DEV Community: CsharpDeveloper

SellMatik — Privacy Policy

CsharpDeveloper — Sun, 22 Mar 2026 21:20:06 +0000

SellMatik is a Chrome browser extension that analyzes product pages on Trendyol. This privacy policy explains how SellMatik handles user data.

Last updated: March 23, 2026

## Data Collection

SellMatik does NOT collect, transmit, or store any personal data on external servers.

All data processing happens entirely within your browser. No information is sent to any third-party service, analytics platform, or external server.

## Data Usage

SellMatik accesses the following data locally in your browser only:

### Product Page Data

Product name, price, ratings, and review count
Seller information and competitor seller listings
Favorite count and category information
Product images (displayed within the extension panel)

This data is read from publicly visible content on Trendyol product pages that you visit.

### Search Results
SellMatik performs searches on Trendyol to find competing product listings. These searches are made directly from your browser to Trendyol, with no intermediary server.

### Locally Stored Data
Using Chrome's built-in Storage API, SellMatik stores:

Your preferred commission rate and supplier cost settings
Products you manually choose to save
Extension enabled/disabled preference

This data is stored locally in your browser's Chrome Storage and is never transmitted externally.

## Data Sharing

SellMatik does NOT:

Sell or transfer user data to third parties
Collect personally identifiable information
Use analytics or tracking tools
Send data to external servers
Use cookies or tracking pixels
Access browsing history beyond the active Trendyol page

## Permissions

SellMatik requires the following browser permissions:

activeTab: To read product information from the Trendyol page you are currently viewing
storage: To save your preferences and saved products locally
Host permission (trendyol.com): To run the analysis script on Trendyol product pages and search for competing listings

## Changes to This Policy

If we make changes to this privacy policy, we will update the "Last updated" date above.

## Contact

If you have questions about this privacy policy, please leave a review on the Chrome Web Store listing.

I Built a Chrome Extension That Translates Text Instantly — LinguaSnap

CsharpDeveloper — Fri, 20 Mar 2026 20:24:10 +0000

I got tired of copying text, opening Google Translate, pasting, and going back. So I built LinguaSnap — a Chrome extension that translates selected text instantly, right where you are.

How It Works

Select any text on any webpage
A tooltip appears below with the translation
That's it. No popups, no new tabs, no complicated settings.

Why I Built This

I read a lot of English documentation and articles. Every time I hit a word or sentence I didn't understand, the workflow was:

Select text → Copy → Open new tab → Go to Google Translate → Paste → Read → Go back

That's 6 steps for a simple translation. With LinguaSnap it's:

Select text → Read translation

Two steps. The translation appears right below your selection in a clean tooltip.

Features

Instant tooltip translation — select text, see translation immediately
17+ languages — English, Turkish, German, French, Spanish, Italian, Portuguese, Russian, Japanese, Korean, Chinese, Arabic, Hindi, and more
Auto-detect source language — no need to specify what language you're translating from
Listen to pronunciation — click the speaker icon to hear the translation spoken aloud
Save to vocabulary — build your personal word list while browsing
Translation history — access your last 100 translations
Export vocabulary — download your saved words as CSV
Right-click translate — context menu integration
Copy with one click — click the translation to copy it
Dark theme — clean, modern UI that doesn't distract
Enable/disable toggle — turn it off when you don't need it

The Tech

It's a simple Chrome Extension (Manifest V3):

Content Script — injects the tooltip UI into web pages
Background Service Worker — handles API calls to avoid CORS issues
Popup — settings, manual translation, history, and vocabulary tabs
Chrome Storage API — saves preferences and vocabulary locally

The translation API is MyMemory (free), which provides decent translations for most languages.

What I Learned

1. Content scripts can't make API calls directly — CORS blocks them. The solution is to send a message to the background service worker, make the API call there, and send the result back.

// content.js — send to background
chrome.runtime.sendMessage(
  { action: 'translate', text, targetLang },
  (response) => {
    if (response.success) showTranslation(response.translation);
  }
);

// background.js — handle and respond
chrome.runtime.onMessage.addListener((request, sender, sendResponse) => {
  if (request.action === 'translate') {
    fetch(`https://api.mymemory.translated.net/get?q=${encodeURIComponent(request.text)}&langpair=autodetect|${request.targetLang}`)
      .then(r => r.json())
      .then(data => sendResponse({ success: true, translation: data.responseData.translatedText }))
      .catch(() => sendResponse({ success: false }));
    return true; // Keep channel open for async
  }
});

2. Tooltip positioning is tricky — you need to handle viewport edges, scrolling, and the case where the tooltip would go off-screen.

3. Chrome Web Store review takes time — my first submission took about a week. Use activeTab instead of broad host permissions to speed up the review process.

Try It

LinguaSnap is free on the Chrome Web Store:

Install LinguaSnap →

Select any text on any webpage and see the translation instantly.

What tools do you use for quick translations while browsing? Let me know in the comments.

JWT Refresh Token Rotation in .NET — Why Your Auth is Probably Broken

CsharpDeveloper — Sun, 15 Mar 2026 20:58:55 +0000

Most JWT implementations I see in .NET projects have the same problem: the refresh token never changes. Once issued, it sits in the database (or worse, in a cookie) forever until it expires.

This is a security hole. Here's why, and how to fix it with refresh token rotation.

The Problem

Standard JWT flow:

1. User logs in → gets access token (15 min) + refresh token (7 days)
2. Access token expires
3. Client sends refresh token → gets new access token
4. Same refresh token is reused for 7 days

What happens if someone steals the refresh token on day 1? They have 7 full days of access to the account. The real user has no idea.

The Fix: Token Rotation

With rotation, every time a refresh token is used, it's revoked and replaced with a new one:

1. User logs in → access token + refresh token A
2. Access token expires
3. Client sends refresh token A → gets new access token + refresh token B
4. Refresh token A is now dead
5. If anyone tries to use refresh token A again → ALERT, revoke everything

Step 5 is the key. If a stolen token is used after the legitimate user already rotated it, the system knows something is wrong.

Implementation in .NET

The Entity

public class RefreshToken
{
    public Guid Id { get; set; } = Guid.NewGuid();
    public string Token { get; set; }
    public DateTime ExpiresAt { get; set; }
    public bool IsRevoked { get; set; }
    public DateTime? RevokedAt { get; set; }
    public string? ReplacedByToken { get; set; }
    public Guid UserId { get; set; }
    public ApplicationUser User { get; set; }

    public bool IsExpired => DateTime.UtcNow >= ExpiresAt;
    public bool IsActive => !IsRevoked && !IsExpired;
}

Notice the ReplacedByToken field — this creates a chain. When a token is rotated, we record which token replaced it. This lets us trace the entire token lineage if something goes wrong.

The Token Service

public class TokenService : ITokenService
{
    private readonly IConfiguration _config;
    private readonly ApplicationDbContext _context;

    public string GenerateAccessToken(ApplicationUser user,
        IList<string> roles, Guid? tenantId)
    {
        var claims = new List<Claim>
        {
            new(ClaimTypes.NameIdentifier, user.Id.ToString()),
            new(ClaimTypes.Email, user.Email!),
            new("tenant_id", tenantId?.ToString() ?? "")
        };

        foreach (var role in roles)
            claims.Add(new Claim(ClaimTypes.Role, role));

        var key = new SymmetricSecurityKey(
            Encoding.UTF8.GetBytes(_config["JwtSettings:Secret"]!));

        var token = new JwtSecurityToken(
            issuer: _config["JwtSettings:Issuer"],
            audience: _config["JwtSettings:Audience"],
            claims: claims,
            expires: DateTime.UtcNow.AddMinutes(15),
            signingCredentials: new SigningCredentials(
                key, SecurityAlgorithms.HmacSha256));

        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    public async Task<RefreshToken> GenerateRefreshTokenAsync(
        Guid userId, CancellationToken ct = default)
    {
        var refreshToken = new RefreshToken
        {
            Token = Convert.ToBase64String(
                RandomNumberGenerator.GetBytes(64)),
            ExpiresAt = DateTime.UtcNow.AddDays(7),
            UserId = userId
        };

        _context.RefreshTokens.Add(refreshToken);
        await _context.SaveChangesAsync(ct);
        return refreshToken;
    }

    public async Task RevokeRefreshTokenAsync(
        string token, string? replacedByToken = null,
        CancellationToken ct = default)
    {
        var refreshToken = await _context.RefreshTokens
            .FirstOrDefaultAsync(t => t.Token == token, ct);

        if (refreshToken != null)
        {
            refreshToken.IsRevoked = true;
            refreshToken.RevokedAt = DateTime.UtcNow;
            refreshToken.ReplacedByToken = replacedByToken;
            await _context.SaveChangesAsync(ct);
        }
    }
}

The Rotation Flow

public class RefreshTokenCommandHandler
    : IRequestHandler<RefreshTokenCommand, Result<TokenResponse>>
{
    private readonly ITokenService _tokenService;
    private readonly UserManager<ApplicationUser> _userManager;

    public async Task<Result<TokenResponse>> Handle(
        RefreshTokenCommand request, CancellationToken ct)
    {
        // 1. Validate the incoming refresh token
        var existingToken = await _tokenService
            .ValidateRefreshTokenAsync(request.Token, ct);

        if (existingToken == null)
            return Result<TokenResponse>
                .Failure("Invalid or expired refresh token.");

        // 2. Find the user
        var user = await _userManager
            .FindByIdAsync(existingToken.UserId.ToString());

        if (user == null || !user.IsActive)
            return Result<TokenResponse>
                .Failure("User not found or deactivated.");

        // 3. Generate NEW refresh token
        var newRefreshToken = await _tokenService
            .GenerateRefreshTokenAsync(user.Id, ct);

        // 4. Revoke the OLD token and link to new one
        await _tokenService.RevokeRefreshTokenAsync(
            request.Token, newRefreshToken.Token, ct);

        // 5. Generate new access token
        var roles = await _userManager.GetRolesAsync(user);
        var accessToken = _tokenService
            .GenerateAccessToken(user, roles, user.TenantId);

        return Result<TokenResponse>.Success(new TokenResponse
        {
            AccessToken = accessToken,
            RefreshToken = newRefreshToken.Token,
            ExpiresAt = DateTime.UtcNow.AddMinutes(15)
        });
    }
}

The critical part is step 4 — the old token is revoked and linked to the new one via ReplacedByToken.

Detecting Token Theft

If someone tries to use a revoked token, you know it's been stolen. You can then revoke the entire token family:

public async Task<RefreshToken?> ValidateRefreshTokenAsync(
    string token, CancellationToken ct = default)
{
    var refreshToken = await _context.RefreshTokens
        .FirstOrDefaultAsync(
            t => t.Token == token &&
            !t.IsRevoked &&
            t.ExpiresAt > DateTime.UtcNow, ct);

    return refreshToken;
}

If the token is revoked but someone tries to use it → the legitimate token was already rotated → someone has the old token → compromise detected.

The Complete Auth Flow

POST /api/auth/register
  → Creates user, tenant, free trial subscription
  → Returns access token + refresh token

POST /api/auth/login
  → Validates credentials
  → Returns access token + refresh token

POST /api/auth/refresh
  → Validates refresh token
  → Revokes old token
  → Issues new access token + new refresh token
  → Links old → new token

POST /api/auth/forgot-password
  → Generates reset token
  → Sends email (doesn't reveal if user exists)

POST /api/auth/reset-password
  → Validates reset token
  → Updates password

GET /api/auth/me
  → Returns current user from JWT claims

Configuration

{
  "JwtSettings": {
    "Secret": "your-256-bit-secret-key-min-32-chars",
    "Issuer": "YourApp",
    "Audience": "YourApp.Client",
    "AccessTokenExpirationMinutes": 15,
    "RefreshTokenExpirationDays": 7
  }
}

Access token: 15 minutes — short enough that a stolen token has limited damage.

Refresh token: 7 days — long enough for good UX, but rotated on every use.

Common Mistakes

1. Storing refresh tokens in localStorage — Use httpOnly cookies instead. localStorage is accessible to any JavaScript on the page (XSS vulnerability).

2. Not setting ClockSkew to zero:

options.TokenValidationParameters = new TokenValidationParameters
{
    ClockSkew = TimeSpan.Zero // Default is 5 minutes!
};

Without this, expired tokens are valid for an extra 5 minutes.

3. Using the same secret in all environments — Dev, staging, and production should all have different JWT secrets.

4. Not revoking all tokens on password change — When a user changes their password, invalidate all existing refresh tokens.

Try It Out

I built a complete SaaS boilerplate that includes this auth system, plus multi-tenancy, Stripe billing, Clean Architecture with CQRS, and more.

SaaS Kit on Gumroad →

The auth system is production-ready with proper token rotation, role-based access, and password reset flow — all wired up and tested.

How do you handle refresh tokens in your .NET projects? Let me know in the comments.

How to Build a Chrome Extension with Manifest V3 — Complete Guide

CsharpDeveloper — Sun, 15 Mar 2026 20:54:59 +0000

Chrome extensions are one of the easiest ways to build a product that reaches millions of users. And with Manifest V3, Google has made the platform more secure and performant.

Here's everything you need to know to build your first Chrome extension.

Project Structure

A Chrome extension has 4 main parts:

my-extension/
├── manifest.json          # Config file (the brain)
├── background/
│   └── background.js      # Runs in background (API calls, events)
├── content/
│   ├── content.js         # Injected into web pages
│   └── content.css        # Styles for injected UI
├── popup/
│   ├── popup.html         # Click extension icon → this opens
│   ├── popup.css
│   └── popup.js
└── icons/
    ├── icon16.png
    ├── icon48.png
    └── icon128.png

Step 1: manifest.json

This is the config file that tells Chrome what your extension does:

{
  "manifest_version": 3,
  "name": "My Extension",
  "version": "1.0.0",
  "description": "What your extension does",
  "permissions": ["storage", "activeTab"],
  "action": {
    "default_popup": "popup/popup.html",
    "default_icon": { "48": "icons/icon48.png" }
  },
  "content_scripts": [
    {
      "matches": ["<all_urls>"],
      "js": ["content/content.js"],
      "css": ["content/content.css"]
    }
  ],
  "background": {
    "service_worker": "background/background.js"
  }
}

Key things:

manifest_version: 3 — always use 3, version 2 is deprecated
permissions — only request what you need (less permissions = faster review)
content_scripts — runs on every page the user visits
background — service worker, runs in the background

Step 2: Content Script — Inject UI into Pages

This is where the magic happens. Your content script runs on every webpage and can read/modify the DOM.

Here's a practical example — a floating tooltip that appears when the user selects text:

let tooltip = null;

document.addEventListener('mouseup', async (e) => {
  if (e.target.closest('#my-tooltip')) return;

  const selectedText = window.getSelection().toString().trim();
  if (!selectedText || selectedText.length < 2) {
    removeTooltip();
    return;
  }

  showTooltip(e, selectedText);
});

function showTooltip(e, text) {
  removeTooltip();

  tooltip = document.createElement('div');
  tooltip.id = 'my-tooltip';
  tooltip.innerHTML = `
    <div class="tooltip-header">
      <span>MY EXTENSION</span>
      <span class="close">&times;</span>
    </div>
    <div class="tooltip-content">${text}</div>
  `;

  document.body.appendChild(tooltip);
  tooltip.style.position = 'absolute';
  tooltip.style.top = `${e.pageY + 10}px`;
  tooltip.style.left = `${e.pageX}px`;
  tooltip.style.zIndex = '2147483647';

  tooltip.querySelector('.close')
    .addEventListener('click', removeTooltip);
}

function removeTooltip() {
  if (tooltip) { tooltip.remove(); tooltip = null; }
}

Style it with content.css:

#my-tooltip {
  background: #1a1a2e;
  color: #e0e0e0;
  border-radius: 10px;
  padding: 10px 14px;
  font-family: sans-serif;
  box-shadow: 0 8px 24px rgba(0, 0, 0, 0.4);
  max-width: 350px;
}

Step 3: Background Service Worker

The background script handles things that don't need a visible page:

API calls (avoids CORS issues)
Context menus (right-click)
Messages between content script and popup
Notifications and alarms

// Run on install
chrome.runtime.onInstalled.addListener(() => {
  chrome.storage.sync.set({ enabled: true });

  chrome.contextMenus.create({
    id: 'my-action',
    title: 'Do something with "%s"',
    contexts: ['selection']
  });
});

// Handle messages from content script
chrome.runtime.onMessage.addListener((request, sender, sendResponse) => {
  if (request.action === 'apiCall') {
    fetch(request.url)
      .then(r => r.json())
      .then(data => sendResponse({ success: true, data }))
      .catch(err => sendResponse({ success: false }));
    return true; // Keep channel open for async
  }
});

Step 4: Popup

The popup opens when a user clicks your extension icon. It's just HTML:

<!DOCTYPE html>
<html>
<head>
  <link rel="stylesheet" href="popup.css">
</head>
<body>
  <h1>My Extension</h1>
  <label>
    <input type="checkbox" id="toggle" checked>
    Enable
  </label>
  <script src="popup.js"></script>
</body>
</html>

// popup.js
document.addEventListener('DOMContentLoaded', async () => {
  const toggle = document.getElementById('toggle');
  const { enabled } = await chrome.storage.sync.get({ enabled: true });
  toggle.checked = enabled;

  toggle.addEventListener('change', () => {
    chrome.storage.sync.set({ enabled: toggle.checked });
  });
});

Step 5: Message Passing

Content scripts can't make API calls directly (CORS). Send messages to the background script instead:

// content.js — send message
chrome.runtime.sendMessage(
  { action: 'apiCall', url: 'https://api.example.com/data' },
  (response) => {
    if (response.success) {
      console.log(response.data);
    }
  }
);

// background.js — receive and handle
chrome.runtime.onMessage.addListener((request, sender, sendResponse) => {
  if (request.action === 'apiCall') {
    fetch(request.url)
      .then(r => r.json())
      .then(data => sendResponse({ success: true, data }))
      .catch(() => sendResponse({ success: false }));
    return true;
  }
});

Step 6: Storage

Chrome provides two storage types:

// sync — syncs across devices, small data (settings)
await chrome.storage.sync.set({ theme: 'dark', language: 'en' });
const settings = await chrome.storage.sync.get({ theme: 'dark' });

// local — local only, larger data (history, cache)
await chrome.storage.local.set({ history: [...items] });
const { history } = await chrome.storage.local.get({ history: [] });

Step 7: Load and Test

Go to chrome://extensions
Enable Developer mode (top right)
Click Load unpacked
Select your extension folder
Visit any webpage and test

Every time you change code, click the reload button on the extensions page.

Step 8: Publish

ZIP your extension folder
Go to Chrome Web Store Developer Dashboard
Pay $5 one-time registration fee
Upload ZIP, add description and screenshots
Submit for review (1-3 days)

Common Permissions Explained

Permission	What it does
`activeTab`	Access current tab on user click
`storage`	Save/load settings and data
`contextMenus`	Add right-click menu items
`notifications`	Show desktop notifications
`tabs`	Access tab URLs and info

Pro tip: Use fewer permissions = faster review + more user trust.

Quick Start Template

If you want to skip the setup and start building immediately, I put together a complete Chrome Extension Starter Kit with all of this already wired up — popup with tabs, content script with tooltip system, background worker, storage, dark theme, and options page.

Chrome Extension Starter Kit →

Questions? Drop a comment below. Happy building!

LinguaSnap Privacy Policy

CsharpDeveloper — Sun, 15 Mar 2026 13:13:09 +0000

Privacy Policy for LinguaSnap

Last updated: March 16, 2026

## What data we collect
LinguaSnap only processes text that you explicitly select on web pages for translation purposes.

## How we use your data

Selected text is sent to MyMemory Translation API for translation
Your language preference is stored locally in your browser
No personal data is collected, stored, or shared

## Data storage

User preferences (target language, enable/disable) are stored locally using Chrome Storage API
No data is sent to our servers
No cookies are used
No analytics or tracking

## Third-party services

MyMemory Translation API (api.mymemory.translated.net) — used solely for translation

## Contact
For questions about this privacy policy, contact: ugurkurekci98@gmail.com

How I Built a Production-Ready Multi-Tenant SaaS Boilerplate with .NET 10

CsharpDeveloper — Sun, 15 Mar 2026 01:01:42 +0000

Every SaaS product needs the same boring infrastructure — authentication, billing, multi-tenancy, user management. I've built these from scratch multiple times and finally decided to package it all into a reusable starter kit.

Here's how I architected it and the decisions I made along the way.

The Problem

You have a great SaaS idea. You start coding. Then you spend weeks on:

JWT authentication with refresh token rotation
Multi-tenant data isolation
Stripe subscription billing
Role-based authorization
Rate limiting
Email service

By the time you're done with infrastructure, you've lost momentum on your actual product.

The Architecture

I went with Clean Architecture — four layers with strict dependency rules:

API → Infrastructure → Application → Domain

Domain — Entities, enums, exceptions. Zero external dependencies.

Application — CQRS commands/queries, validators, interfaces. Defines WHAT the app does.

Infrastructure — EF Core, Stripe, email, JWT. Implements HOW it's done.

API — Controllers, middleware, configuration. The entry point.

Why Clean Architecture? Because the buyer of this boilerplate needs to swap things out. Don't like PostgreSQL? Switch to SQL Server with one config change. Don't want Stripe? Implement IPaymentService with your preferred provider. The infrastructure is pluggable.

Multi-Tenancy: Three Resolution Strategies

This was the most interesting part to design. Tenants can be resolved through:

1. JWT Claim — After login, the tenant_id is embedded in the access token. Every request automatically knows which tenant it belongs to.

2. HTTP Header — API clients send X-Tenant-Id header. Useful for server-to-server communication.

3. Subdomain — acme.yourapp.com resolves to the "acme" tenant. Great for customer-facing apps.

The resolution happens in middleware, before any business logic runs:

public async Task InvokeAsync(HttpContext context,
    ICurrentTenantService tenantService,
    ApplicationDbContext dbContext)
{
    // Try JWT claim first
    var tenantIdClaim = context.User.FindFirstValue("tenant_id");
    if (Guid.TryParse(tenantIdClaim, out var tenantId))
    {
        var tenant = await dbContext.Tenants
            .FirstOrDefaultAsync(t => t.Id == tenantId);
        if (tenant != null)
        {
            tenantService.SetTenant(tenant.Id, tenant.Slug);
            await _next(context);
            return;
        }
    }

    // Fall back to header, then subdomain...
}

The ICurrentTenantService is a scoped service — it lives for the duration of the request. Once the tenant is set, every downstream service automatically knows which tenant is active.

Authentication: JWT + Refresh Token Rotation

Standard JWT with a twist — refresh token rotation. When a client uses a refresh token to get a new access token, the old refresh token is revoked and a new one is issued.

Why? If someone steals a refresh token and the legitimate user also tries to refresh, the system detects the reuse and can invalidate all tokens for that user.

Access Token: 15 minutes (short-lived)
Refresh Token: 7 days (stored in DB, rotated on use)

The auth flow:

POST /api/auth/register — Creates user + tenant + free trial subscription
POST /api/auth/login — Returns access + refresh tokens
POST /api/auth/refresh — Rotates tokens
POST /api/auth/forgot-password — Sends reset email
GET /api/auth/me — Returns current user profile

CQRS with MediatR

Every action is a small, focused class:

// Command
public record LoginCommand(string Email, string Password)
    : IRequest<Result<TokenResponse>>;

// Handler
public class LoginCommandHandler
    : IRequestHandler<LoginCommand, Result<TokenResponse>>
{
    public async Task<Result<TokenResponse>> Handle(
        LoginCommand request, CancellationToken cancellationToken)
    {
        // validate credentials, generate tokens, return result
    }
}

// Validator (runs automatically via pipeline)
public class LoginCommandValidator : AbstractValidator<LoginCommand>
{
    public LoginCommandValidator()
    {
        RuleFor(x => x.Email).NotEmpty().EmailAddress();
        RuleFor(x => x.Password).NotEmpty();
    }
}

The ValidationBehaviour pipeline intercepts every command/query and runs the matching validator before the handler executes. No manual validation code in handlers.

Stripe Integration

Three subscription plans are seeded by default:

Plan	Price	Max Users	API Calls
Free	$0	2	1,000/mo
Pro	$29/mo	25	50,000/mo
Enterprise	$99/mo	Unlimited	Unlimited

The billing flow:

Tenant admin hits POST /api/subscriptions/checkout
Backend creates a Stripe Checkout Session
User completes payment on Stripe's hosted page
Stripe sends webhook → backend updates subscription status

Webhook handling covers all the important events:

checkout.session.completed — Activate subscription
invoice.paid — Renew subscription
invoice.payment_failed — Mark as past due
customer.subscription.deleted — Expire subscription

The Audit Trail

Every entity that extends BaseEntity automatically gets:

public abstract class BaseEntity
{
    public Guid Id { get; set; } = Guid.NewGuid();
    public DateTime CreatedAt { get; set; } = DateTime.UtcNow;
    public DateTime? ModifiedAt { get; set; }
    public string? CreatedBy { get; set; }
    public string? ModifiedBy { get; set; }
}

An EF Core interceptor automatically sets these fields on save — no manual code needed in handlers.

Entities implementing ISoftDeletable are never actually deleted. DELETE operations are converted to updates with IsDeleted = true, and a global query filter excludes them from all reads.

What I'd Do Differently

1. Event-driven architecture — Right now, the welcome email is sent directly from the registration handler. In a production system, I'd publish a UserRegisteredEvent and handle the email in a separate consumer.

2. Integration tests — The current test suite covers domain logic and validation. I'd add integration tests with WebApplicationFactory and a test database.

3. API versioning — Not included yet, but important for any SaaS that will evolve over time.

Tech Stack

.NET 10 / ASP.NET Core
Entity Framework Core (PostgreSQL + SQL Server)
MediatR (CQRS)
FluentValidation
Stripe.net
MailKit (SMTP)
Serilog
Docker + docker-compose
Swagger/OpenAPI

Try It Out

I packaged this into a starter kit that you can use to build your own SaaS product. Clone it, edit appsettings.json, run dotnet run, and start building your actual features instead of infrastructure.

SaaS Kit on Gumroad →

$49 one-time purchase, unlimited projects, full source code.

What's your approach to multi-tenancy? I'd love to hear how others handle tenant isolation, especially at scale. Drop a comment below.