</span><span class="dl">'</span><span class="s1">*</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>At VacancySoft, this split reduced load on the primary database by approximately 70%, since the vast majority of our traffic is read operations (search, analytics, reporting).</p> <h2> Strategy 6: Caching Layers </h2> <p>The fastest database query is the one you never make. Caching is the final layer of my optimization strategy.</p> <h3> Redis for Hot Data </h3> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">Redis</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">ioredis</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">redis</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Redis</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REDIS_URL</span><span class="p">);</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getSectorAnalytics</span><span class="p">(</span><span class="nx">sectorId</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">cacheKey</span> <span class="o">=</span> <span class="s2">`sector:</span><span class="p">${</span><span class="nx">sectorId</span><span class="p">}</span><span class="s2">:analytics`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">cached</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">cacheKey</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">cached</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">cached</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">db</span><span class="p">(</span><span class="dl">'</span><span class="s1">mv_sector_analytics</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">where</span><span class="p">(</span><span class="dl">'</span><span class="s1">sector_id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">sectorId</span><span class="p">)</span> <span class="p">.</span><span class="nf">first</span><span class="p">();</span> <span class="k">await</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">setex</span><span class="p">(</span><span class="nx">cacheKey</span><span class="p">,</span> <span class="mi">900</span><span class="p">,</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">data</span><span class="p">));</span> <span class="c1">// 15-minute TTL</span> <span class="k">return</span> <span class="nx">data</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> Cache Invalidation Strategy </h3> <p>Cache invalidation is famously one of the two hard problems in computer science. My approach is pragmatic:</p> <ol> <li> <strong>TTL-based expiration</strong> for data that can tolerate staleness (analytics, aggregations).</li> <li> <strong>Event-driven invalidation</strong> for data that must be fresh (user profiles, active listings). When a vacancy is created or updated, I publish an event that invalidates the relevant cache keys.</li> <li> <strong>Cache warming</strong> for predictable access patterns. At VacancySoft, I pre-warm the cache for the top 50 sectors and top 100 organisations every 15 minutes, so the first user to access these pages never experiences a cache miss. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Event-driven cache invalidation</span> <span class="nx">eventBus</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">vacancy:created</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">vacancy</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">del</span><span class="p">(</span><span class="s2">`sector:</span><span class="p">${</span><span class="nx">vacancy</span><span class="p">.</span><span class="nx">sector_id</span><span class="p">}</span><span class="s2">:analytics`</span><span class="p">);</span> <span class="k">await</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">del</span><span class="p">(</span><span class="s2">`org:</span><span class="p">${</span><span class="nx">vacancy</span><span class="p">.</span><span class="nx">organisation_id</span><span class="p">}</span><span class="s2">:stats`</span><span class="p">);</span> <span class="k">await</span> <span class="nx">redis</span><span class="p">.</span><span class="nf">del</span><span class="p">(</span><span class="dl">'</span><span class="s1">homepage:featured_vacancies</span><span class="dl">'</span><span class="p">);</span> <span class="p">});</span> </code></pre> </div> <h2> Results: Before and After </h2> <p>Here is a summary of the measurable impact these strategies produced across my career, as implemented by Olamilekan Lamidi:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Company</th> <th>Metric</th> <th>Before</th> <th>After</th> <th>Improvement</th> </tr> </thead> <tbody> <tr> <td>VacancySoft</td> <td>Average query execution time</td> <td>850ms</td> <td>340ms</td> <td>60% reduction</td> </tr> <tr> <td>VacancySoft</td> <td>Dashboard load time</td> <td>3.8s</td> <td>0.4s</td> <td>89% reduction</td> </tr> <tr> <td>VacancySoft</td> <td>p95 API response time</td> <td>1.2s</td> <td>180ms</td> <td>85% reduction</td> </tr> <tr> <td>Univelcity</td> <td>API response time (avg)</td> <td>620ms</td> <td>340ms</td> <td>45% reduction</td> </tr> <tr> <td>Univelcity</td> <td>Queries per page load</td> <td>45</td> <td>8</td> <td>82% reduction</td> </tr> <tr> <td>Lordwin Group</td> <td>Real-time query latency</td> <td>220ms</td> <td>35ms</td> <td>84% reduction</td> </tr> <tr> <td>2am Tech</td> <td>Organisation dashboard load</td> <td>3.1s</td> <td>400ms</td> <td>87% reduction</td> </tr> </tbody> </table></div> <h2> Key Takeaways </h2> <ol> <li> <strong>Profile before you optimize.</strong> EXPLAIN ANALYZE and slow query logs should be your starting point, not your intuition.</li> <li> <strong>Composite and partial indexes are the highest-leverage optimization</strong> in most applications. One well-placed index can eliminate 99% of query time.</li> <li> <strong>ORMs are productivity tools, not performance tools.</strong> Review the SQL they generate, especially for complex queries.</li> <li> <strong>Materialized views and strategic denormalization</strong> are not anti-patterns — they are essential tools for read-heavy workloads.</li> <li> <strong>Connection pooling is mandatory</strong> once you are handling more than a few hundred concurrent connections.</li> <li> <strong>Caching is the last layer</strong>, not the first. Optimize the underlying queries before adding cache complexity.</li> </ol> <p>Database optimization is not a one-time project. It is an ongoing discipline. The queries that perform well today may become bottlenecks tomorrow as data grows and access patterns change. Build profiling and monitoring into your workflow, and treat database performance as a first-class engineering concern.</p> database postgres mysql performance The Art of API Design: Principles I Learned Building APIs That Handle 50,000+ Daily Requests Olamilekan Lamidi Sun, 12 Apr 2026 21:02:36 +0000 https://dev.to/oluwatosinolamilekan/the-art-of-api-design-principles-i-learned-building-apis-that-handle-50000-daily-requests-157h https://dev.to/oluwatosinolamilekan/the-art-of-api-design-principles-i-learned-building-apis-that-handle-50000-daily-requests-157h <p>APIs are the backbone of modern software. They power every mobile app you use, every SaaS dashboard you log into, and every integration between systems that makes the modern web work. Yet despite their ubiquity, most APIs are designed poorly. They leak database schema into response payloads, return cryptic error codes, break backward compatibility without warning, and crumble under load.</p> <p>I know this because I have spent the past nine years building, consuming, and debugging APIs across seven companies, multiple industries, and technology stacks spanning PHP (Laravel, Symfony) and JavaScript (Node.js, Express, NestJS). I have built APIs for health-tech platforms at 54gene, financial infrastructure at 2am Tech, real-time gaming at Lordwin Group, on-demand delivery at Viaduct, education technology at Univelcity, and enterprise SaaS at VacancySoft. Collectively, these systems have handled millions of requests and served tens of thousands of users.</p> <p>Through that experience, I have distilled a set of principles that separate well-designed APIs from fragile, frustrating ones. These are not theoretical musings — they are battle-tested patterns drawn from production systems that process 50,000+ daily requests at VacancySoft and have served over 8,000 users at Univelcity with 20,000+ requests per day.</p> <p>This article is a deep dive into those principles.</p> <h2> Principle 1: Design for the Consumer, Not the Database </h2> <p>The most common API design mistake I encounter is what I call "schema leaking" — when an API's resource structure mirrors the underlying database tables rather than reflecting how consumers actually use the data.</p> <p>Early in my career at Univelcity, I fell into this trap. We had a <code>users</code> table, a <code>courses</code> table, and a <code>enrollments</code> join table. The first version of our API had three corresponding endpoints that returned raw table structures. Clients had to make three separate requests and stitch data together themselves.</p> <p>The fix was to think in terms of <strong>resources</strong>, not tables. A consumer doesn't care about your join table. They care about "a student's enrolled courses" or "a course's enrolled students." The API should model those concepts directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">// Bad: Database-centric design GET /users/123 GET /enrollments?user_id=123 GET /courses/456 // Good: Consumer-centric design GET /students/123/courses GET /courses/456/students </span></code></pre> </div> <p>At VacancySoft, I apply this principle rigorously. Our APIs expose business concepts — vacancies, organisations, sectors, market trends — not the complex graph of PostgreSQL tables underneath. When we introduced a "market snapshot" feature, rather than forcing clients to aggregate data from four different endpoints, I designed a single <code>/market-snapshots</code> resource that returned a pre-composed view of the data clients needed. This reduced client-side complexity dramatically and cut the average number of API calls per page load from seven to two.</p> <p>The key insight: your database schema is an implementation detail. Your API contract is a product. Treat it like one.</p> <h2> Principle 2: Versioning Strategies That Don't Break Clients </h2> <p>API versioning is one of those topics where everyone has an opinion and nobody agrees. I have used three approaches across my career: URI versioning, header versioning, and query parameter versioning. Here is what I have learned.</p> <p><strong>URI versioning</strong> (<code>/api/v1/vacancies</code>) is what I use in most production systems and what we use at VacancySoft. It is explicit, easy to understand, easy to route, and easy to document. The tradeoff is that it can lead to code duplication if you are not careful about abstracting shared logic between versions.</p> <p><strong>Header versioning</strong> (<code>Accept: application/vnd.api+json; version=2</code>) is cleaner in theory but harder to test, harder to debug with basic tools like curl, and harder for less experienced developers to consume.</p> <p><strong>Query parameter versioning</strong> (<code>/api/vacancies?version=2</code>) is the worst of both worlds and I do not recommend it.</p> <p>My approach at VacancySoft:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Express router with versioned routes</span> <span class="kd">const</span> <span class="nx">v1Router</span> <span class="o">=</span> <span class="nx">express</span><span class="p">.</span><span class="nc">Router</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">v2Router</span> <span class="o">=</span> <span class="nx">express</span><span class="p">.</span><span class="nc">Router</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/v1</span><span class="dl">'</span><span class="p">,</span> <span class="nx">v1Router</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/v2</span><span class="dl">'</span><span class="p">,</span> <span class="nx">v2Router</span><span class="p">);</span> <span class="c1">// Shared business logic lives in services, not controllers</span> <span class="c1">// Controllers are thin version-specific adapters</span> <span class="nx">v1Router</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/vacancies</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">vacancyService</span><span class="p">.</span><span class="nf">search</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nf">transformV1</span><span class="p">(</span><span class="nx">data</span><span class="p">));</span> <span class="p">});</span> <span class="nx">v2Router</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/vacancies</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">vacancyService</span><span class="p">.</span><span class="nf">search</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span><span class="nf">transformV2</span><span class="p">(</span><span class="nx">data</span><span class="p">));</span> <span class="p">});</span> </code></pre> </div> <p>The critical rule I follow: <strong>never remove a version without a deprecation period and proactive communication to consumers.</strong> At VacancySoft, when we deprecated v1 of our vacancy search endpoint, I implemented a deprecation header (<code>Sunset: Sat, 01 Jul 2024 00:00:00 GMT</code>) six months in advance and added logging to track which clients were still using v1. This gave us data-driven confidence to retire the old version without breaking anyone.</p> <h2> Principle 3: Pagination, Filtering, and Sorting at Scale </h2> <p>Pagination seems simple until you are dealing with datasets of hundreds of thousands of records that change frequently. I have implemented both offset-based and cursor-based pagination in production, and the difference matters enormously at scale.</p> <p><strong>Offset pagination</strong> (<code>?page=5&amp;per_page=20</code>) is intuitive but fundamentally broken for large datasets. The database still has to scan all rows up to the offset, meaning page 500 is orders of magnitude slower than page 1. It also produces inconsistent results when records are inserted or deleted between requests.</p> <p>At VacancySoft, where our vacancy dataset exceeds hundreds of thousands of records and is updated continuously, I implemented <strong>cursor-based pagination</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Cursor-based pagination implementation</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getVacancies</span><span class="p">(</span><span class="nx">cursor</span><span class="p">,</span> <span class="nx">limit</span> <span class="o">=</span> <span class="mi">20</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">query</span> <span class="o">=</span> <span class="nf">knex</span><span class="p">(</span><span class="dl">'</span><span class="s1">vacancies</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">orderBy</span><span class="p">(</span><span class="dl">'</span><span class="s1">created_at</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">desc</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">orderBy</span><span class="p">(</span><span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">desc</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">limit</span><span class="p">(</span><span class="nx">limit</span> <span class="o">+</span> <span class="mi">1</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">cursor</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">created_at</span><span class="p">,</span> <span class="nx">id</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">decodeCursor</span><span class="p">(</span><span class="nx">cursor</span><span class="p">);</span> <span class="nx">query</span><span class="p">.</span><span class="nf">where</span><span class="p">(</span><span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nf">where</span><span class="p">(</span><span class="dl">'</span><span class="s1">created_at</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">&lt;</span><span class="dl">'</span><span class="p">,</span> <span class="nx">created_at</span><span class="p">)</span> <span class="p">.</span><span class="nf">orWhere</span><span class="p">(</span><span class="nf">function </span><span class="p">()</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nf">where</span><span class="p">(</span><span class="dl">'</span><span class="s1">created_at</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">=</span><span class="dl">'</span><span class="p">,</span> <span class="nx">created_at</span><span class="p">)</span> <span class="p">.</span><span class="nf">andWhere</span><span class="p">(</span><span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">&lt;</span><span class="dl">'</span><span class="p">,</span> <span class="nx">id</span><span class="p">);</span> <span class="p">});</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">results</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">query</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">hasMore</span> <span class="o">=</span> <span class="nx">results</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="nx">limit</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">items</span> <span class="o">=</span> <span class="nx">hasMore</span> <span class="p">?</span> <span class="nx">results</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">:</span> <span class="nx">results</span><span class="p">;</span> <span class="k">return</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="nx">items</span><span class="p">,</span> <span class="na">pagination</span><span class="p">:</span> <span class="p">{</span> <span class="na">has_more</span><span class="p">:</span> <span class="nx">hasMore</span><span class="p">,</span> <span class="na">next_cursor</span><span class="p">:</span> <span class="nx">hasMore</span> <span class="p">?</span> <span class="nf">encodeCursor</span><span class="p">(</span><span class="nx">items</span><span class="p">[</span><span class="nx">items</span><span class="p">.</span><span class="nx">length</span> <span class="o">-</span> <span class="mi">1</span><span class="p">])</span> <span class="p">:</span> <span class="kc">null</span><span class="p">,</span> <span class="p">},</span> <span class="p">};</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">encodeCursor</span><span class="p">(</span><span class="nx">record</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">created_at</span><span class="p">:</span> <span class="nx">record</span><span class="p">.</span><span class="nx">created_at</span><span class="p">,</span> <span class="na">id</span><span class="p">:</span> <span class="nx">record</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="p">})</span> <span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">base64</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>This approach uses a composite cursor of <code>(created_at, id)</code> to ensure stable ordering even with duplicate timestamps. It performs consistently regardless of how deep into the dataset a client paginates, because the database uses an index seek rather than a scan.</p> <p>For filtering, I standardise on a predictable pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">GET /api/v2/vacancies?sector=technology&amp;region=london&amp;salary_min=50000&amp;sort=-created_at </span></code></pre> </div> <p>The <code>-</code> prefix for descending sort is a convention I adopted from JSON:API and have used consistently across every API I have built since 2020. It is intuitive and self-documenting.</p> <h2> Principle 4: Error Handling That Helps Developers </h2> <p>Nothing frustrates an API consumer more than unhelpful errors. I have received <code>500 Internal Server Error</code> with an empty body from third-party APIs, and I have vowed never to do that to my consumers.</p> <p>Every API I build follows a consistent error schema:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"error"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"VALIDATION_ERROR"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"The request body contains invalid fields."</span><span class="p">,</span><span class="w"> </span><span class="nl">"details"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"field"</span><span class="p">:</span><span class="w"> </span><span class="s2">"email"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Must be a valid email address."</span><span class="p">,</span><span class="w"> </span><span class="nl">"received"</span><span class="p">:</span><span class="w"> </span><span class="s2">"not-an-email"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"field"</span><span class="p">:</span><span class="w"> </span><span class="s2">"salary_min"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Must be a positive integer."</span><span class="p">,</span><span class="w"> </span><span class="nl">"received"</span><span class="p">:</span><span class="w"> </span><span class="mi">-500</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"request_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"req_8f3a2b1c"</span><span class="p">,</span><span class="w"> </span><span class="nl">"documentation_url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://api.example.com/docs/errors#VALIDATION_ERROR"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Key principles:</p> <ol> <li> <strong>Machine-readable error codes</strong> (<code>VALIDATION_ERROR</code>, not just HTTP status codes) so clients can programmatically handle different error types.</li> <li> <strong>Human-readable messages</strong> so developers can understand what went wrong without consulting documentation.</li> <li> <strong>Field-level detail</strong> for validation errors so frontend developers know exactly which fields to highlight.</li> <li> <strong>Request IDs</strong> so that when a consumer reports an issue, I can trace it through our logging infrastructure.</li> <li> <strong>Documentation URLs</strong> that link directly to the relevant error documentation.</li> </ol> <p>At VacancySoft, I implemented a centralised error handling middleware that ensures every error — whether it is a validation failure, an authorization error, or an unexpected exception — passes through the same formatting pipeline:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Centralised error handler middleware</span> <span class="kd">function</span> <span class="nf">errorHandler</span><span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">requestId</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">headers</span><span class="p">[</span><span class="dl">'</span><span class="s1">x-request-id</span><span class="dl">'</span><span class="p">]</span> <span class="o">||</span> <span class="nf">generateRequestId</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span> <span class="k">instanceof</span> <span class="nx">ValidationError</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">422</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="p">{</span> <span class="na">code</span><span class="p">:</span> <span class="dl">'</span><span class="s1">VALIDATION_ERROR</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">,</span> <span class="na">details</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">details</span><span class="p">,</span> <span class="na">request_id</span><span class="p">:</span> <span class="nx">requestId</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">err</span> <span class="k">instanceof</span> <span class="nx">AuthorizationError</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="p">{</span> <span class="na">code</span><span class="p">:</span> <span class="dl">'</span><span class="s1">FORBIDDEN</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">You do not have permission to access this resource.</span><span class="dl">'</span><span class="p">,</span> <span class="na">request_id</span><span class="p">:</span> <span class="nx">requestId</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Unexpected errors: log full stack, return safe message</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">({</span> <span class="na">request_id</span><span class="p">:</span> <span class="nx">requestId</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">,</span> <span class="na">stack</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">stack</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">path</span><span class="p">,</span> <span class="na">method</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">method</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="p">{</span> <span class="na">code</span><span class="p">:</span> <span class="dl">'</span><span class="s1">INTERNAL_ERROR</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">An unexpected error occurred. Please try again.</span><span class="dl">'</span><span class="p">,</span> <span class="na">request_id</span><span class="p">:</span> <span class="nx">requestId</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>This approach ensures that internal details (stack traces, database errors) never leak to consumers, while still providing enough information for debugging.</p> <h2> Principle 5: Rate Limiting and Throttling for Protection </h2> <p>Any API exposed to the internet will eventually be abused — whether by a misconfigured client making thousands of requests in a loop, a scraper, or a deliberate attack. Rate limiting is not optional.</p> <p>I implement rate limiting at multiple layers:</p> <p><strong>Application-level rate limiting</strong> using Redis-backed token bucket or sliding window algorithms:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">rateLimit</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express-rate-limit</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">RedisStore</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">rate-limit-redis</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">Redis</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">ioredis</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">redisClient</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Redis</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REDIS_URL</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">apiLimiter</span> <span class="o">=</span> <span class="nf">rateLimit</span><span class="p">({</span> <span class="na">store</span><span class="p">:</span> <span class="k">new</span> <span class="nc">RedisStore</span><span class="p">({</span> <span class="na">client</span><span class="p">:</span> <span class="nx">redisClient</span><span class="p">,</span> <span class="na">prefix</span><span class="p">:</span> <span class="dl">'</span><span class="s1">rl:</span><span class="dl">'</span><span class="p">,</span> <span class="p">}),</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="c1">// 1 minute</span> <span class="na">max</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="c1">// 100 requests per minute</span> <span class="na">standardHeaders</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">legacyHeaders</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">handler</span><span class="p">:</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">429</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="p">{</span> <span class="na">code</span><span class="p">:</span> <span class="dl">'</span><span class="s1">RATE_LIMIT_EXCEEDED</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Too many requests. Please retry after the window resets.</span><span class="dl">'</span><span class="p">,</span> <span class="na">retry_after</span><span class="p">:</span> <span class="nx">res</span><span class="p">.</span><span class="nf">getHeader</span><span class="p">(</span><span class="dl">'</span><span class="s1">Retry-After</span><span class="dl">'</span><span class="p">),</span> <span class="p">},</span> <span class="p">});</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// Stricter limits for authentication endpoints</span> <span class="kd">const</span> <span class="nx">authLimiter</span> <span class="o">=</span> <span class="nf">rateLimit</span><span class="p">({</span> <span class="na">store</span><span class="p">:</span> <span class="k">new</span> <span class="nc">RedisStore</span><span class="p">({</span> <span class="na">client</span><span class="p">:</span> <span class="nx">redisClient</span><span class="p">,</span> <span class="na">prefix</span><span class="p">:</span> <span class="dl">'</span><span class="s1">rl:auth:</span><span class="dl">'</span> <span class="p">}),</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="c1">// 15 minutes</span> <span class="na">max</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="c1">// 10 attempts per 15 minutes</span> <span class="na">standardHeaders</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/</span><span class="dl">'</span><span class="p">,</span> <span class="nx">apiLimiter</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/auth/</span><span class="dl">'</span><span class="p">,</span> <span class="nx">authLimiter</span><span class="p">);</span> </code></pre> </div> <p><strong>Infrastructure-level rate limiting</strong> via Nginx or a CDN as the first line of defence. At VacancySoft, we use Nginx rate limiting in front of our Node.js services to catch abusive traffic before it reaches the application layer. This dual-layer approach proved critical during a traffic spike when a partner's integration went haywire and started hitting our API at 10x the normal rate. Nginx absorbed the burst, and the application-level limiter gracefully degraded the remaining overflow with proper 429 responses.</p> <p>I always include <code>RateLimit-*</code> headers in responses so well-behaved clients can self-throttle:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">RateLimit-Limit: 100 RateLimit-Remaining: 67 RateLimit-Reset: 1719849600 </span></code></pre> </div> <h2> Principle 6: Authentication and Authorization Patterns </h2> <p>Authentication (who are you?) and authorization (what can you do?) are distinct concerns that I see conflated constantly. Over my career I have implemented multiple patterns, and the right choice depends heavily on context.</p> <p>For service-to-service communication within a backend, I use short-lived <strong>JWT tokens</strong> with asymmetric key signing (RS256). The issuing service signs with a private key, and consuming services verify with the public key without needing to call back to the auth service:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">jwt</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">jsonwebtoken</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Token generation (auth service)</span> <span class="kd">function</span> <span class="nf">generateAccessToken</span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span> <span class="p">{</span> <span class="na">sub</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">roles</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">roles</span><span class="p">,</span> <span class="na">permissions</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">permissions</span><span class="p">,</span> <span class="p">},</span> <span class="nx">privateKey</span><span class="p">,</span> <span class="p">{</span> <span class="na">algorithm</span><span class="p">:</span> <span class="dl">'</span><span class="s1">RS256</span><span class="dl">'</span><span class="p">,</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="dl">'</span><span class="s1">15m</span><span class="dl">'</span><span class="p">,</span> <span class="na">issuer</span><span class="p">:</span> <span class="dl">'</span><span class="s1">auth.vacancysoft.com</span><span class="dl">'</span><span class="p">,</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// Middleware for route-level authorization</span> <span class="kd">function</span> <span class="nf">requirePermission</span><span class="p">(</span><span class="nx">permission</span><span class="p">)</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span> <span class="o">||</span> <span class="o">!</span><span class="nx">req</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">permissions</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">permission</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="p">{</span> <span class="na">code</span><span class="p">:</span> <span class="dl">'</span><span class="s1">FORBIDDEN</span><span class="dl">'</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="s2">`Required permission: </span><span class="p">${</span><span class="nx">permission</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> <span class="nf">next</span><span class="p">();</span> <span class="p">};</span> <span class="p">}</span> <span class="c1">// Usage</span> <span class="nx">router</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span> <span class="dl">'</span><span class="s1">/vacancies/:id</span><span class="dl">'</span><span class="p">,</span> <span class="nx">authenticate</span><span class="p">,</span> <span class="nf">requirePermission</span><span class="p">(</span><span class="dl">'</span><span class="s1">vacancies:delete</span><span class="dl">'</span><span class="p">),</span> <span class="nx">vacancyController</span><span class="p">.</span><span class="nx">destroy</span> <span class="p">);</span> </code></pre> </div> <p>At VacancySoft, I implemented a role-based access control (RBAC) system with granular permissions. Rather than checking <code>if (user.role === 'admin')</code> throughout the codebase, permissions are encoded in the JWT and checked via middleware. This made it trivial to add new roles — when the product team introduced a "regional analyst" role, I added the appropriate permissions without touching a single controller.</p> <p>For external-facing APIs, I use <strong>API keys</strong> for identification combined with <strong>OAuth 2.0</strong> for delegated access when third-party integrations need to act on behalf of users.</p> <h2> Principle 7: Documentation as a First-Class Citizen </h2> <p>I have a rule: if an API endpoint ships without documentation, it does not ship. Documentation is not an afterthought — it is a deliverable.</p> <p>I use the <strong>OpenAPI 3.0 specification</strong> (Swagger) for every API I build, and I generate the spec from code annotations rather than maintaining a separate document that inevitably drifts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="cm">/** * @openapi * /api/v2/vacancies: * get: * summary: Search vacancies * description: &gt; * Returns a paginated, filtered list of vacancies. * Supports cursor-based pagination for stable results. * tags: [Vacancies] * parameters: * - in: query * name: sector * schema: * type: string * description: Filter by sector slug * - in: query * name: cursor * schema: * type: string * description: Pagination cursor from previous response * responses: * 200: * description: Paginated list of vacancies * content: * application/json: * schema: * $ref: '#/components/schemas/VacancyListResponse' * 429: * description: Rate limit exceeded */</span> <span class="nx">router</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/vacancies</span><span class="dl">'</span><span class="p">,</span> <span class="nx">vacancyController</span><span class="p">.</span><span class="nx">search</span><span class="p">);</span> </code></pre> </div> <p>At VacancySoft, our Swagger documentation is auto-generated from these annotations and published to an internal documentation portal. Every endpoint includes request/response examples, error codes, and authentication requirements. When new team members onboard, they can explore and test every endpoint interactively without reading a single line of source code.</p> <p>I also generate <strong>Postman collections</strong> from the OpenAPI spec, which our QA team and integration partners use for testing. This single-source-of-truth approach eliminates the documentation drift that plagues most API teams.</p> <h2> The Results </h2> <p>These principles are not academic exercises. Applied consistently at VacancySoft, they have produced measurable outcomes:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Result</th> </tr> </thead> <tbody> <tr> <td>Daily request volume</td> <td>50,000+</td> </tr> <tr> <td>API uptime</td> <td>99.8%+ over the last 12 months</td> </tr> <tr> <td>Average response time (p50)</td> <td>45ms</td> </tr> <tr> <td>Average response time (p95)</td> <td>180ms</td> </tr> <tr> <td>Client integration time</td> <td>Reduced from weeks to days</td> </tr> <tr> <td>Breaking changes in production</td> <td>Zero in the last 18 months</td> </tr> <tr> <td>Support tickets related to API confusion</td> <td>Down 70% after error schema standardisation</td> </tr> </tbody> </table></div> <p>Olamilekan Lamidi's approach to API design has been shaped by one core belief: an API is a product, and its consumers are your users. Every decision — from resource naming to error formatting to pagination strategy — should be made with the consumer's experience in mind.</p> <h2> Key Takeaways </h2> <ol> <li> <strong>Model resources around consumer use cases</strong>, not database tables.</li> <li> <strong>Use URI versioning</strong> with a clear deprecation policy and sunset headers.</li> <li> <strong>Implement cursor-based pagination</strong> for any dataset that changes frequently or exceeds a few thousand records.</li> <li> <strong>Standardise error responses</strong> with machine-readable codes, human-readable messages, and request IDs.</li> <li> <strong>Rate limit at multiple layers</strong> — infrastructure and application — and communicate limits via headers.</li> <li> <strong>Separate authentication from authorization</strong> and encode permissions in tokens for stateless checks.</li> <li> <strong>Treat documentation as a deliverable</strong>, not an afterthought. Generate it from code.</li> </ol> <p>These principles have served me across every company and technology stack I have worked with. Whether you are building a Laravel API in PHP or an Express API in Node.js, the fundamentals remain the same: design for clarity, build for resilience, and always, always think about the person on the other side of the request.</p> api webdev node backend Engineering Real-Time Delivery Tracking That Increased Checkout Conversions by 20% Olamilekan Lamidi Thu, 09 Apr 2026 22:46:21 +0000 https://dev.to/oluwatosinolamilekan/engineering-real-time-delivery-tracking-that-increased-checkout-conversions-by-20-4mo8 https://dev.to/oluwatosinolamilekan/engineering-real-time-delivery-tracking-that-increased-checkout-conversions-by-20-4mo8 <p>In e-commerce and on-demand delivery, the moment a user clicks "Place Order" begins an anxiety cycle. Where is my order? When will it arrive? This uncertainty kills conversions.</p> <p>Between November 2020 and July 2021, I worked as a Full-Stack Developer at Viaduct, where I engineered a real-time delivery tracking system for an on-demand platform serving 5,000+ active users. The platform connected customers with local vendors for same-day delivery. Before I joined, users were abandoning carts and cancelling orders at alarming rates because they had zero visibility into delivery status.</p> <p>This article details how I designed and built the tracking system — Google Maps integration, WebSocket-powered live updates, a Vue.js reactive interface, and the Laravel backend tying it together. The result: a 20% increase in checkout conversions.</p> <h2> The Problem: Delivery Opacity Was Killing Revenue </h2> <p>When I joined Viaduct, the delivery platform was functional but opaque. Users placed orders, received a confirmation email, and waited. The only updates were manual — a dispatcher marked orders "out for delivery" when a driver departed and "delivered" when reported back.</p> <p>The consequences were measurable:</p> <p><strong>Cart abandonment:</strong> 32% of users abandoned at checkout. Exit surveys showed the top reason was "uncertain delivery time."</p> <p><strong>Post-order cancellations:</strong> 15% of completed checkouts were cancelled within 30 minutes, most citing "no delivery updates."</p> <p><strong>Support overload:</strong> 200+ daily calls asking "where is my order?" — each averaging 4 minutes, consuming 13 person-hours daily.</p> <p><strong>Driver accountability gaps:</strong> Without GPS tracking, there was no way to verify delivery times, identify route inefficiencies, or resolve disputes.</p> <h2> My Role: Full-Stack Architect of the Tracking System </h2> <p>I designed and built the entire real-time tracking system end-to-end: the Laravel backend infrastructure, Google Maps API integration, the WebSocket communication layer, and the Vue.js frontend tracking interface. I owned it from initial technical design through production deployment and post-launch optimisation.</p> <h2> Technical Deep Dive: Building the Real-Time Tracking Infrastructure </h2> <h3> 1. Driver Location Collection Architecture </h3> <p>The foundation of real-time tracking is reliable location data. I built a location reporting service on drivers' devices, transmitting GPS coordinates at configurable intervals.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">DriverLocationController</span> <span class="kd">extends</span> <span class="nc">Controller</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">updateLocation</span><span class="p">(</span><span class="kt">UpdateLocationRequest</span> <span class="nv">$request</span><span class="p">):</span> <span class="kt">JsonResponse</span> <span class="p">{</span> <span class="nv">$driver</span> <span class="o">=</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">();</span> <span class="nv">$validated</span> <span class="o">=</span> <span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">validated</span><span class="p">();</span> <span class="nv">$location</span> <span class="o">=</span> <span class="nc">DriverLocation</span><span class="o">::</span><span class="nf">create</span><span class="p">([</span> <span class="s1">'driver_id'</span> <span class="o">=&gt;</span> <span class="nv">$driver</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'latitude'</span> <span class="o">=&gt;</span> <span class="nv">$validated</span><span class="p">[</span><span class="s1">'latitude'</span><span class="p">],</span> <span class="s1">'longitude'</span> <span class="o">=&gt;</span> <span class="nv">$validated</span><span class="p">[</span><span class="s1">'longitude'</span><span class="p">],</span> <span class="s1">'accuracy'</span> <span class="o">=&gt;</span> <span class="nv">$validated</span><span class="p">[</span><span class="s1">'accuracy'</span><span class="p">],</span> <span class="s1">'speed'</span> <span class="o">=&gt;</span> <span class="nv">$validated</span><span class="p">[</span><span class="s1">'speed'</span><span class="p">]</span> <span class="o">??</span> <span class="kc">null</span><span class="p">,</span> <span class="s1">'heading'</span> <span class="o">=&gt;</span> <span class="nv">$validated</span><span class="p">[</span><span class="s1">'heading'</span><span class="p">]</span> <span class="o">??</span> <span class="kc">null</span><span class="p">,</span> <span class="s1">'recorded_at'</span> <span class="o">=&gt;</span> <span class="nc">Carbon</span><span class="o">::</span><span class="nf">createFromTimestamp</span><span class="p">(</span><span class="nv">$validated</span><span class="p">[</span><span class="s1">'timestamp'</span><span class="p">]),</span> <span class="p">]);</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$activeDelivery</span> <span class="o">=</span> <span class="nv">$driver</span><span class="o">-&gt;</span><span class="n">activeDelivery</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">broadcastLocationUpdate</span><span class="p">(</span><span class="nv">$activeDelivery</span><span class="p">,</span> <span class="nv">$location</span><span class="p">);</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">updateEstimatedArrival</span><span class="p">(</span><span class="nv">$activeDelivery</span><span class="p">,</span> <span class="nv">$location</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">response</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">([</span><span class="s1">'status'</span> <span class="o">=&gt;</span> <span class="s1">'recorded'</span><span class="p">],</span> <span class="mi">200</span><span class="p">);</span> <span class="p">}</span> <span class="k">private</span> <span class="k">function</span> <span class="n">broadcastLocationUpdate</span><span class="p">(</span><span class="kt">Delivery</span> <span class="nv">$delivery</span><span class="p">,</span> <span class="kt">DriverLocation</span> <span class="nv">$location</span><span class="p">):</span> <span class="kt">void</span> <span class="p">{</span> <span class="nc">Redis</span><span class="o">::</span><span class="nf">publish</span><span class="p">(</span><span class="s2">"delivery:</span><span class="si">{</span><span class="nv">$delivery</span><span class="o">-&gt;</span><span class="n">id</span><span class="si">}</span><span class="s2">:location"</span><span class="p">,</span> <span class="nb">json_encode</span><span class="p">([</span> <span class="s1">'delivery_id'</span> <span class="o">=&gt;</span> <span class="nv">$delivery</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'driver'</span> <span class="o">=&gt;</span> <span class="p">[</span> <span class="s1">'latitude'</span> <span class="o">=&gt;</span> <span class="nv">$location</span><span class="o">-&gt;</span><span class="n">latitude</span><span class="p">,</span> <span class="s1">'longitude'</span> <span class="o">=&gt;</span> <span class="nv">$location</span><span class="o">-&gt;</span><span class="n">longitude</span><span class="p">,</span> <span class="s1">'heading'</span> <span class="o">=&gt;</span> <span class="nv">$location</span><span class="o">-&gt;</span><span class="n">heading</span><span class="p">,</span> <span class="p">],</span> <span class="s1">'timestamp'</span> <span class="o">=&gt;</span> <span class="nv">$location</span><span class="o">-&gt;</span><span class="n">recorded_at</span><span class="o">-&gt;</span><span class="nf">toIso8601String</span><span class="p">(),</span> <span class="p">]));</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Location updates published to Redis channels, bridging the Laravel backend and the WebSocket server. This decoupled location ingestion (high-frequency HTTP POSTs from drivers) from location broadcasting (persistent WebSocket connections to customers), allowing each to scale independently.</p> <h3> 2. Google Maps Integration for ETA Calculation </h3> <p>Accurate ETAs were critical. I integrated the Google Maps Directions API with live traffic data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">GoogleMapsService</span> <span class="p">{</span> <span class="k">public</span> <span class="k">static</span> <span class="k">function</span> <span class="n">getDirections</span><span class="p">(</span><span class="kt">array</span> <span class="nv">$origin</span><span class="p">,</span> <span class="kt">array</span> <span class="nv">$destination</span><span class="p">):</span> <span class="kt">?DirectionsResult</span> <span class="p">{</span> <span class="nv">$response</span> <span class="o">=</span> <span class="nc">Http</span><span class="o">::</span><span class="nf">get</span><span class="p">(</span><span class="s1">'https://maps.googleapis.com/maps/api/directions/json'</span><span class="p">,</span> <span class="p">[</span> <span class="s1">'origin'</span> <span class="o">=&gt;</span> <span class="s2">"</span><span class="si">{</span><span class="nv">$origin</span><span class="p">[</span><span class="s1">'lat'</span><span class="p">]</span><span class="si">}</span><span class="s2">,</span><span class="si">{</span><span class="nv">$origin</span><span class="p">[</span><span class="s1">'lng'</span><span class="p">]</span><span class="si">}</span><span class="s2">"</span><span class="p">,</span> <span class="s1">'destination'</span> <span class="o">=&gt;</span> <span class="s2">"</span><span class="si">{</span><span class="nv">$destination</span><span class="p">[</span><span class="s1">'lat'</span><span class="p">]</span><span class="si">}</span><span class="s2">,</span><span class="si">{</span><span class="nv">$destination</span><span class="p">[</span><span class="s1">'lng'</span><span class="p">]</span><span class="si">}</span><span class="s2">"</span><span class="p">,</span> <span class="s1">'mode'</span> <span class="o">=&gt;</span> <span class="s1">'driving'</span><span class="p">,</span> <span class="s1">'departure_time'</span> <span class="o">=&gt;</span> <span class="s1">'now'</span><span class="p">,</span> <span class="s1">'traffic_model'</span> <span class="o">=&gt;</span> <span class="s1">'best_guess'</span><span class="p">,</span> <span class="s1">'key'</span> <span class="o">=&gt;</span> <span class="nf">config</span><span class="p">(</span><span class="s1">'services.google_maps.api_key'</span><span class="p">),</span> <span class="p">]);</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$response</span><span class="o">-&gt;</span><span class="nf">successful</span><span class="p">()</span> <span class="o">||</span> <span class="nv">$response</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">(</span><span class="s1">'status'</span><span class="p">)</span> <span class="o">!==</span> <span class="s1">'OK'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="nv">$leg</span> <span class="o">=</span> <span class="nv">$response</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">(</span><span class="s1">'routes.0.legs.0'</span><span class="p">);</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">DirectionsResult</span><span class="p">(</span> <span class="n">durationMinutes</span><span class="o">:</span> <span class="p">(</span><span class="n">int</span><span class="p">)</span> <span class="nb">ceil</span><span class="p">(</span><span class="nv">$leg</span><span class="p">[</span><span class="s1">'duration_in_traffic'</span><span class="p">][</span><span class="s1">'value'</span><span class="p">]</span> <span class="o">/</span> <span class="mi">60</span><span class="p">),</span> <span class="n">distanceKm</span><span class="o">:</span> <span class="nb">round</span><span class="p">(</span><span class="nv">$leg</span><span class="p">[</span><span class="s1">'distance'</span><span class="p">][</span><span class="s1">'value'</span><span class="p">]</span> <span class="o">/</span> <span class="mi">1000</span><span class="p">,</span> <span class="mi">1</span><span class="p">),</span> <span class="n">polyline</span><span class="o">:</span> <span class="nv">$response</span><span class="o">-&gt;</span><span class="nf">json</span><span class="p">(</span><span class="s1">'routes.0.overview_polyline.points'</span><span class="p">),</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Using <code>departure_time=now</code> and <code>traffic_model=best_guess</code> ensured ETAs reflected live traffic — during rush hours, static estimates might show 10 minutes while actual time was 25. However, calling Google Maps on every location update (every 10 seconds per driver) would be prohibitively expensive. I implemented intelligent throttling using Haversine distance:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">ETAService</span> <span class="p">{</span> <span class="k">private</span> <span class="k">const</span> <span class="no">ETA_CACHE_TTL</span> <span class="o">=</span> <span class="mi">60</span><span class="p">;</span> <span class="k">private</span> <span class="k">const</span> <span class="no">MIN_DISTANCE_FOR_RECALC</span> <span class="o">=</span> <span class="mf">0.2</span><span class="p">;</span> <span class="c1">// km</span> <span class="k">public</span> <span class="k">function</span> <span class="n">shouldRecalculateETA</span><span class="p">(</span><span class="kt">Delivery</span> <span class="nv">$delivery</span><span class="p">,</span> <span class="kt">DriverLocation</span> <span class="nv">$newLocation</span><span class="p">):</span> <span class="kt">bool</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$delivery</span><span class="o">-&gt;</span><span class="n">eta_updated_at</span><span class="p">)</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">diffInSeconds</span><span class="p">(</span><span class="nv">$delivery</span><span class="o">-&gt;</span><span class="n">eta_updated_at</span><span class="p">)</span> <span class="o">&lt;</span> <span class="k">self</span><span class="o">::</span><span class="no">ETA_CACHE_TTL</span><span class="p">)</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="nv">$lastCalcLocation</span> <span class="o">=</span> <span class="nc">Cache</span><span class="o">::</span><span class="nf">get</span><span class="p">(</span><span class="s2">"eta_calc_location:</span><span class="si">{</span><span class="nv">$delivery</span><span class="o">-&gt;</span><span class="n">id</span><span class="si">}</span><span class="s2">"</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$lastCalcLocation</span><span class="p">)</span> <span class="k">return</span> <span class="kc">true</span><span class="p">;</span> <span class="k">return</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">haversineDistance</span><span class="p">(</span> <span class="nv">$lastCalcLocation</span><span class="p">[</span><span class="s1">'lat'</span><span class="p">],</span> <span class="nv">$lastCalcLocation</span><span class="p">[</span><span class="s1">'lng'</span><span class="p">],</span> <span class="nv">$newLocation</span><span class="o">-&gt;</span><span class="n">latitude</span><span class="p">,</span> <span class="nv">$newLocation</span><span class="o">-&gt;</span><span class="n">longitude</span> <span class="p">)</span> <span class="o">&gt;=</span> <span class="k">self</span><span class="o">::</span><span class="no">MIN_DISTANCE_FOR_RECALC</span><span class="p">;</span> <span class="p">}</span> <span class="k">private</span> <span class="k">function</span> <span class="n">haversineDistance</span><span class="p">(</span><span class="kt">float</span> <span class="nv">$lat1</span><span class="p">,</span> <span class="kt">float</span> <span class="nv">$lon1</span><span class="p">,</span> <span class="kt">float</span> <span class="nv">$lat2</span><span class="p">,</span> <span class="kt">float</span> <span class="nv">$lon2</span><span class="p">):</span> <span class="kt">float</span> <span class="p">{</span> <span class="nv">$dLat</span> <span class="o">=</span> <span class="nb">deg2rad</span><span class="p">(</span><span class="nv">$lat2</span> <span class="o">-</span> <span class="nv">$lat1</span><span class="p">);</span> <span class="nv">$dLon</span> <span class="o">=</span> <span class="nb">deg2rad</span><span class="p">(</span><span class="nv">$lon2</span> <span class="o">-</span> <span class="nv">$lon1</span><span class="p">);</span> <span class="nv">$a</span> <span class="o">=</span> <span class="nb">sin</span><span class="p">(</span><span class="nv">$dLat</span><span class="o">/</span><span class="mi">2</span><span class="p">)</span><span class="o">**</span><span class="mi">2</span> <span class="o">+</span> <span class="nb">cos</span><span class="p">(</span><span class="nb">deg2rad</span><span class="p">(</span><span class="nv">$lat1</span><span class="p">))</span> <span class="o">*</span> <span class="nb">cos</span><span class="p">(</span><span class="nb">deg2rad</span><span class="p">(</span><span class="nv">$lat2</span><span class="p">))</span> <span class="o">*</span> <span class="nb">sin</span><span class="p">(</span><span class="nv">$dLon</span><span class="o">/</span><span class="mi">2</span><span class="p">)</span><span class="o">**</span><span class="mi">2</span><span class="p">;</span> <span class="k">return</span> <span class="mi">6371</span> <span class="o">*</span> <span class="mi">2</span> <span class="o">*</span> <span class="nb">atan2</span><span class="p">(</span><span class="nb">sqrt</span><span class="p">(</span><span class="nv">$a</span><span class="p">),</span> <span class="nb">sqrt</span><span class="p">(</span><span class="mi">1</span> <span class="o">-</span> <span class="nv">$a</span><span class="p">));</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>ETAs were recalculated only when the driver moved 200m+ and 60+ seconds had elapsed, reducing Google Maps API calls by ~80%.</p> <h3> 3. WebSocket Server for Live Customer Updates </h3> <p>The real-time frontend was powered by a Node.js WebSocket server subscribed to Redis channels:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">wss</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">WebSocket</span><span class="p">.</span><span class="nc">Server</span><span class="p">({</span> <span class="na">port</span><span class="p">:</span> <span class="mi">6001</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">subscriber</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Redis</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">REDIS_URL</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">deliverySubscriptions</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Map</span><span class="p">();</span> <span class="nx">wss</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">connection</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">ws</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">message</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">raw</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">msg</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">raw</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">subscribe_delivery</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">deliverySubscriptions</span><span class="p">.</span><span class="nf">has</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">deliveryId</span><span class="p">))</span> <span class="p">{</span> <span class="nx">deliverySubscriptions</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">deliveryId</span><span class="p">,</span> <span class="k">new</span> <span class="nc">Set</span><span class="p">());</span> <span class="nx">subscriber</span><span class="p">.</span><span class="nf">subscribe</span><span class="p">(</span> <span class="s2">`delivery:</span><span class="p">${</span><span class="nx">msg</span><span class="p">.</span><span class="nx">deliveryId</span><span class="p">}</span><span class="s2">:location`</span><span class="p">,</span> <span class="s2">`delivery:</span><span class="p">${</span><span class="nx">msg</span><span class="p">.</span><span class="nx">deliveryId</span><span class="p">}</span><span class="s2">:eta`</span><span class="p">,</span> <span class="s2">`delivery:</span><span class="p">${</span><span class="nx">msg</span><span class="p">.</span><span class="nx">deliveryId</span><span class="p">}</span><span class="s2">:status`</span> <span class="p">);</span> <span class="p">}</span> <span class="nx">deliverySubscriptions</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">deliveryId</span><span class="p">).</span><span class="nf">add</span><span class="p">(</span><span class="nx">ws</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">close</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">ws</span><span class="p">.</span><span class="nx">deliveryId</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">subs</span> <span class="o">=</span> <span class="nx">deliverySubscriptions</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">ws</span><span class="p">.</span><span class="nx">deliveryId</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">subs</span><span class="p">)</span> <span class="p">{</span> <span class="nx">subs</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="nx">ws</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">subs</span><span class="p">.</span><span class="nx">size</span> <span class="o">===</span> <span class="mi">0</span><span class="p">)</span> <span class="nx">deliverySubscriptions</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="nx">ws</span><span class="p">.</span><span class="nx">deliveryId</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">});</span> <span class="p">});</span> <span class="nx">subscriber</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">message</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">channel</span><span class="p">,</span> <span class="nx">message</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[,</span> <span class="nx">deliveryId</span><span class="p">,</span> <span class="nx">eventType</span><span class="p">]</span> <span class="o">=</span> <span class="nx">channel</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">:</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">subs</span> <span class="o">=</span> <span class="nx">deliverySubscriptions</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">deliveryId</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">subs</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="s2">`delivery_</span><span class="p">${</span><span class="nx">eventType</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">message</span><span class="p">)</span> <span class="p">});</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">ws</span> <span class="k">of</span> <span class="nx">subs</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">ws</span><span class="p">.</span><span class="nx">readyState</span> <span class="o">===</span> <span class="nx">WebSocket</span><span class="p">.</span><span class="nx">OPEN</span><span class="p">)</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">payload</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>The server was deliberately stateless — it bridged Redis pub/sub to WebSocket connections with no business logic, making it horizontally scalable.</p> <h3> 4. Vue.js Real-Time Tracking Interface </h3> <p>The customer-facing tracking page used Vue.js Composition API. The core was a WebSocket composable with exponential backoff reconnection:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">export</span> <span class="kd">function</span> <span class="nf">useDeliveryWebSocket</span><span class="p">(</span><span class="nx">deliveryId</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">driverLocation</span> <span class="o">=</span> <span class="nf">ref</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">eta</span> <span class="o">=</span> <span class="nf">ref</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">deliveryStatus</span> <span class="o">=</span> <span class="nf">ref</span><span class="p">(</span><span class="dl">'</span><span class="s1">confirmed</span><span class="dl">'</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">ws</span> <span class="o">=</span> <span class="kc">null</span><span class="p">,</span> <span class="nx">reconnectAttempts</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">connect</span><span class="p">()</span> <span class="p">{</span> <span class="nx">ws</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">WebSocket</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">VUE_APP_WS_URL</span><span class="p">);</span> <span class="nx">ws</span><span class="p">.</span><span class="nx">onopen</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">reconnectAttempts</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">ws</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">subscribe_delivery</span><span class="dl">'</span><span class="p">,</span> <span class="nx">deliveryId</span> <span class="p">}));</span> <span class="p">};</span> <span class="nx">ws</span><span class="p">.</span><span class="nx">onmessage</span> <span class="o">=</span> <span class="p">({</span> <span class="nx">data</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">msg</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">delivery_location</span><span class="dl">'</span><span class="p">)</span> <span class="nx">driverLocation</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="nx">msg</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">driver</span><span class="p">;</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">delivery_eta</span><span class="dl">'</span><span class="p">)</span> <span class="nx">eta</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="nx">msg</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">eta_minutes</span><span class="p">;</span> <span class="k">else</span> <span class="k">if </span><span class="p">(</span><span class="nx">msg</span><span class="p">.</span><span class="nx">type</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">delivery_status</span><span class="dl">'</span><span class="p">)</span> <span class="nx">deliveryStatus</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="nx">msg</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">status</span><span class="p">;</span> <span class="p">};</span> <span class="nx">ws</span><span class="p">.</span><span class="nx">onclose</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">reconnectAttempts</span> <span class="o">&lt;</span> <span class="mi">10</span><span class="p">)</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">connect</span><span class="p">,</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">min</span><span class="p">(</span><span class="mi">1000</span> <span class="o">*</span> <span class="mi">2</span> <span class="o">**</span> <span class="nx">reconnectAttempts</span><span class="o">++</span><span class="p">,</span> <span class="mi">30000</span><span class="p">));</span> <span class="p">};</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">driverLocation</span><span class="p">,</span> <span class="nx">eta</span><span class="p">,</span> <span class="nx">deliveryStatus</span><span class="p">,</span> <span class="nx">connect</span><span class="p">,</span> <span class="na">disconnect</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">ws</span><span class="p">?.</span><span class="nf">close</span><span class="p">()</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>The map component initialised Google Maps, rendered destination and driver markers, and animated the driver marker between positions using cubic easing. Without animation, the marker would "teleport" every 10 seconds — with smooth interpolation, users perceived continuous movement, dramatically improving perceived quality.</p> <h3> 5. Delivery Status Lifecycle and Performance </h3> <p>Every status transition published to Redis for real-time updates, sent push notifications, and recorded metrics:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">Delivery</span> <span class="kd">extends</span> <span class="nc">Model</span> <span class="p">{</span> <span class="k">public</span> <span class="k">function</span> <span class="n">markPickedUp</span><span class="p">():</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span><span class="s1">'status'</span> <span class="o">=&gt;</span> <span class="s1">'picked_up'</span><span class="p">,</span> <span class="s1">'picked_up_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()]);</span> <span class="nc">Redis</span><span class="o">::</span><span class="nf">publish</span><span class="p">(</span><span class="s2">"delivery:</span><span class="si">{</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">id</span><span class="si">}</span><span class="s2">:status"</span><span class="p">,</span> <span class="nb">json_encode</span><span class="p">([</span> <span class="s1">'delivery_id'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'status'</span> <span class="o">=&gt;</span> <span class="s1">'picked_up'</span><span class="p">,</span> <span class="s1">'driver'</span> <span class="o">=&gt;</span> <span class="p">[</span><span class="s1">'name'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">driver</span><span class="o">-&gt;</span><span class="n">name</span><span class="p">,</span> <span class="s1">'phone'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">driver</span><span class="o">-&gt;</span><span class="n">phone</span><span class="p">],</span> <span class="p">]));</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">order</span><span class="o">-&gt;</span><span class="n">customer</span><span class="o">-&gt;</span><span class="nf">notify</span><span class="p">(</span><span class="k">new</span> <span class="nc">DeliveryPickedUpNotification</span><span class="p">(</span><span class="nv">$this</span><span class="p">));</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">markDelivered</span><span class="p">():</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span><span class="s1">'status'</span> <span class="o">=&gt;</span> <span class="s1">'delivered'</span><span class="p">,</span> <span class="s1">'delivered_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()]);</span> <span class="nc">Redis</span><span class="o">::</span><span class="nf">publish</span><span class="p">(</span><span class="s2">"delivery:</span><span class="si">{</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">id</span><span class="si">}</span><span class="s2">:status"</span><span class="p">,</span> <span class="nb">json_encode</span><span class="p">([</span> <span class="s1">'delivery_id'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'status'</span> <span class="o">=&gt;</span> <span class="s1">'delivered'</span><span class="p">,</span> <span class="p">]));</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">order</span><span class="o">-&gt;</span><span class="n">customer</span><span class="o">-&gt;</span><span class="nf">notify</span><span class="p">(</span><span class="k">new</span> <span class="nc">DeliveryCompletedNotification</span><span class="p">(</span><span class="nv">$this</span><span class="p">));</span> <span class="nc">DeliveryMetric</span><span class="o">::</span><span class="nf">create</span><span class="p">([</span> <span class="s1">'delivery_id'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'driver_id'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">driver_id</span><span class="p">,</span> <span class="s1">'estimated_minutes'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">estimated_arrival_minutes</span><span class="p">,</span> <span class="s1">'actual_minutes'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">picked_up_at</span><span class="o">?-&gt;</span><span class="nf">diffInMinutes</span><span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">delivered_at</span><span class="p">),</span> <span class="p">]);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The <code>DeliveryMetric</code> model enabled comparing estimated vs. actual delivery times, identifying underperforming drivers and slow routes.</p> <p>For performance at scale, I buffered location writes in Redis and flushed to PostgreSQL in batches every 30 seconds, reducing database write load by 90% while maintaining real-time delivery through the pub/sub layer. Vendor discovery pages used PostGIS spatial queries (<code>ST_DWithin</code>, <code>ST_Distance</code>) with aggressive caching, returning results in under 50ms across thousands of records.</p> <h2> The Results: Measurable Business Impact </h2> <p>The system launched after eight weeks of development. Results over a 60-day observation period:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Before</th> <th>After</th> <th>Change</th> </tr> </thead> <tbody> <tr> <td>Checkout conversion rate</td> <td>68%</td> <td>88%</td> <td><strong>+20 percentage points</strong></td> </tr> <tr> <td>Post-order cancellation rate</td> <td>15%</td> <td>4%</td> <td><strong>73% reduction</strong></td> </tr> <tr> <td>"Where is my order?" support calls</td> <td>200+/day</td> <td>~35/day</td> <td><strong>82% reduction</strong></td> </tr> <tr> <td>Customer satisfaction score</td> <td>3.4/5</td> <td>4.3/5</td> <td><strong>26% improvement</strong></td> </tr> <tr> <td>Active platform users</td> <td>~3,200</td> <td>5,000+</td> <td><strong>56% growth</strong></td> </tr> <tr> <td>Tracking page views per order</td> <td>0</td> <td>4.2</td> <td>New engagement channel</td> </tr> </tbody> </table></div> <p>The support call reduction alone freed 11 person-hours daily — redirected to proactive customer outreach and vendor management.</p> <h2> Technical Lessons </h2> <ol> <li><p><strong>Decouple ingestion from delivery.</strong> Location collection (Laravel) and broadcasting (Node.js WebSocket) had different performance profiles. Separate services connected by Redis allowed independent scaling.</p></li> <li><p><strong>Animate transitions, don't teleport.</strong> Users perceive smooth movement as real-time tracking and position jumps as a broken system.</p></li> <li><p><strong>Throttle expensive API calls intelligently.</strong> The Haversine check before ETA recalculation saved thousands of unnecessary Google Maps calls daily.</p></li> <li><p><strong>Buffer writes, stream reads.</strong> Batch-writing to the database while streaming through Redis provided both persistence and live performance.</p></li> <li><p><strong>Measure business metrics.</strong> WebSocket latency matters, but checkout conversion rate proved the system's value.</p></li> </ol> websock vue laravel fullstack