Multi-App Platform · Fintech
Funded Academy Platform
Prop trading platform where real money moves. Three architectural layers that need to agree on who can do what.



Overview
Funded Academy is a prop trading platform built across three distinct architectural layers — Laravel backend, Vue 3 admin panel, Next.js public site, and a WordPress/WooCommerce storefront. When real money is involved, every layer must enforce the same access rules.
The core challenge is RBAC consistency: permissions defined in the database must be correctly enforced in backend routes, reflected in frontend directives, and auditable across all three applications. A single inconsistency means either a security hole or a broken user experience.
Beyond access control, the platform includes infrastructure-level threat detection with centralized Nginx IP blocking that auto-syncs from the Laravel database, pattern-based bot detection, and automated security responses.
Hard Problems
Challenge
RBAC consistency across database, backend routes, and frontend directives — a single mismatch means either a security hole or broken UX.
Solution
RbacAuditService that parses backend routes via reflection, scans Vue files for directive usage via regex, and cross-references against database permissions to flag inconsistencies.
Challenge
Centralized IP blocking across 5 different sites running on the same server without per-app implementation.
Solution
NginxBlocklistService that auto-syncs blocked IPs from the Laravel database to nginx.conf include files and triggers a graceful reload, so blocking happens at the infrastructure level in microseconds.
Challenge
Flexible threat pattern matching that adapts to new attack vectors without code deploys.
Solution
Database-driven pattern engine supporting 4 match types (url_regex, url_contains, user_agent, rate_limit) with threat level scoring and retroactive analysis capability.
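A minimal sketch of such a pattern engine, added here as an illustration and not taken from the platform's code: the four match types are the ones named above, while the row fields, threat levels, the "N/seconds" rate format and the blocking threshold are assumptions, and the patterns and request log are constructed sample data.

```python
import re
from collections import defaultdict, deque
# Constructed pattern rows. The four match_type values are the page's; the
# column names, threat levels and "N/seconds" rate format are assumptions.
PATTERNS = [
    {"id": 1, "match_type": "url_regex", "value": r"\.(env|git)(/|$)", "threat_level": 8},
    {"id": 2, "match_type": "url_contains", "value": "/wp-login.php", "threat_level": 3},
    {"id": 3, "match_type": "user_agent", "value": "sqlmap", "threat_level": 9},
    {"id": 4, "match_type": "rate_limit", "value": "2/10", "threat_level": 5},
]
# Constructed request log (documentation-range IPs), as stored for later replay.
REQUESTS = [
    {"ts": 100, "ip": "203.0.113.7", "url": "/.env", "ua": "Mozilla/5.0"},
    {"ts": 101, "ip": "203.0.113.7", "url": "/wp-login.php", "ua": "Mozilla/5.0"},
    {"ts": 102, "ip": "198.51.100.4", "url": "/backup.sql", "ua": "sqlmap/1.7"},
    {"ts": 103, "ip": "192.0.2.10", "url": "/pricing", "ua": "Mozilla/5.0"},
    {"ts": 105, "ip": "203.0.113.7", "url": "/login", "ua": "Mozilla/5.0"},
]

def matches(pattern, req, windows):
    """True if this request trips this pattern; rate_limit keeps per-IP state."""
    kind, value = pattern["match_type"], pattern["value"]
    if kind == "url_regex":
        return re.search(value, req["url"]) is not None
    if kind == "url_contains":
        return value in req["url"]
    if kind == "user_agent":
        return value.lower() in req["ua"].lower()
    if kind == "rate_limit":
        limit, seconds = (int(n) for n in value.split("/"))
        window = windows[(pattern["id"], req["ip"])]
        window.append(req["ts"])
        while window[0] <= req["ts"] - seconds:  # drop hits outside the window
            window.popleft()
        return len(window) > limit
    raise ValueError(f"unknown match_type: {kind}")  # fail loudly on bad rows

def score_requests(requests, patterns):
    """Replay requests in time order and sum threat levels per source IP."""
    windows, scores = defaultdict(deque), defaultdict(int)
    for req in sorted(requests, key=lambda r: r["ts"]):
        for pattern in patterns:
            if matches(pattern, req, windows):
                scores[req["ip"]] += pattern["threat_level"]
    return dict(scores)

def ips_to_block(scores, threshold=10):
    """IPs whose cumulative score reaches the (assumed) blocking threshold."""
    return sorted(ip for ip, total in scores.items() if total >= threshold)
```

Retroactive analysis in this sketch is a second call to `score_requests` over the same stored requests with a newly added pattern row appended. Because regex values come from the database, they should be compiled and validated when a row is saved, not when traffic is being scored.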
Key Decisions
| Decision | Chose | Over | Because |
|---|---|---|---|
| Repository structure | Multi-repo with symlinks | Monorepo | Granular access control for freelancers — each contractor sees only their layer, not the full stack. |
| Security layer | Nginx-level blocking | Application middleware | Infrastructure defense operates in microseconds vs. milliseconds. Malicious requests never reach PHP. |
| Permission system | Database-driven RBAC | Config-file permissions | Runtime permission changes without redeployment. Critical for a platform where roles evolve weekly. |