DEV Community: ABIN RAJ The latest articles on DEV Community by ABIN RAJ (@abin_raj_cc3eb22152ca590c). https://dev.to/abin_raj_cc3eb22152ca590c https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3965011%2F56dd04f9-ff21-4dd5-9185-2af37651f45f.png DEV Community: ABIN RAJ https://dev.to/abin_raj_cc3eb22152ca590c en How we built role-based access control and offline-first PWA sync for a multi-tenant pharmacy SaaS in Next.js ABIN RAJ Fri, 05 Jun 2026 07:57:06 +0000 https://dev.to/abin_raj_cc3eb22152ca590c/how-we-built-role-based-access-control-and-offline-first-pwa-sync-for-a-multi-tenant-pharmacy-saas-mbn https://dev.to/abin_raj_cc3eb22152ca590c/how-we-built-role-based-access-control-and-offline-first-pwa-sync-for-a-multi-tenant-pharmacy-saas-mbn <p>When we started building <a href="https://www.medexpiry.com" rel="noopener noreferrer">MedExpiry</a> — a PWA pharmacy inventory management SaaS — two architectural problems showed up early and refused to go away:</p> <ol> <li>How do you enforce role-based access across a genuinely multi-tiered user hierarchy without a database call on every request?</li> <li>How do you handle offline data in a domain where stale information has real-world consequences?</li> </ol> <p>This post is about how we thought through both problems. No silver bullets — just the decisions, the tradeoffs, and what we'd do differently.</p> <h2> The role hierarchy we had to model </h2> <p>Pharmacy organizations aren't flat. A pharmacy chain has a corporate owner overseeing multiple branches. Each branch has a manager. Each manager oversees pharmacists and support staff. Our role model had to reflect that reality:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>super_admin → platform operator account_admin → manages a pharmacy chain shop_owner/Admin → manages a single branch Employee → limited access, expiry tracking only </code></pre> </div> <p>Each role lives in a completely separate namespace — different routes, different data, different offline stores. The core requirement was hard isolation: a shop_owner from one pharmacy must never touch data from another, even accidentally.</p> <h2> Middleware: the first gate </h2> <p>Next.js middleware runs at the edge before any page renders. We use it for coarse-grained routing enforcement — no React, no database, just a JWT read and a redirect decision.</p> <p>The pattern looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Map of base paths to roles that can access them</span> <span class="kd">const</span> <span class="nx">PATH_ROLE_MAP</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">/pharmacyadmin</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">account_admin</span><span class="dl">'</span><span class="p">],</span> <span class="dl">'</span><span class="s1">/shopadmin</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">shop_owner</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Admin</span><span class="dl">'</span><span class="p">],</span> <span class="dl">'</span><span class="s1">/employees</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">Employee</span><span class="dl">'</span><span class="p">],</span> <span class="p">};</span> <span class="c1">// Where each role lands after login</span> <span class="kd">const</span> <span class="nx">ROLE_DEFAULT_PATHS</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">account_admin</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/pharmacyadmin</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">shop_owner</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/shopadmin</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Employee</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/employees</span><span class="dl">'</span><span class="p">,</span> <span class="p">};</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">token</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="k">return</span> <span class="nf">redirectTo</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nf">decodeJWT</span><span class="p">(</span><span class="nx">token</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">payload</span><span class="p">?.</span><span class="nx">role</span><span class="p">)</span> <span class="k">return</span> <span class="nf">redirectTo</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">);</span> <span class="c1">// Root path → send to role's home</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">redirectTo</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">ROLE_DEFAULT_PATHS</span><span class="p">[</span><span class="nx">payload</span><span class="p">.</span><span class="nx">role</span><span class="p">]</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Check if role is allowed on this path</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="p">[</span><span class="nx">path</span><span class="p">,</span> <span class="nx">allowedRoles</span><span class="p">]</span> <span class="k">of</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">entries</span><span class="p">(</span><span class="nx">PATH_ROLE_MAP</span><span class="p">))</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">nextUrl</span><span class="p">.</span><span class="nx">pathname</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="nx">path</span><span class="p">))</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">allowedRoles</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">payload</span><span class="p">.</span><span class="nx">role</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">redirectTo</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">ROLE_DEFAULT_PATHS</span><span class="p">[</span><span class="nx">payload</span><span class="p">.</span><span class="nx">role</span><span class="p">]</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">break</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <p>The key decision here: role comes from the JWT, not the database. No async DB call, no latency, no failure mode at the gate. The tradeoff is that role changes don't take effect until the token expires — for a pharmacy SaaS, that's acceptable.</p> <h2> The harder problem: role-scoped offline caching </h2> <p>← <a href="https://www.medexpiry.com" rel="noopener noreferrer">MedExpiry</a> is a PWA, so it has to work without a connection. That's where the real complexity lives.</p> <p>The service worker needs to know the current role — and cache only what that role is allowed to see. We solved this by giving every role its own isolated cache namespace:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Each role gets completely separate caches</span> <span class="kd">const</span> <span class="nx">getRoleCacheNames</span> <span class="o">=</span> <span class="p">(</span><span class="nx">role</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">api</span><span class="p">:</span> <span class="s2">`myapp-api-</span><span class="p">${</span><span class="nx">role</span><span class="p">}</span><span class="s2">-v1`</span><span class="p">,</span> <span class="na">pages</span><span class="p">:</span> <span class="s2">`myapp-pages-</span><span class="p">${</span><span class="nx">role</span><span class="p">}</span><span class="s2">-v1`</span><span class="p">,</span> <span class="na">db</span><span class="p">:</span> <span class="s2">`offlineQueue-</span><span class="p">${</span><span class="nx">role</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>And each role has a config object that declares exactly what it's allowed to cache:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">ROLE_CONFIG</span> <span class="o">=</span> <span class="p">{</span> <span class="na">shop_owner</span><span class="p">:</span> <span class="p">{</span> <span class="na">cachedEndpoints</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">/api/inventory</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/api/bills</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/api/expiry</span><span class="dl">'</span><span class="p">],</span> <span class="na">cachedPages</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">/shopadmin</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/shopadmin/inventory</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/shopadmin/expiry</span><span class="dl">'</span><span class="p">],</span> <span class="na">offlineQueues</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">pendingInventory</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">pendingExpiry</span><span class="dl">'</span><span class="p">],</span> <span class="p">},</span> <span class="na">Employee</span><span class="p">:</span> <span class="p">{</span> <span class="na">cachedEndpoints</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">/api/expiry</span><span class="dl">'</span><span class="p">],</span> <span class="na">cachedPages</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">/employees/expiry</span><span class="dl">'</span><span class="p">],</span> <span class="na">offlineQueues</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">pendingExpiry</span><span class="dl">'</span><span class="p">],</span> <span class="p">},</span> <span class="c1">// other roles follow the same pattern</span> <span class="p">};</span> </code></pre> </div> <p>An Employee caches one endpoint and one page. A shop_owner caches their full inventory and billing data. The configs are completely separate — no shared state between roles or tenants.</p> <p>When a user logs in, the service worker receives their role via a <code>postMessage</code>, clears all other role caches, and sets up only the current role's data. On logout, every role cache is wiped — not just the current one. A new user on the same device always starts clean.</p> <h2> Offline POST handling: queue first, sync later </h2> <p>When a pharmacist adds inventory or logs an expired product while offline, we intercept the POST in the service worker, store it in IndexedDB, and return a success response immediately so the user can keep working:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Service worker POST handler (simplified)</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nf">clone</span><span class="p">());</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Network failed</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="nx">response</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">_</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Offline: queue the request</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">request</span><span class="p">.</span><span class="nf">clone</span><span class="p">().</span><span class="nf">json</span><span class="p">();</span> <span class="k">await</span> <span class="nf">storeInQueue</span><span class="p">(</span><span class="nx">offlineStore</span><span class="p">,</span> <span class="nx">requestUrl</span><span class="p">,</span> <span class="nx">data</span><span class="p">);</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">Response</span><span class="p">(</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">offline</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Saved offline. Will sync when back online.</span><span class="dl">'</span><span class="p">,</span> <span class="p">}),</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">200</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p>When connectivity returns, the <code>online</code> event fires and sync runs automatically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nb">self</span><span class="p">.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">online</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">pending</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getAllPendingItems</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="nx">pending</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">)</span> <span class="k">await</span> <span class="nf">syncAll</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <p>No polling, no recurring timer. The browser fires <code>online</code> reliably — we trust it.</p> <h2> The data integrity decision </h2> <p>Early on we considered a simple "serve cache indefinitely while offline" approach. The problem: pharmacy stock data has real-world consequences if it's stale. A pharmacist dispensing medicine based on old inventory could miss an expiry flag or over-dispense.</p> <p>Our solution was to timestamp every cached API response and treat anything older than one hour as expired:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">age</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">-</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">cachedResponse</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">cached-at</span><span class="dl">'</span><span class="p">),</span> <span class="mi">10</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">age</span> <span class="o">&gt;</span> <span class="mi">3</span><span class="nx">_600_000</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Don't serve silently stale data — tell the user to reconnect</span> <span class="k">return</span> <span class="nf">errorResponse</span><span class="p">(</span><span class="dl">'</span><span class="s1">Cached data expired. Please reconnect.</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">cachedResponse</span><span class="p">;</span> </code></pre> </div> <p>Serving stale pharmacy data silently felt like the wrong tradeoff. An honest error is safer than confident but wrong inventory counts. The 1-hour TTL was a product decision, not a technical one — what's your domain's tolerance?</p> <h2> Three things we'd do differently </h2> <p><strong>Define a permission matrix early.</strong> We started with roles hardcoded into route arrays. As the app grew, changing one permission meant touching five files. A <code>{ action: [roles] }</code> map would have scaled much better from the start.</p> <p><strong>Design the service worker config as pure data.</strong> Our <code>ROLE_CONFIG</code> object means adding a new role is a one-line change. We didn't design it that way from day one — we refactored into it. Start there.</p> <p><strong>Decide your cache TTL before you write a line of code.</strong> It sounds like a detail. It shapes everything about how your offline UX feels and how much you can trust the data your UI shows.</p> <p>If you're building in healthtech or have handled role-scoped offline sync differently, I'd genuinely like to hear your approach in the comments.</p> <p>We're currently in free beta at <a href="https://www.medexpiry.com" rel="noopener noreferrer">medexpiry.com</a> — a PWA pharmacy inventory SaaS with the architecture described above running in production. All feedback welcome.</p> nextjs javascript webdev saas