DEV Community: Konstantin The latest articles on DEV Community by Konstantin (@prontodev). https://dev.to/prontodev https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3903100%2F892761b8-f18e-4be9-a149-4e4c4ff76914.png DEV Community: Konstantin https://dev.to/prontodev en 3 security bugs I shipped in my open-source SaaS — and how I fixed them Konstantin Fri, 29 May 2026 11:02:29 +0000 https://dev.to/prontodev/3-security-bugs-i-shipped-in-my-open-source-saas-and-how-i-fixed-them-gd0 https://dev.to/prontodev/3-security-bugs-i-shipped-in-my-open-source-saas-and-how-i-fixed-them-gd0 <p>Shipping fast as a solo founder means you will introduce security bugs. That's not a question of skill — it's a question of bandwidth. The question is whether you catch them before someone else does.</p> <p>I'm building Pronto — an open-source self-hosted POS, CRM, and booking system for service businesses. During a security review of v1.0, I found three issues that made me genuinely uncomfortable. None were exploited. All are now fixed.</p> <p>Here's what they were, why they happened, and how I fixed each one.</p> <h2> Bug 1: Bot tokens leaking to client-side HTML </h2> <h3> What happened </h3> <p>Pronto supports Telegram, WhatsApp, and Viber notifications. Each tenant configures their own bot credentials in Settings. These credentials are stored in the database and used server-side to dispatch notifications.</p> <p>In an early version, I had a notification preview endpoint that fetched tenant settings — including bot tokens — and returned them in a JSON response that was consumed directly by a client-side component.</p> <p>The token never appeared visibly in the UI. But it was sitting in a fetch response, readable from the browser's DevTools network tab.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ❌ WRONG — this response reached the client</span> <span class="kd">const</span> <span class="nx">settings</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/settings/notifications</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// response included: { telegram_token: "7412...", viber_token: "1234..." }</span> </code></pre> </div> <p>Any user logged into that tenant's account could extract their own bot token from the browser. For multi-tenant SaaS, this is a real problem — especially if a tenant's account gets compromised.</p> <h3> Why it happened </h3> <p>I built the notifications settings UI quickly and pulled the same endpoint used for server-side rendering. The path of least resistance was "fetch everything, display what you need." The token fields weren't rendered in the UI, so it felt safe. It wasn't.</p> <h3> The fix </h3> <p>All notification dispatch moved to server-only API routes protected by an internal secret header. Client-facing endpoints now return only non-sensitive configuration (enabled/disabled state, phone number prefix for display) — never credentials.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ✅ Server-side only — internal routes</span> <span class="c1">// middleware checks: req.headers['x-internal-secret'] === process.env.INTERNAL_API_SECRET</span> <span class="c1">// ✅ Client receives only display data</span> <span class="kd">const</span> <span class="nx">settings</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/settings/notifications/display</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// response: { telegram_enabled: true, whatsapp_number_preview: "+1 234 ***" }</span> </code></pre> </div> <p><strong>Rule learned:</strong> If it looks like a credential, it never touches the client. Not even in a field that isn't rendered.</p> <h2> Bug 2: Unauthenticated API endpoint </h2> <h3> What happened </h3> <p>The public booking page — where clients book appointments without creating an account — needs to fetch available time slots for a given business. This endpoint is intentionally public. No auth required.</p> <p>However, the same route handler also accepted a <code>staff_id</code> parameter and, when provided, returned full staff profile data including internal notes and contact details that were never meant to be public.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">GET /api/public/slots?business=salon-maya&amp;staff_id=123 // returned available slots ✅ // also returned: { name, phone, internal_notes, salary_type } ❌ </span></code></pre> </div> <h3> Why it happened </h3> <p>The staff lookup was added to pre-fill the booking form when a client clicks a specific staff member's profile. I reused an existing staff fetch function without thinking about what data it exposed. The function was designed for internal admin use.</p> <h3> The fix </h3> <p>Public endpoints now use dedicated lean serializers that explicitly whitelist fields:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ✅ Public staff serializer — only what the booking page needs</span> <span class="kd">function</span> <span class="nf">serializeStaffPublic</span><span class="p">(</span><span class="nx">staff</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">staff</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="nx">staff</span><span class="p">.</span><span class="nx">display_name</span><span class="p">,</span> <span class="na">avatar_url</span><span class="p">:</span> <span class="nx">staff</span><span class="p">.</span><span class="nx">avatar_url</span><span class="p">,</span> <span class="na">services</span><span class="p">:</span> <span class="nx">staff</span><span class="p">.</span><span class="nx">services</span><span class="p">,</span> <span class="p">}</span> <span class="c1">// internal_notes, phone, salary_type — never included</span> <span class="p">}</span> </code></pre> </div> <p><strong>Rule learned:</strong> Never reuse internal data fetchers for public endpoints. Write a separate serializer that explicitly lists what's allowed out.</p> <h2> Bug 3: In-memory rate limiting that restarts on deploy </h2> <h3> What happened </h3> <p>The public booking form is rate-limited to prevent spam. I implemented this with a simple in-memory store:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ❌ In-memory rate limiter</span> <span class="kd">const</span> <span class="nx">attempts</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Map</span><span class="p">()</span> <span class="c1">// { ip: { count, resetAt } }</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">checkRateLimit</span><span class="p">(</span><span class="nx">ip</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">record</span> <span class="o">=</span> <span class="nx">attempts</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">ip</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">record</span> <span class="o">&amp;&amp;</span> <span class="nx">record</span><span class="p">.</span><span class="nx">count</span> <span class="o">&gt;=</span> <span class="mi">10</span> <span class="o">&amp;&amp;</span> <span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">&lt;</span> <span class="nx">record</span><span class="p">.</span><span class="nx">resetAt</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">false</span> <span class="c1">// rate limited</span> <span class="p">}</span> <span class="c1">// update record...</span> <span class="k">return</span> <span class="kc">true</span> <span class="p">}</span> </code></pre> </div> <p>This works fine in development. In production, every container restart wipes the Map. Every deploy resets all rate limit counters. A bad actor who knows your deploy schedule (or just retries after a restart) bypasses the limit entirely.</p> <p>For a SaaS with multiple instances, it's even worse — each instance has its own Map, so the effective limit is <code>N instances × 10 requests</code>.</p> <h3> Why it happened </h3> <p>In-memory is the fastest path to "rate limiting is implemented." It works in local testing. The failure mode only appears in production at scale or with deliberate probing.</p> <h3> The fix </h3> <p>The proper solution is Redis (Upstash works well for serverless). But I documented it as a known limitation with a clear upgrade path rather than blocking the release:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// ✅ Production path — Redis via Upstash</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Ratelimit</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@upstash/ratelimit</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Redis</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@upstash/redis</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">ratelimit</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Ratelimit</span><span class="p">({</span> <span class="na">redis</span><span class="p">:</span> <span class="nx">Redis</span><span class="p">.</span><span class="nf">fromEnv</span><span class="p">(),</span> <span class="na">limiter</span><span class="p">:</span> <span class="nx">Ratelimit</span><span class="p">.</span><span class="nf">slidingWindow</span><span class="p">(</span><span class="mi">10</span><span class="p">,</span> <span class="dl">'</span><span class="s1">1 h</span><span class="dl">'</span><span class="p">),</span> <span class="p">})</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">success</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">ratelimit</span><span class="p">.</span><span class="nf">limit</span><span class="p">(</span><span class="nx">ip</span><span class="p">)</span> </code></pre> </div> <p>For self-hosted single-instance deployments, the in-memory version is documented as acceptable with the caveat clearly stated in README. For SaaS — Redis is required.</p> <p><strong>Rule learned:</strong> In-memory state that needs to survive restarts is a production bug, not a dev shortcut. Either implement it properly or document the limitation explicitly so users aren't surprised.</p> <h2> The meta-lesson </h2> <p>All three bugs share a root cause: I made the "fast path" decision without thinking about the security surface.</p> <ul> <li>Fastest notification settings: return everything to the client</li> <li>Fastest staff lookup: reuse the existing function</li> <li>Fastest rate limiting: in-memory Map</li> </ul> <p>Speed of implementation and security surface are often in tension. When you're building solo, you need a personal forcing function to catch this tension before it ships.</p> <p>Mine is now: <strong>anything that touches credentials, user data, or auth gets a 5-minute threat model before it goes to production.</strong> Not a formal audit. Just five minutes of "who can call this, what can they get, what happens if this is wrong."</p> <p>It has caught two more issues since I formalized it.</p> <p>Pronto is open-source under MIT. If you find something I missed — issues are open.</p> <p><strong>GitHub:</strong> <a href="https://github.com/SGrappelli/pronto" rel="noopener noreferrer">github.com/SGrappelli/pronto</a><br> <strong>SaaS:</strong> <a href="https://trypronto.app" rel="noopener noreferrer">trypronto.app</a></p> security opensource selfhosted webdev How I built subdomain-based multi-tenancy with Next.js 14, Supabase RLS, and Cloudflare — for free Konstantin Wed, 06 May 2026 11:13:58 +0000 https://dev.to/prontodev/how-i-built-subdomain-based-multi-tenancy-with-nextjs-14-supabase-rls-and-cloudflare-for-free-2m02 https://dev.to/prontodev/how-i-built-subdomain-based-multi-tenancy-with-nextjs-14-supabase-rls-and-cloudflare-for-free-2m02 <p>Multi-tenancy is one of those things that sounds simple until you're three hours deep into middleware, wildcard DNS, and Row Level Security policies wondering where it all went wrong.</p> <p>I built it for Pronto — an open-source POS, CRM, and booking system for service businesses. Every business that signs up gets their own subdomain: <code>salon-maya.trypronto.app</code>. Fully isolated. One codebase.</p> <p>Here's exactly how I did it, what broke, and what I'd do differently.</p> <h2> The architecture in one diagram </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Client request: salon-maya.trypronto.app ↓ Cloudflare (wildcard *.trypronto.app → DigitalOcean) ↓ Next.js Middleware (extract slug from hostname) ↓ Supabase RLS (row-level isolation per business_id) ↓ Tenant data </code></pre> </div> <p>Three layers. Each one solves a different problem.</p> <h2> Layer 1: Cloudflare wildcard DNS </h2> <p>This is the easiest part. In your Cloudflare dashboard, add one DNS record:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Type</span><span class="pi">:</span> <span class="s">A</span> <span class="na">Name</span><span class="pi">:</span> <span class="err">*</span> <span class="na">Content</span><span class="pi">:</span> <span class="s">your-server-ip</span> <span class="na">Proxy</span><span class="pi">:</span> <span class="s">✅ (orange cloud)</span> </code></pre> </div> <p>One record handles every subdomain. <code>salon-maya</code>, <code>barbershop-joe</code>, <code>cafe-lima</code> — all routed to the same server automatically.</p> <p>Then enable <strong>Universal SSL</strong> and make sure it covers wildcard <code>*.yourdomain.com</code>. Cloudflare's free plan does this.</p> <p>That's it for DNS. Cost: $0.</p> <h2> Layer 2: Next.js Middleware — extracting the tenant </h2> <p>Every request needs to know <em>which</em> tenant it belongs to. Middleware runs before any page renders, which makes it the right place for this.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// middleware.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">NextRequest</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">hostname</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">host</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="dl">''</span> <span class="kd">const</span> <span class="nx">baseDomain</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_BASE_DOMAIN</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">trypronto.app</span><span class="dl">'</span> <span class="c1">// salon-maya.trypronto.app → slug = "salon-maya"</span> <span class="kd">const</span> <span class="nx">slug</span> <span class="o">=</span> <span class="nx">hostname</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="s2">`.</span><span class="p">${</span><span class="nx">baseDomain</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="dl">''</span><span class="p">)</span> <span class="c1">// Skip if it's the root domain</span> <span class="k">if </span><span class="p">(</span><span class="nx">slug</span> <span class="o">===</span> <span class="nx">baseDomain</span> <span class="o">||</span> <span class="nx">slug</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">www</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">()</span> <span class="p">}</span> <span class="c1">// Pass slug to the request via header</span> <span class="kd">const</span> <span class="nx">requestHeaders</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Headers</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">)</span> <span class="nx">requestHeaders</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">x-tenant-slug</span><span class="dl">'</span><span class="p">,</span> <span class="nx">slug</span><span class="p">)</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">({</span> <span class="na">request</span><span class="p">:</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="nx">requestHeaders</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">/((?!api|_next/static|_next/image|favicon.ico).*)</span><span class="dl">'</span><span class="p">],</span> <span class="p">}</span> </code></pre> </div> <p>Then in any Server Component or API route, read it back:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">headers</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/headers</span><span class="dl">'</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">Page</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">headersList</span> <span class="o">=</span> <span class="nf">headers</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">slug</span> <span class="o">=</span> <span class="nx">headersList</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">x-tenant-slug</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">business</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getBusinessBySlug</span><span class="p">(</span><span class="nx">slug</span><span class="p">)</span> <span class="c1">// ...</span> <span class="p">}</span> </code></pre> </div> <h2> Layer 3: Supabase RLS — the real isolation </h2> <p>Passing a slug through headers is fine for routing, but if your database queries don't enforce tenant isolation at the DB level, you have a security problem.</p> <p>Supabase Row Level Security fixes this.</p> <p><strong>Every tenant table has a <code>business_id</code> column:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">create</span> <span class="k">table</span> <span class="n">businesses</span> <span class="p">(</span> <span class="n">id</span> <span class="n">uuid</span> <span class="k">primary</span> <span class="k">key</span> <span class="k">default</span> <span class="n">gen_random_uuid</span><span class="p">(),</span> <span class="n">slug</span> <span class="nb">text</span> <span class="k">unique</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="n">name</span> <span class="nb">text</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="n">owner_id</span> <span class="n">uuid</span> <span class="k">references</span> <span class="n">auth</span><span class="p">.</span><span class="n">users</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="p">);</span> <span class="k">create</span> <span class="k">table</span> <span class="n">appointments</span> <span class="p">(</span> <span class="n">id</span> <span class="n">uuid</span> <span class="k">primary</span> <span class="k">key</span> <span class="k">default</span> <span class="n">gen_random_uuid</span><span class="p">(),</span> <span class="n">business_id</span> <span class="n">uuid</span> <span class="k">references</span> <span class="n">businesses</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="n">client_name</span> <span class="nb">text</span><span class="p">,</span> <span class="n">starts_at</span> <span class="n">timestamptz</span> <span class="p">);</span> </code></pre> </div> <p><strong>Enable RLS and add a policy:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">alter</span> <span class="k">table</span> <span class="n">appointments</span> <span class="n">enable</span> <span class="k">row</span> <span class="k">level</span> <span class="k">security</span><span class="p">;</span> <span class="k">create</span> <span class="n">policy</span> <span class="nv">"appointments_business_isolation"</span> <span class="k">on</span> <span class="n">appointments</span> <span class="k">using</span> <span class="p">(</span> <span class="n">business_id</span> <span class="o">=</span> <span class="p">(</span> <span class="k">select</span> <span class="n">id</span> <span class="k">from</span> <span class="n">businesses</span> <span class="k">where</span> <span class="n">owner_id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="p">)</span> <span class="p">);</span> </code></pre> </div> <p>Now it's physically impossible for one tenant to read another tenant's data, even if there's a bug in your application layer.</p> <p><strong>Migration files — keep it simple:</strong></p> <p>I use numbered SQL files (<code>001_initial.sql</code>, <code>002_add_rls.sql</code>) and a Node script that applies them in order on startup. No ORM magic — just SQL tracked in git.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// scripts/migrate.js</span> <span class="kd">const</span> <span class="nx">migrations</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readdir</span><span class="p">(</span><span class="dl">'</span><span class="s1">./supabase/migrations</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">sorted</span> <span class="o">=</span> <span class="nx">migrations</span><span class="p">.</span><span class="nf">sort</span><span class="p">()</span> <span class="c1">// 001_, 002_, etc.</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">file</span> <span class="k">of</span> <span class="nx">sorted</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Check if already applied, skip if so</span> <span class="c1">// Execute if new</span> <span class="p">}</span> </code></pre> </div> <h2> The onboarding flow </h2> <p>When a new business registers, they pick their slug:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>What's your business URL? [ salon-maya ] .trypronto.app </code></pre> </div> <p>On submit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Validate slug is URL-safe and available</span> <span class="kd">const</span> <span class="nx">slug</span> <span class="o">=</span> <span class="nx">input</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">().</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">[^</span><span class="sr">a-z0-9-</span><span class="se">]</span><span class="sr">/g</span><span class="p">,</span> <span class="dl">''</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">existing</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">businesses</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">slug</span><span class="dl">'</span><span class="p">,</span> <span class="nx">slug</span><span class="p">)</span> <span class="p">.</span><span class="nf">single</span><span class="p">()</span> <span class="k">if </span><span class="p">(</span><span class="nx">existing</span><span class="p">.</span><span class="nx">data</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">This URL is already taken</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Create the business record</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="nx">business</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">businesses</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">insert</span><span class="p">({</span> <span class="nx">slug</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="nx">businessName</span><span class="p">,</span> <span class="na">owner_id</span><span class="p">:</span> <span class="nx">userId</span> <span class="p">})</span> <span class="p">.</span><span class="nf">select</span><span class="p">()</span> <span class="p">.</span><span class="nf">single</span><span class="p">()</span> <span class="c1">// Redirect to their new subdomain</span> <span class="nf">redirect</span><span class="p">(</span><span class="s2">`https://</span><span class="p">${</span><span class="nx">slug</span><span class="p">}</span><span class="s2">.trypronto.app/onboarding`</span><span class="p">)</span> </code></pre> </div> <p>No DNS configuration needed on the customer's side. The wildcard handles it instantly.</p> <h2> What broke (and how I fixed it) </h2> <p><strong>Problem 1: Cookies don't cross subdomains by default.</strong></p> <p><code>salon-maya.trypronto.app</code> and <code>trypronto.app</code> are different origins. A session cookie set on the root domain won't be readable on the subdomain.</p> <p>Fix — set the cookie domain with a leading dot:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">response</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">sb-token</span><span class="dl">'</span><span class="p">,</span> <span class="nx">token</span><span class="p">,</span> <span class="p">{</span> <span class="na">domain</span><span class="p">:</span> <span class="dl">'</span><span class="s1">.trypronto.app</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// note the leading dot</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">'</span><span class="s1">lax</span><span class="dl">'</span> <span class="p">})</span> </code></pre> </div> <p><strong>Problem 2: Middleware fired on static assets.</strong></p> <p>Without the <code>matcher</code> config, middleware runs on every <code>_next/static/...</code> request and adds latency to every image and JS chunk. The matcher I showed above fixes this.</p> <p><strong>Problem 3: Double-booking at the application layer.</strong></p> <p>Two concurrent requests could both pass the "is this slot free?" check before either wrote to the database. Fixed with a PostgreSQL trigger:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">create</span> <span class="k">or</span> <span class="k">replace</span> <span class="k">function</span> <span class="n">prevent_double_booking</span><span class="p">()</span> <span class="k">returns</span> <span class="k">trigger</span> <span class="k">as</span> <span class="err">$$</span> <span class="k">begin</span> <span class="n">if</span> <span class="k">exists</span> <span class="p">(</span> <span class="k">select</span> <span class="mi">1</span> <span class="k">from</span> <span class="n">appointments</span> <span class="k">where</span> <span class="n">business_id</span> <span class="o">=</span> <span class="k">NEW</span><span class="p">.</span><span class="n">business_id</span> <span class="k">and</span> <span class="n">employee_id</span> <span class="k">IS</span> <span class="k">NOT</span> <span class="k">DISTINCT</span> <span class="k">FROM</span> <span class="k">NEW</span><span class="p">.</span><span class="n">employee_id</span> <span class="k">and</span> <span class="n">status</span> <span class="o">!=</span> <span class="s1">'cancelled'</span> <span class="k">and</span> <span class="n">tstzrange</span><span class="p">(</span><span class="n">starts_at</span><span class="p">,</span> <span class="n">ends_at</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="n">tstzrange</span><span class="p">(</span><span class="k">NEW</span><span class="p">.</span><span class="n">starts_at</span><span class="p">,</span> <span class="k">NEW</span><span class="p">.</span><span class="n">ends_at</span><span class="p">)</span> <span class="k">and</span> <span class="n">id</span> <span class="o">!=</span> <span class="k">NEW</span><span class="p">.</span><span class="n">id</span> <span class="p">)</span> <span class="k">then</span> <span class="n">raise</span> <span class="n">exception</span> <span class="s1">'SLOT_CONFLICT'</span> <span class="k">using</span> <span class="n">errcode</span> <span class="o">=</span> <span class="s1">'P0001'</span><span class="p">;</span> <span class="k">end</span> <span class="n">if</span><span class="p">;</span> <span class="k">return</span> <span class="k">NEW</span><span class="p">;</span> <span class="k">end</span><span class="p">;</span> <span class="err">$$</span> <span class="k">language</span> <span class="n">plpgsql</span><span class="p">;</span> </code></pre> </div> <p>The API returns HTTP 409 on conflict. No race condition possible.</p> <h2> Custom domains (bonus) </h2> <p>For customers who want <code>booking.their-salon.com</code> instead of a subdomain, Cloudflare for SaaS handles this. The first 100 custom domains are free.</p> <p>The customer adds a CNAME pointing to your domain, you verify ownership, Cloudflare provisions the SSL certificate automatically. From your app's perspective, it's the same middleware pattern — just match on the full hostname instead of extracting a slug.</p> <h2> The full cost breakdown </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>Tool</th> <th>Cost</th> </tr> </thead> <tbody> <tr> <td>Wildcard DNS + SSL</td> <td>Cloudflare</td> <td>$0</td> </tr> <tr> <td>Subdomain routing</td> <td>Next.js middleware</td> <td>$0</td> </tr> <tr> <td>Tenant isolation</td> <td>Supabase RLS</td> <td>$0</td> </tr> <tr> <td>Custom domains</td> <td>Cloudflare for SaaS</td> <td>$0 (first 100)</td> </tr> <tr> <td>Hosting</td> <td>DigitalOcean</td> <td>~$20/mo</td> </tr> </tbody> </table></div> <p>The entire multi-tenancy infrastructure costs $20/month — just the server.</p> <h2> The code is open source </h2> <p>Pronto is MIT-licensed. If you're building something similar — a SaaS for service businesses, a booking system, anything with subdomain tenancy — the full implementation is there to read.</p> <p>⭐ <a href="https://github.com/SGrappelli/pronto" rel="noopener noreferrer">github.com/SGrappelli/pronto</a></p> <p>Live demo: <a href="https://trypronto.app" rel="noopener noreferrer">trypronto.app</a></p> <p>Questions about any layer? Drop them in the comments.</p> nextjs supabase opensource webdev How I built an open-source POS with Telegram, WhatsApp & Viber — one Docker command install Konstantin Wed, 29 Apr 2026 12:42:36 +0000 https://dev.to/prontodev/how-i-built-an-open-source-pos-with-telegram-whatsapp-viber-one-docker-command-install-3j25 https://dev.to/prontodev/how-i-built-an-open-source-pos-with-telegram-whatsapp-viber-one-docker-command-install-3j25 <p>A friend of mine runs a beauty salon. Every evening she manually texts appointment reminders to her clients. She tracks inventory in Excel. And she pays 20% commission to a booking platform — for clients she spent years building relationships with herself.<br> So I built Pronto: an open-source POS, CRM, booking system, inventory tracker, and omnichannel notification engine for service businesses. Self-hosted or cloud. Zero commission. One command to install.<br> This post is about the technical decisions that were actually hard.</p> <h2> The architecture in one paragraph </h2> <p>Next.js 14 API routes + Supabase (PostgreSQL + Auth) + Cloudflare R2 for file storage. Notifications via Resend/SMTP, Telegram Bot API, Meta WhatsApp Cloud API, and Viber Bot API. Docker Compose for self-hosting. PWA via next-pwa for offline POS. Multitenancy via Supabase Row Level Security.<br> <strong>Credential model:</strong> each self-hoster (or SaaS tenant) brings their own API keys — Telegram bot token, WhatsApp Phone Number ID + Access Token, Viber token. The platform owner pays nothing to the messenger providers.</p> <h2> Problem 1: The double-booking race condition </h2> <p>App-level booking conflict checks have a classic race condition. Two clients simultaneously pick the same slot → both pass the check → both get confirmed.<br> The fix: a PostgreSQL trigger that runs atomically at commit time.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">OR</span> <span class="k">REPLACE</span> <span class="k">FUNCTION</span> <span class="n">check_booking_conflict</span><span class="p">()</span> <span class="k">RETURNS</span> <span class="k">TRIGGER</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">BEGIN</span> <span class="n">IF</span> <span class="k">EXISTS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="mi">1</span> <span class="k">FROM</span> <span class="n">bookings</span> <span class="k">WHERE</span> <span class="n">business_id</span> <span class="o">=</span> <span class="k">NEW</span><span class="p">.</span><span class="n">business_id</span> <span class="k">AND</span> <span class="n">employee_id</span> <span class="k">IS</span> <span class="k">NOT</span> <span class="k">DISTINCT</span> <span class="k">FROM</span> <span class="k">NEW</span><span class="p">.</span><span class="n">employee_id</span> <span class="k">AND</span> <span class="n">status</span> <span class="k">NOT</span> <span class="k">IN</span> <span class="p">(</span><span class="s1">'cancelled'</span><span class="p">,</span> <span class="s1">'no_show'</span><span class="p">)</span> <span class="k">AND</span> <span class="p">(</span><span class="k">NEW</span><span class="p">.</span><span class="n">start_time</span><span class="p">,</span> <span class="k">NEW</span><span class="p">.</span><span class="n">end_time</span><span class="p">)</span> <span class="k">OVERLAPS</span> <span class="p">(</span><span class="n">start_time</span><span class="p">,</span> <span class="n">end_time</span><span class="p">)</span> <span class="k">AND</span> <span class="n">id</span> <span class="o">!=</span> <span class="k">NEW</span><span class="p">.</span><span class="n">id</span> <span class="p">)</span> <span class="k">THEN</span> <span class="n">RAISE</span> <span class="n">EXCEPTION</span> <span class="s1">'Booking conflict: slot already taken'</span><span class="p">;</span> <span class="k">END</span> <span class="n">IF</span><span class="p">;</span> <span class="k">RETURN</span> <span class="k">NEW</span><span class="p">;</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span><span class="p">;</span> </code></pre> </div> <p><code>IS NOT DISTINCT FROM</code> handles the NULL case — when <code>employee_id</code> is NULL (group bookings), it still works correctly. The API returns HTTP 409 on conflict, and the UI refreshes the slot grid automatically.</p> <h2> Problem 2: Docker broke auth callbacks </h2> <p>The app worked perfectly locally. Inside a Docker container, Supabase auth redirected back to <code>http://0.0.0.0:3000/auth/callback</code> — because <code>request.url</code> resolves to the container's internal address, not the real hostname.<br> The fix: read <code>NEXT_PUBLIC_SITE_URL</code> explicitly instead of deriving origin from the request.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">siteUrl</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SITE_URL</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">http://localhost:3000</span><span class="dl">'</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">exchangeCodeForSession</span><span class="p">(</span><span class="nx">code</span><span class="p">)</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">siteUrl</span><span class="p">}</span><span class="s2">/dashboard`</span><span class="p">)</span> </code></pre> </div> <p>This made the install truly one-command — no post-install auth debugging required.</p> <h2> Problem 3: WhatsApp's 24-hour window </h2> <p>Nobody documents this clearly upfront: Meta Cloud API only allows free-form text within a 24-hour window after the client initiates contact. Business-initiated messages — appointment reminders, birthday greetings, re-activation nudges — require pre-approved Message Templates (HSM) submitted through Meta Business Manager.<br> This matters if you're building anything that sends proactive notifications via WhatsApp. You either get your templates approved first, or your reminder system silently fails for business-initiated messages. I documented this honestly in the README as a known limitation.</p> <h2> Automatic migrations on startup </h2> <p>Self-hosters shouldn't have to run database migrations manually. I wrote a <code>scripts/migrate.js</code> that runs all Supabase migrations in order before the app starts, using the <code>pg</code> library directly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># docker-compose.yml</span> <span class="na">services</span><span class="pi">:</span> <span class="na">migrate</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="s">.</span> <span class="na">command</span><span class="pi">:</span> <span class="s">node scripts/migrate.js</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">db</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">app</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="s">.</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">migrate</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_completed_successfully</span> </code></pre> </div> <p>The <code>service_completed_successfully</code> condition means the app won't start until all 18 migrations have run cleanly. <code>docker compose up -d</code> is now genuinely one command.</p> <h2> The full stack </h2> <p><strong>Frontend:</strong> Next.js 14 + Tailwind + shadcn/ui<br> <strong>Backend:</strong> Next.js API routes + Supabase<br> <strong>Database:</strong> PostgreSQL (Supabase), 18 migrations<br> <strong>Auth:</strong> Supabase Auth — Email + Google OAuth<br> <strong>Notifications:</strong> Resend, Telegram Bot API, Meta WhatsApp Cloud API, Viber Bot API<br> <strong>Storage:</strong> Cloudflare R2<br> <strong>Self-hosting:</strong> Docker Compose, multi-stage build, non-root user<br> <strong>PWA:</strong> next-pwa 5.6.0, IndexedDB for offline POS<br> <strong>i18n:</strong> next-intl 4.9.0 (EN active, more coming)</p> <h2> What's live in v1.0 </h2> <p><strong>POS</strong> — completes a sale in 3 clicks, works offline via PWA + IndexedDB<br> <strong>CRM</strong> — full client history, visit patterns, birthday, tags, notes<br> <strong>Booking calendar</strong> — drag &amp; drop, week view, staff columns<br> <strong>Public booking page</strong> — name + phone only, no client account required<br> <strong>Inventory</strong> — stock tracking, low-stock alerts via all channels<br> <strong>Notifications</strong> — all 4 channels fire automatically: booking confirmed → 24h reminder → 1h reminder → thank-you → 30-day re-activation → birthday → low-stock<br> <strong>Multitenancy</strong> — each business isolated via Supabase RLS, own subdomain.</p> <h2> Running costs at zero customers </h2> <p>~$20–25/month on an existing DigitalOcean server. One Starter customer ($19/mo) covers it. Two Pro customers ($39/mo) puts it in the green.</p> <h2> What I'm still figuring out </h2> <p>Payment processing as a solo founder based in Georgia (the country) is genuinely difficult. LemonSqueezy and Polar.sh both don't support bank payouts to Georgia. Paddle has been pending verification for two weeks. Currently testing Dodo Payments. If you've solved this from a non-Stripe-supported country, I'd genuinely appreciate knowing what worked.</p> <p>GitHub: <a href="https://github.com/SGrappelli/pronto" rel="noopener noreferrer">github.com/SGrappelli/pronto</a> — MIT, Docker Compose, CI/CD<br> Live cloud version: <a href="https://trypronto.app/" rel="noopener noreferrer">trypronto.app</a><br> Happy to answer questions about any of the technical decisions above.</p> opensource selfhosted docker webdev