DEV Community: Konstantin The latest articles on DEV Community by Konstantin (@prontodev). https://dev.to/prontodev https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3903100%2F892761b8-f18e-4be9-a149-4e4c4ff76914.png DEV Community: Konstantin https://dev.to/prontodev en How I built subdomain-based multi-tenancy with Next.js 14, Supabase RLS, and Cloudflare — for free Konstantin Wed, 06 May 2026 11:13:58 +0000 https://dev.to/prontodev/how-i-built-subdomain-based-multi-tenancy-with-nextjs-14-supabase-rls-and-cloudflare-for-free-2m02 https://dev.to/prontodev/how-i-built-subdomain-based-multi-tenancy-with-nextjs-14-supabase-rls-and-cloudflare-for-free-2m02 <p>Multi-tenancy is one of those things that sounds simple until you're three hours deep into middleware, wildcard DNS, and Row Level Security policies wondering where it all went wrong.</p> <p>I built it for Pronto — an open-source POS, CRM, and booking system for service businesses. Every business that signs up gets their own subdomain: <code>salon-maya.trypronto.app</code>. Fully isolated. One codebase.</p> <p>Here's exactly how I did it, what broke, and what I'd do differently.</p> <h2> The architecture in one diagram </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Client request: salon-maya.trypronto.app ↓ Cloudflare (wildcard *.trypronto.app → DigitalOcean) ↓ Next.js Middleware (extract slug from hostname) ↓ Supabase RLS (row-level isolation per business_id) ↓ Tenant data </code></pre> </div> <p>Three layers. Each one solves a different problem.</p> <h2> Layer 1: Cloudflare wildcard DNS </h2> <p>This is the easiest part. In your Cloudflare dashboard, add one DNS record:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Type</span><span class="pi">:</span> <span class="s">A</span> <span class="na">Name</span><span class="pi">:</span> <span class="err">*</span> <span class="na">Content</span><span class="pi">:</span> <span class="s">your-server-ip</span> <span class="na">Proxy</span><span class="pi">:</span> <span class="s">✅ (orange cloud)</span> </code></pre> </div> <p>One record handles every subdomain. <code>salon-maya</code>, <code>barbershop-joe</code>, <code>cafe-lima</code> — all routed to the same server automatically.</p> <p>Then enable <strong>Universal SSL</strong> and make sure it covers wildcard <code>*.yourdomain.com</code>. Cloudflare's free plan does this.</p> <p>That's it for DNS. Cost: $0.</p> <h2> Layer 2: Next.js Middleware — extracting the tenant </h2> <p>Every request needs to know <em>which</em> tenant it belongs to. Middleware runs before any page renders, which makes it the right place for this.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// middleware.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">NextRequest</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">middleware</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">hostname</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">host</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="dl">''</span> <span class="kd">const</span> <span class="nx">baseDomain</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_BASE_DOMAIN</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">trypronto.app</span><span class="dl">'</span> <span class="c1">// salon-maya.trypronto.app → slug = "salon-maya"</span> <span class="kd">const</span> <span class="nx">slug</span> <span class="o">=</span> <span class="nx">hostname</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="s2">`.</span><span class="p">${</span><span class="nx">baseDomain</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="dl">''</span><span class="p">)</span> <span class="c1">// Skip if it's the root domain</span> <span class="k">if </span><span class="p">(</span><span class="nx">slug</span> <span class="o">===</span> <span class="nx">baseDomain</span> <span class="o">||</span> <span class="nx">slug</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">www</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">()</span> <span class="p">}</span> <span class="c1">// Pass slug to the request via header</span> <span class="kd">const</span> <span class="nx">requestHeaders</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Headers</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">)</span> <span class="nx">requestHeaders</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">x-tenant-slug</span><span class="dl">'</span><span class="p">,</span> <span class="nx">slug</span><span class="p">)</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">next</span><span class="p">({</span> <span class="na">request</span><span class="p">:</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="nx">requestHeaders</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">matcher</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">/((?!api|_next/static|_next/image|favicon.ico).*)</span><span class="dl">'</span><span class="p">],</span> <span class="p">}</span> </code></pre> </div> <p>Then in any Server Component or API route, read it back:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">headers</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/headers</span><span class="dl">'</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">Page</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">headersList</span> <span class="o">=</span> <span class="nf">headers</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">slug</span> <span class="o">=</span> <span class="nx">headersList</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">x-tenant-slug</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">business</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">getBusinessBySlug</span><span class="p">(</span><span class="nx">slug</span><span class="p">)</span> <span class="c1">// ...</span> <span class="p">}</span> </code></pre> </div> <h2> Layer 3: Supabase RLS — the real isolation </h2> <p>Passing a slug through headers is fine for routing, but if your database queries don't enforce tenant isolation at the DB level, you have a security problem.</p> <p>Supabase Row Level Security fixes this.</p> <p><strong>Every tenant table has a <code>business_id</code> column:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">create</span> <span class="k">table</span> <span class="n">businesses</span> <span class="p">(</span> <span class="n">id</span> <span class="n">uuid</span> <span class="k">primary</span> <span class="k">key</span> <span class="k">default</span> <span class="n">gen_random_uuid</span><span class="p">(),</span> <span class="n">slug</span> <span class="nb">text</span> <span class="k">unique</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="n">name</span> <span class="nb">text</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="n">owner_id</span> <span class="n">uuid</span> <span class="k">references</span> <span class="n">auth</span><span class="p">.</span><span class="n">users</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="p">);</span> <span class="k">create</span> <span class="k">table</span> <span class="n">appointments</span> <span class="p">(</span> <span class="n">id</span> <span class="n">uuid</span> <span class="k">primary</span> <span class="k">key</span> <span class="k">default</span> <span class="n">gen_random_uuid</span><span class="p">(),</span> <span class="n">business_id</span> <span class="n">uuid</span> <span class="k">references</span> <span class="n">businesses</span><span class="p">(</span><span class="n">id</span><span class="p">)</span> <span class="k">not</span> <span class="k">null</span><span class="p">,</span> <span class="n">client_name</span> <span class="nb">text</span><span class="p">,</span> <span class="n">starts_at</span> <span class="n">timestamptz</span> <span class="p">);</span> </code></pre> </div> <p><strong>Enable RLS and add a policy:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">alter</span> <span class="k">table</span> <span class="n">appointments</span> <span class="n">enable</span> <span class="k">row</span> <span class="k">level</span> <span class="k">security</span><span class="p">;</span> <span class="k">create</span> <span class="n">policy</span> <span class="nv">"appointments_business_isolation"</span> <span class="k">on</span> <span class="n">appointments</span> <span class="k">using</span> <span class="p">(</span> <span class="n">business_id</span> <span class="o">=</span> <span class="p">(</span> <span class="k">select</span> <span class="n">id</span> <span class="k">from</span> <span class="n">businesses</span> <span class="k">where</span> <span class="n">owner_id</span> <span class="o">=</span> <span class="n">auth</span><span class="p">.</span><span class="n">uid</span><span class="p">()</span> <span class="p">)</span> <span class="p">);</span> </code></pre> </div> <p>Now it's physically impossible for one tenant to read another tenant's data, even if there's a bug in your application layer.</p> <p><strong>Migration files — keep it simple:</strong></p> <p>I use numbered SQL files (<code>001_initial.sql</code>, <code>002_add_rls.sql</code>) and a Node script that applies them in order on startup. No ORM magic — just SQL tracked in git.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// scripts/migrate.js</span> <span class="kd">const</span> <span class="nx">migrations</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">fs</span><span class="p">.</span><span class="nf">readdir</span><span class="p">(</span><span class="dl">'</span><span class="s1">./supabase/migrations</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">sorted</span> <span class="o">=</span> <span class="nx">migrations</span><span class="p">.</span><span class="nf">sort</span><span class="p">()</span> <span class="c1">// 001_, 002_, etc.</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">file</span> <span class="k">of</span> <span class="nx">sorted</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Check if already applied, skip if so</span> <span class="c1">// Execute if new</span> <span class="p">}</span> </code></pre> </div> <h2> The onboarding flow </h2> <p>When a new business registers, they pick their slug:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>What's your business URL? [ salon-maya ] .trypronto.app </code></pre> </div> <p>On submit:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Validate slug is URL-safe and available</span> <span class="kd">const</span> <span class="nx">slug</span> <span class="o">=</span> <span class="nx">input</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">().</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">[^</span><span class="sr">a-z0-9-</span><span class="se">]</span><span class="sr">/g</span><span class="p">,</span> <span class="dl">''</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">existing</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">businesses</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">select</span><span class="p">(</span><span class="dl">'</span><span class="s1">id</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">eq</span><span class="p">(</span><span class="dl">'</span><span class="s1">slug</span><span class="dl">'</span><span class="p">,</span> <span class="nx">slug</span><span class="p">)</span> <span class="p">.</span><span class="nf">single</span><span class="p">()</span> <span class="k">if </span><span class="p">(</span><span class="nx">existing</span><span class="p">.</span><span class="nx">data</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">This URL is already taken</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Create the business record</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">data</span><span class="p">:</span> <span class="nx">business</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">businesses</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nf">insert</span><span class="p">({</span> <span class="nx">slug</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="nx">businessName</span><span class="p">,</span> <span class="na">owner_id</span><span class="p">:</span> <span class="nx">userId</span> <span class="p">})</span> <span class="p">.</span><span class="nf">select</span><span class="p">()</span> <span class="p">.</span><span class="nf">single</span><span class="p">()</span> <span class="c1">// Redirect to their new subdomain</span> <span class="nf">redirect</span><span class="p">(</span><span class="s2">`https://</span><span class="p">${</span><span class="nx">slug</span><span class="p">}</span><span class="s2">.trypronto.app/onboarding`</span><span class="p">)</span> </code></pre> </div> <p>No DNS configuration needed on the customer's side. The wildcard handles it instantly.</p> <h2> What broke (and how I fixed it) </h2> <p><strong>Problem 1: Cookies don't cross subdomains by default.</strong></p> <p><code>salon-maya.trypronto.app</code> and <code>trypronto.app</code> are different origins. A session cookie set on the root domain won't be readable on the subdomain.</p> <p>Fix — set the cookie domain with a leading dot:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">response</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">sb-token</span><span class="dl">'</span><span class="p">,</span> <span class="nx">token</span><span class="p">,</span> <span class="p">{</span> <span class="na">domain</span><span class="p">:</span> <span class="dl">'</span><span class="s1">.trypronto.app</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// note the leading dot</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">'</span><span class="s1">lax</span><span class="dl">'</span> <span class="p">})</span> </code></pre> </div> <p><strong>Problem 2: Middleware fired on static assets.</strong></p> <p>Without the <code>matcher</code> config, middleware runs on every <code>_next/static/...</code> request and adds latency to every image and JS chunk. The matcher I showed above fixes this.</p> <p><strong>Problem 3: Double-booking at the application layer.</strong></p> <p>Two concurrent requests could both pass the "is this slot free?" check before either wrote to the database. Fixed with a PostgreSQL trigger:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">create</span> <span class="k">or</span> <span class="k">replace</span> <span class="k">function</span> <span class="n">prevent_double_booking</span><span class="p">()</span> <span class="k">returns</span> <span class="k">trigger</span> <span class="k">as</span> <span class="err">$$</span> <span class="k">begin</span> <span class="n">if</span> <span class="k">exists</span> <span class="p">(</span> <span class="k">select</span> <span class="mi">1</span> <span class="k">from</span> <span class="n">appointments</span> <span class="k">where</span> <span class="n">business_id</span> <span class="o">=</span> <span class="k">NEW</span><span class="p">.</span><span class="n">business_id</span> <span class="k">and</span> <span class="n">employee_id</span> <span class="k">IS</span> <span class="k">NOT</span> <span class="k">DISTINCT</span> <span class="k">FROM</span> <span class="k">NEW</span><span class="p">.</span><span class="n">employee_id</span> <span class="k">and</span> <span class="n">status</span> <span class="o">!=</span> <span class="s1">'cancelled'</span> <span class="k">and</span> <span class="n">tstzrange</span><span class="p">(</span><span class="n">starts_at</span><span class="p">,</span> <span class="n">ends_at</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="n">tstzrange</span><span class="p">(</span><span class="k">NEW</span><span class="p">.</span><span class="n">starts_at</span><span class="p">,</span> <span class="k">NEW</span><span class="p">.</span><span class="n">ends_at</span><span class="p">)</span> <span class="k">and</span> <span class="n">id</span> <span class="o">!=</span> <span class="k">NEW</span><span class="p">.</span><span class="n">id</span> <span class="p">)</span> <span class="k">then</span> <span class="n">raise</span> <span class="n">exception</span> <span class="s1">'SLOT_CONFLICT'</span> <span class="k">using</span> <span class="n">errcode</span> <span class="o">=</span> <span class="s1">'P0001'</span><span class="p">;</span> <span class="k">end</span> <span class="n">if</span><span class="p">;</span> <span class="k">return</span> <span class="k">NEW</span><span class="p">;</span> <span class="k">end</span><span class="p">;</span> <span class="err">$$</span> <span class="k">language</span> <span class="n">plpgsql</span><span class="p">;</span> </code></pre> </div> <p>The API returns HTTP 409 on conflict. No race condition possible.</p> <h2> Custom domains (bonus) </h2> <p>For customers who want <code>booking.their-salon.com</code> instead of a subdomain, Cloudflare for SaaS handles this. The first 100 custom domains are free.</p> <p>The customer adds a CNAME pointing to your domain, you verify ownership, Cloudflare provisions the SSL certificate automatically. From your app's perspective, it's the same middleware pattern — just match on the full hostname instead of extracting a slug.</p> <h2> The full cost breakdown </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>Tool</th> <th>Cost</th> </tr> </thead> <tbody> <tr> <td>Wildcard DNS + SSL</td> <td>Cloudflare</td> <td>$0</td> </tr> <tr> <td>Subdomain routing</td> <td>Next.js middleware</td> <td>$0</td> </tr> <tr> <td>Tenant isolation</td> <td>Supabase RLS</td> <td>$0</td> </tr> <tr> <td>Custom domains</td> <td>Cloudflare for SaaS</td> <td>$0 (first 100)</td> </tr> <tr> <td>Hosting</td> <td>DigitalOcean</td> <td>~$20/mo</td> </tr> </tbody> </table></div> <p>The entire multi-tenancy infrastructure costs $20/month — just the server.</p> <h2> The code is open source </h2> <p>Pronto is MIT-licensed. If you're building something similar — a SaaS for service businesses, a booking system, anything with subdomain tenancy — the full implementation is there to read.</p> <p>⭐ <a href="https://github.com/SGrappelli/pronto" rel="noopener noreferrer">github.com/SGrappelli/pronto</a></p> <p>Live demo: <a href="https://trypronto.app" rel="noopener noreferrer">trypronto.app</a></p> <p>Questions about any layer? Drop them in the comments.</p> nextjs supabase opensource webdev How I built an open-source POS with Telegram, WhatsApp & Viber — one Docker command install Konstantin Wed, 29 Apr 2026 12:42:36 +0000 https://dev.to/prontodev/how-i-built-an-open-source-pos-with-telegram-whatsapp-viber-one-docker-command-install-3j25 https://dev.to/prontodev/how-i-built-an-open-source-pos-with-telegram-whatsapp-viber-one-docker-command-install-3j25 <p>A friend of mine runs a beauty salon. Every evening she manually texts appointment reminders to her clients. She tracks inventory in Excel. And she pays 20% commission to a booking platform — for clients she spent years building relationships with herself.<br> So I built Pronto: an open-source POS, CRM, booking system, inventory tracker, and omnichannel notification engine for service businesses. Self-hosted or cloud. Zero commission. One command to install.<br> This post is about the technical decisions that were actually hard.</p> <h2> The architecture in one paragraph </h2> <p>Next.js 14 API routes + Supabase (PostgreSQL + Auth) + Cloudflare R2 for file storage. Notifications via Resend/SMTP, Telegram Bot API, Meta WhatsApp Cloud API, and Viber Bot API. Docker Compose for self-hosting. PWA via next-pwa for offline POS. Multitenancy via Supabase Row Level Security.<br> <strong>Credential model:</strong> each self-hoster (or SaaS tenant) brings their own API keys — Telegram bot token, WhatsApp Phone Number ID + Access Token, Viber token. The platform owner pays nothing to the messenger providers.</p> <h2> Problem 1: The double-booking race condition </h2> <p>App-level booking conflict checks have a classic race condition. Two clients simultaneously pick the same slot → both pass the check → both get confirmed.<br> The fix: a PostgreSQL trigger that runs atomically at commit time.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">OR</span> <span class="k">REPLACE</span> <span class="k">FUNCTION</span> <span class="n">check_booking_conflict</span><span class="p">()</span> <span class="k">RETURNS</span> <span class="k">TRIGGER</span> <span class="k">AS</span> <span class="err">$$</span> <span class="k">BEGIN</span> <span class="n">IF</span> <span class="k">EXISTS</span> <span class="p">(</span> <span class="k">SELECT</span> <span class="mi">1</span> <span class="k">FROM</span> <span class="n">bookings</span> <span class="k">WHERE</span> <span class="n">business_id</span> <span class="o">=</span> <span class="k">NEW</span><span class="p">.</span><span class="n">business_id</span> <span class="k">AND</span> <span class="n">employee_id</span> <span class="k">IS</span> <span class="k">NOT</span> <span class="k">DISTINCT</span> <span class="k">FROM</span> <span class="k">NEW</span><span class="p">.</span><span class="n">employee_id</span> <span class="k">AND</span> <span class="n">status</span> <span class="k">NOT</span> <span class="k">IN</span> <span class="p">(</span><span class="s1">'cancelled'</span><span class="p">,</span> <span class="s1">'no_show'</span><span class="p">)</span> <span class="k">AND</span> <span class="p">(</span><span class="k">NEW</span><span class="p">.</span><span class="n">start_time</span><span class="p">,</span> <span class="k">NEW</span><span class="p">.</span><span class="n">end_time</span><span class="p">)</span> <span class="k">OVERLAPS</span> <span class="p">(</span><span class="n">start_time</span><span class="p">,</span> <span class="n">end_time</span><span class="p">)</span> <span class="k">AND</span> <span class="n">id</span> <span class="o">!=</span> <span class="k">NEW</span><span class="p">.</span><span class="n">id</span> <span class="p">)</span> <span class="k">THEN</span> <span class="n">RAISE</span> <span class="n">EXCEPTION</span> <span class="s1">'Booking conflict: slot already taken'</span><span class="p">;</span> <span class="k">END</span> <span class="n">IF</span><span class="p">;</span> <span class="k">RETURN</span> <span class="k">NEW</span><span class="p">;</span> <span class="k">END</span><span class="p">;</span> <span class="err">$$</span> <span class="k">LANGUAGE</span> <span class="n">plpgsql</span><span class="p">;</span> </code></pre> </div> <p><code>IS NOT DISTINCT FROM</code> handles the NULL case — when <code>employee_id</code> is NULL (group bookings), it still works correctly. The API returns HTTP 409 on conflict, and the UI refreshes the slot grid automatically.</p> <h2> Problem 2: Docker broke auth callbacks </h2> <p>The app worked perfectly locally. Inside a Docker container, Supabase auth redirected back to <code>http://0.0.0.0:3000/auth/callback</code> — because <code>request.url</code> resolves to the container's internal address, not the real hostname.<br> The fix: read <code>NEXT_PUBLIC_SITE_URL</code> explicitly instead of deriving origin from the request.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">siteUrl</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_SITE_URL</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">http://localhost:3000</span><span class="dl">'</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">data</span><span class="p">,</span> <span class="nx">error</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">supabase</span><span class="p">.</span><span class="nx">auth</span><span class="p">.</span><span class="nf">exchangeCodeForSession</span><span class="p">(</span><span class="nx">code</span><span class="p">)</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">siteUrl</span><span class="p">}</span><span class="s2">/dashboard`</span><span class="p">)</span> </code></pre> </div> <p>This made the install truly one-command — no post-install auth debugging required.</p> <h2> Problem 3: WhatsApp's 24-hour window </h2> <p>Nobody documents this clearly upfront: Meta Cloud API only allows free-form text within a 24-hour window after the client initiates contact. Business-initiated messages — appointment reminders, birthday greetings, re-activation nudges — require pre-approved Message Templates (HSM) submitted through Meta Business Manager.<br> This matters if you're building anything that sends proactive notifications via WhatsApp. You either get your templates approved first, or your reminder system silently fails for business-initiated messages. I documented this honestly in the README as a known limitation.</p> <h2> Automatic migrations on startup </h2> <p>Self-hosters shouldn't have to run database migrations manually. I wrote a <code>scripts/migrate.js</code> that runs all Supabase migrations in order before the app starts, using the <code>pg</code> library directly.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># docker-compose.yml</span> <span class="na">services</span><span class="pi">:</span> <span class="na">migrate</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="s">.</span> <span class="na">command</span><span class="pi">:</span> <span class="s">node scripts/migrate.js</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">db</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">app</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="s">.</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">migrate</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_completed_successfully</span> </code></pre> </div> <p>The <code>service_completed_successfully</code> condition means the app won't start until all 18 migrations have run cleanly. <code>docker compose up -d</code> is now genuinely one command.</p> <h2> The full stack </h2> <p><strong>Frontend:</strong> Next.js 14 + Tailwind + shadcn/ui<br> <strong>Backend:</strong> Next.js API routes + Supabase<br> <strong>Database:</strong> PostgreSQL (Supabase), 18 migrations<br> <strong>Auth:</strong> Supabase Auth — Email + Google OAuth<br> <strong>Notifications:</strong> Resend, Telegram Bot API, Meta WhatsApp Cloud API, Viber Bot API<br> <strong>Storage:</strong> Cloudflare R2<br> <strong>Self-hosting:</strong> Docker Compose, multi-stage build, non-root user<br> <strong>PWA:</strong> next-pwa 5.6.0, IndexedDB for offline POS<br> <strong>i18n:</strong> next-intl 4.9.0 (EN active, more coming)</p> <h2> What's live in v1.0 </h2> <p><strong>POS</strong> — completes a sale in 3 clicks, works offline via PWA + IndexedDB<br> <strong>CRM</strong> — full client history, visit patterns, birthday, tags, notes<br> <strong>Booking calendar</strong> — drag &amp; drop, week view, staff columns<br> <strong>Public booking page</strong> — name + phone only, no client account required<br> <strong>Inventory</strong> — stock tracking, low-stock alerts via all channels<br> <strong>Notifications</strong> — all 4 channels fire automatically: booking confirmed → 24h reminder → 1h reminder → thank-you → 30-day re-activation → birthday → low-stock<br> <strong>Multitenancy</strong> — each business isolated via Supabase RLS, own subdomain.</p> <h2> Running costs at zero customers </h2> <p>~$20–25/month on an existing DigitalOcean server. One Starter customer ($19/mo) covers it. Two Pro customers ($39/mo) puts it in the green.</p> <h2> What I'm still figuring out </h2> <p>Payment processing as a solo founder based in Georgia (the country) is genuinely difficult. LemonSqueezy and Polar.sh both don't support bank payouts to Georgia. Paddle has been pending verification for two weeks. Currently testing Dodo Payments. If you've solved this from a non-Stripe-supported country, I'd genuinely appreciate knowing what worked.</p> <p>GitHub: <a href="https://github.com/SGrappelli/pronto" rel="noopener noreferrer">github.com/SGrappelli/pronto</a> — MIT, Docker Compose, CI/CD<br> Live cloud version: <a href="https://trypronto.app/" rel="noopener noreferrer">trypronto.app</a><br> Happy to answer questions about any of the technical decisions above.</p> opensource selfhosted docker webdev