A comprehensive, role-segregated web-based loan facilitation system built on Laravel 12 + MySQL.
RuLoans FMS is a comprehensive, web-based Loan Facilitation Management System built on Laravel 12. It provides secure, role-segregated access for the Admin, Worker, and Vendor roles. The system handles the end-to-end claim lifecycle, from data entry and Excel imports through automated payout calculations to OTP-verified admin approvals, ensuring financial accuracy, full audit trails, and strict data access control across all operational roles.

| Problem | Solution |
|---|---|
| Manual Excel-based claim tracking prone to errors | Structured DB with automated payout calculations |
| No access control — everyone sees sensitive data | Role-based column-level visibility enforced at API level |
| Payment approvals done informally, no audit trail | 6-step OTP-verified approval workflow with full history |
| Vendors have no self-service visibility | Isolated Vendor Portal with C/F balance and SMS alerts |
| No structured reporting by role | Role-aware Excel exports — profit columns hidden from Workers |

| Category | Technology | Version | Cost |
|---|---|---|---|
| Backend Framework | Laravel (PHP) | v12.x | FREE |
| Language | PHP | 8.3+ | FREE |
| Database | MySQL | 8.0+ | FREE |
| Frontend Styling | CSS3 / Tailwind / Bootstrap | As per wireframe | FREE |
| Charts | Chart.js / ApexCharts | Latest CDN | FREE |
| Excel Import/Export | Laravel Excel (Maatwebsite) | ^3.1 | FREE |
| OTP / SMS | MSG91 API | REST API | ~Rs.0.15/SMS |
| Identity Verification | DigiLocker API (MeitY) | OAuth2 | FREE (govt API) |
| Hosting | Hostinger / DigitalOcean / AWS | Shared/VPS | Rs.1,500–3,000/mo |

| Trigger | Recipient | OTP Validity | Max Attempts |
|---|---|---|---|
| Login (new device) | All Roles | 5 minutes | 3 (then 30 min block) |
| Payment Approval | Admin Only | 5 minutes | 3 (then 30 min block) |
| Add New User | Admin Only | 5 minutes | 3 (then 30 min block) |
| View Payout Reports | Vendor Only | 5 minutes | 3 |
| Password Reset | All Roles | 10 minutes | 3 |

| Field | Formula |
|---|---|
| Gross Payout | Loan Amount × Vendor Rate % |
| TDS Amount | Gross Payout × TDS % |
| Net Payout | Gross Payout − TDS Amount |
| B/F Balance | Previous month's C/F balance |
| C/F Balance | Net Payout − Paid Amount + B/F Balance |
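
The five formulas above carried through in code, as an added example that is not part of the proposal. It keeps money in integer paise and percentages in basis points (1% = 100 bp) with half-up rounding, which is an assumption of this example, not a requirement stated in the proposal; the class and function names are also the example's own.

```php
<?php
// Added example, not code from the RuLoans FMS proposal. Implements
// Gross, TDS, Net, B/F and C/F exactly as the formula table defines them.
// Assumption (this example's own): amounts are integer paise, rates are
// basis points (1% = 100 bp), so no floating-point error enters the figures.
declare(strict_types=1);

final class PayoutCalculator
{
    /** Multiply integer paise by a basis-point rate, rounding half-up. */
    private static function applyRate(int $paise, int $rateBp): int
    {
        $product = $paise * $rateBp;          // paise * bp, still an integer
        $q = intdiv($product, 10_000);        // divide out the 100 (%) * 100 (bp)
        $r = $product % 10_000;
        return $r * 2 >= 10_000 ? $q + 1 : $q;
    }

    /**
     * @param int $loanPaise    Loan Amount
     * @param int $vendorRateBp Vendor Rate % in basis points
     * @param int $tdsBp        TDS % in basis points
     * @param int $paidPaise    amount actually paid this month
     * @param int $bfPaise      B/F Balance = previous month's C/F (may be negative if overpaid)
     * @return array<string,int> gross, tds, net, bf, cf in paise
     */
    public static function compute(int $loanPaise, int $vendorRateBp, int $tdsBp, int $paidPaise, int $bfPaise): array
    {
        foreach ([$loanPaise, $vendorRateBp, $tdsBp, $paidPaise] as $v) {
            if ($v < 0) {
                throw new InvalidArgumentException('loan, rates and paid amount must be non-negative');
            }
        }
        $gross = self::applyRate($loanPaise, $vendorRateBp); // Gross Payout = Loan Amount x Vendor Rate %
        $tds   = self::applyRate($gross, $tdsBp);            // TDS Amount   = Gross Payout x TDS %
        $net   = $gross - $tds;                              // Net Payout   = Gross Payout - TDS Amount
        $cf    = $net - $paidPaise + $bfPaise;               // C/F Balance  = Net Payout - Paid Amount + B/F Balance
        return ['gross' => $gross, 'tds' => $tds, 'net' => $net, 'bf' => $bfPaise, 'cf' => $cf];
    }
}

/** Render integer paise as a rupee string for display. */
function rupees(int $paise): string
{
    $abs = abs($paise);
    return sprintf('%sRs.%d.%02d', $paise < 0 ? '-' : '', intdiv($abs, 100), $abs % 100);
}

// Constructed sample: two consecutive months for one vendor.
// Month 1: loan Rs.10,00,000 at a 1.25% vendor rate, 5% TDS, Rs.10,000 paid, no B/F.
$m1 = PayoutCalculator::compute(100_000_000, 125, 500, 1_000_000, 0);
// Month 2: loan Rs.8,00,000, same rates, Rs.10,000 paid; B/F is month 1's C/F.
$m2 = PayoutCalculator::compute(80_000_000, 125, 500, 1_000_000, $m1['cf']);

foreach (['Month 1' => $m1, 'Month 2' => $m2] as $label => $row) {
    printf("%s: gross %s, TDS %s, net %s, B/F %s, C/F %s\n", $label,
        rupees($row['gross']), rupees($row['tds']), rupees($row['net']), rupees($row['bf']), rupees($row['cf']));
}
```

With these constructed inputs month 1 yields a net payout of Rs.11,875 and a C/F of Rs.1,875, which is then fed in as month 2's B/F; the carry-forward is the only place a negative value can legitimately appear (an overpayment), which is why B/F is exempt from the non-negative check.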

| Step | Actor | Action |
|---|---|---|
| 1 — Calculate | Worker | Selects vendor and month, enters TDS%, reviews Gross/Net payout, enters paid amount |
| 2 — Submit | Worker | Clicks 'Request Payment Approval'. PaymentRequest created with status = PENDING and full payout snapshot |
| 3 — Notify | System | Admin receives notification badge on dashboard. Optional MSG91 SMS alert sent to Admin mobile |
| 4 — Review | Admin | Opens request, reviews all amounts (Gross, TDS, B/F, Net Payout) and full claim breakdown |
| 5 — Approve + OTP | Admin | Clicks Approve. MSG91 OTP triggered to Admin phone. Admin enters 6-digit OTP (3 attempts, 5 min expiry) |
| 6 — Approved | System | Status updated to APPROVED. C/F balance saved. Vendor notified instantly via MSG91 SMS with approved amount details |
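
The OTP policy table and steps 5 to 6 of the workflow above, modelled together as an added example that is not code from the proposal. It is plain PHP with no Laravel dependency: in-memory arrays stand in for the database tables, a callback stands in for the MSG91 gateway, and the pepper value is a constructed placeholder for a secret that would live in the environment. Every class, method and enum name is the example's own.

```php
<?php
// Added example, not code from the RuLoans FMS proposal. Models the OTP policy
// (per-purpose validity, 3 attempts, 30-minute block, purpose-bound so an
// approval OTP cannot be replayed for login) and the PENDING -> APPROVED
// transition that is only reachable through a verified approval OTP.
declare(strict_types=1);

enum OtpPurpose: string
{
    case Login = 'login';
    case PaymentApproval = 'payment_approval';
    case AddUser = 'add_user';
    case ViewPayoutReports = 'view_payout_reports';
    case PasswordReset = 'password_reset';

    /** Validity in seconds from the policy table: 10 minutes for password reset, 5 minutes otherwise. */
    public function ttl(): int { return $this === self::PasswordReset ? 600 : 300; }

    /** Purposes whose third failed attempt triggers the 30-minute block. */
    public function locksOut(): bool { return in_array($this, [self::Login, self::PaymentApproval, self::AddUser], true); }
}

final class OtpService
{
    private const MAX_ATTEMPTS = 3;
    private const LOCKOUT_SECONDS = 1800;
    private array $challenges = [];   // key => ['hash' => ..., 'expires' => ..., 'attempts' => ...]
    private array $lockedUntil = [];  // key => unix time the block ends

    // $pepper is a constructed placeholder; in a deployment it comes from config/.env, never the DB.
    public function __construct(private string $pepper, private Closure $sendSms, private Closure $now) {}

    /** user + purpose + subject: the binding that stops a code issued for one purpose verifying another. */
    private function key(int $userId, OtpPurpose $p, string $subject): string
    {
        return "$userId|{$p->value}|$subject";
    }

    public function issue(int $userId, string $mobile, OtpPurpose $purpose, string $subject = ''): void
    {
        $key = $this->key($userId, $purpose, $subject);
        $now = ($this->now)();
        if (($this->lockedUntil[$key] ?? 0) > $now) {
            throw new RuntimeException('too many failed attempts; blocked for 30 minutes');
        }
        $code = sprintf('%06d', random_int(0, 999999)); // 6-digit code from the CSPRNG
        $this->challenges[$key] = [
            'hash'     => hash_hmac('sha256', "$key:$code", $this->pepper), // store only a keyed hash
            'expires'  => $now + $purpose->ttl(),
            'attempts' => 0,
        ];
        ($this->sendSms)($mobile, "RuLoans OTP for {$purpose->value}: $code");
    }

    public function verify(int $userId, OtpPurpose $purpose, string $subject, string $code): bool
    {
        $key = $this->key($userId, $purpose, $subject);
        $now = ($this->now)();
        $c = $this->challenges[$key] ?? null;
        if (($this->lockedUntil[$key] ?? 0) > $now || $c === null) {
            return false;
        }
        if ($c['expires'] < $now) {
            unset($this->challenges[$key]); // expired codes are discarded, not retried
            return false;
        }
        if (hash_equals($c['hash'], hash_hmac('sha256', "$key:$code", $this->pepper))) {
            unset($this->challenges[$key]); // single use
            return true;
        }
        if (++$this->challenges[$key]['attempts'] >= self::MAX_ATTEMPTS) {
            unset($this->challenges[$key]);
            if ($purpose->locksOut()) {
                $this->lockedUntil[$key] = $now + self::LOCKOUT_SECONDS;
            }
        }
        return false;
    }
}

final class PaymentRequest
{
    public string $status = 'PENDING';

    /** @param array<string,int> $snapshot payout figures frozen at submission (step 2) */
    public function __construct(public int $id, public array $snapshot) {}

    /** Steps 5-6: the status change cannot happen without a verified approval OTP for this request id. */
    public function approve(OtpService $otp, int $adminId, string $code): void
    {
        if ($this->status !== 'PENDING') {
            throw new LogicException("request {$this->id} is already {$this->status}");
        }
        if (!$otp->verify($adminId, OtpPurpose::PaymentApproval, (string) $this->id, $code)) {
            throw new RuntimeException('OTP verification failed');
        }
        $this->status = 'APPROVED';
    }
}

// Constructed walk-through: fake clock, fake SMS gateway, admin user 1, request 42.
$clock = 1_700_000_000;
$sms = [];
$otp = new OtpService('pepper-from-env', function (string $to, string $text) use (&$sms) { $sms[] = $text; }, fn () => $clock);
$req = new PaymentRequest(42, ['gross' => 1_250_000, 'tds' => 62_500, 'net' => 1_187_500, 'cf' => 187_500]);
$otp->issue(1, '+91-XXXXXXXXXX', OtpPurpose::PaymentApproval, (string) $req->id);
$code = substr($sms[0], -6);                              // what the admin reads off the SMS
$otp->verify(1, OtpPurpose::Login, '', $code);            // a different purpose never matches, even with the right code
$req->approve($otp, 1, $code);
echo "request {$req->id} is now {$req->status}\n";
```

Two design points carried over from the policy: the challenge key includes the request id, so an OTP issued for one PaymentRequest cannot approve another, and only a keyed hash of the code is stored, so a read of the `otp` table does not hand out live codes. The view-reports and password-reset purposes exhaust their three attempts without the 30-minute block, matching the table.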

| Area | Implementation |
|---|---|
| SQL Injection | Always use Laravel Eloquent ORM or query builder with parameter binding — never raw user input in SQL strings |
| XSS | All output in Blade templates uses {{ }} (auto-escaped). Use {!! !!} only for trusted admin-generated content |
| CSRF | All forms include the `@csrf` Blade directive — Laravel CSRF middleware enabled globally |
| Column-Level Security | Sensitive payout columns stripped at Laravel API Resource level — never included in Worker/Vendor responses regardless of frontend state |
| OTP Security | 3-attempt limit, 5-minute expiry, 30-minute lockout, purpose-specific (cannot reuse approval OTP for login) |
| HTTPS | Force HTTPS in production via AppServiceProvider boot() and web server config. SSL certificate mandatory |
| Rate Limiting | Login: 5 attempts per 15 minutes. OTP: 3 attempts per 30 minutes. All API routes: 60 requests per minute |
| Audit Trail | Every create/update/delete/status-change logged via Spatie ActivityLog with user ID, IP, before/after values |
| Vendor Isolation | Laravel Gate and Policy classes ensure Vendors can only query their own vendor_id. All queries scoped with where vendor_id = auth()->user()->vendor->id |
| Session Security | SESSION_SECURE_COOKIE=true in production. SameSite=strict. 30-min inactivity auto-logout |
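
The Column-Level Security and Vendor Isolation rows above, as an added Laravel 12 example that is not the project's own code. The vendor restriction is applied here as an Eloquent global scope (so the `where vendor_id = ...` clause is appended to every Claim query automatically) alongside the Gate/Policy checks the proposal names, and the column stripping is done in an API Resource with `mergeWhen`, which omits the keys entirely rather than sending them as null. Assumed, not from the proposal: a `claims` table with a `vendor_id` column, a `users.role` column holding `admin`, `worker` or `vendor`, a `vendor()` relation on `User`, and the names `company_profit` and `bank_rate` for the profit columns that must never reach Workers or Vendors.

```php
<?php
// Added example, not code from the RuLoans FMS proposal. Three classes that
// would normally sit in three files under app/; shown in one file here.
// Assumed schema: claims.vendor_id, users.role ('admin'|'worker'|'vendor'),
// User::vendor() relation, and profit columns company_profit / bank_rate.

namespace App\Models\Scopes;

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Scope;

/** Vendor isolation: every Claim query run by a vendor user is narrowed to that vendor's rows. */
final class VendorScope implements Scope
{
    public function apply(Builder $builder, Model $model): void
    {
        $user = auth()->user();
        if ($user === null || $user->role !== 'vendor') {
            return; // admin and worker queries are governed by Gates/Policies, not narrowed here
        }
        // Qualified column so a join cannot make it ambiguous; a vendor user with no
        // vendor record matches nothing (-1) rather than everything.
        $builder->where($model->qualifyColumn('vendor_id'), $user->vendor?->id ?? -1);
    }
}

namespace App\Models;

use App\Models\Scopes\VendorScope;
use Illuminate\Database\Eloquent\Attributes\ScopedBy;
use Illuminate\Database\Eloquent\Model;

#[ScopedBy(VendorScope::class)] // applied to every query, including exports and reports
class Claim extends Model
{
    protected $fillable = [
        'vendor_id', 'loan_amount', 'vendor_rate', 'tds_pct', 'gross_payout', 'tds_amount',
        'net_payout', 'paid_amount', 'cf_balance', 'company_profit', 'bank_rate',
    ];
}

namespace App\Http\Resources;

use Illuminate\Http\Request;
use Illuminate\Http\Resources\Json\JsonResource;

/** Column-level security: the profit keys exist in the JSON only for admins, whatever the UI asked for. */
class ClaimResource extends JsonResource
{
    public function toArray(Request $request): array
    {
        $isAdmin = $request->user()?->role === 'admin';

        return [
            'id'           => $this->id,
            'vendor_id'    => $this->vendor_id,
            'loan_amount'  => $this->loan_amount,
            'gross_payout' => $this->gross_payout,
            'tds_amount'   => $this->tds_amount,
            'net_payout'   => $this->net_payout,
            'paid_amount'  => $this->paid_amount,
            'cf_balance'   => $this->cf_balance,
            // mergeWhen drops these keys altogether when $isAdmin is false.
            $this->mergeWhen($isAdmin, [
                'company_profit' => $this->company_profit,
                'bank_rate'      => $this->bank_rate,
            ]),
        ];
    }
}
```

Returning `ClaimResource::collection(Claim::query()->paginate())` from a controller then gives a Vendor only their own claims and neither Vendor nor Worker the profit keys; because both rules live below the controller, a hand-crafted request or a modified frontend cannot widen the response. The Excel export path should build from the same resource (or the same scoped query) so the role-aware report rule in the first table is enforced by one piece of code rather than two.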

1. Server setup, Laravel 12 install, MySQL schema migration, Blade/Stitch theme, 12+ screens as static views
2. Login, OTP via MSG91, role middleware, route guards, session management, user CRUD with OTP
3. Claims CRUD, Book3.xlsx import, payout formula engine, TDS/B/F/C/F balance logic, column visibility enforcement
4. 6-step payment request workflow, MSG91 OTP integration, admin approve/reject cycle, SMS notifications, audit trail
5. Role-based Excel/PDF exports, vendor portal isolation, QA testing, production deployment
6. DigiLocker OAuth2 eKYC (Aadhaar/PAN), MeitY-approved flow, partner portal registration

| # | Phase | Deliverables | Amount | % Share |
|---|---|---|---|---|
| 01 | Setup & UI Implementation | Server setup, Laravel install, DB architecture, 12+ screens UI | Rs. 4,000 | 16.7% |
| 02 | Authentication & Roles | Secure login, RBAC (Admin/Worker/Vendor), visibility logic | Rs. 3,000 | 12.5% |
| 03 | Core Financial Logic | Claims, Book3.xlsx parser, payout calculation, TDS/B/F/C/F logic | Rs. 6,000 | 25% |
| 04 | Approval & OTP Flow | 6-step workflow, admin review/approve cycle, MSG91 OTP, notifications | Rs. 4,000 | 16.7% |
| 05 | Reporting & Launch | Role-based reports/exports, vendor portal polish, QA, deployment | Rs. 3,000 | 12.5% |
| 06 | DigiLocker Integration | DigiLocker OAuth2 eKYC (Aadhaar/PAN), MeitY-approved flow | Rs. 4,000 | 16.7% |

Please read the proposal carefully, then sign below to confirm your acceptance.