DEV Community: P The latest articles on DEV Community by P (@xinwza007x). https://dev.to/xinwza007x https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3899708%2F2d76e42f-52be-4e27-b159-0c5aad002b69.jpeg DEV Community: P https://dev.to/xinwza007x en Building CoC Meet Room: A Full-Stack Room Booking System with Next.js, Server Actions & Prisma P Mon, 27 Apr 2026 06:36:05 +0000 https://dev.to/xinwza007x/building-coc-meet-room-a-full-stack-room-booking-system-with-nextjs-server-actions-prisma-59no https://dev.to/xinwza007x/building-coc-meet-room-a-full-stack-room-booking-system-with-nextjs-server-actions-prisma-59no <blockquote> <p>A deep dive into the architecture, design decisions, and implementation details of a real-world room booking system built for the College of Computing, PSU Phuket Campus.</p> </blockquote> <p>If you've ever tried to build a room or resource booking system, you know it's one of those deceptively tricky domains. On the surface it sounds simple — <em>"just let people pick a time slot"</em> — but the moment you layer in role-based access, conflict detection, automated status transitions, and audit history, complexity compounds fast.</p> <p>This post walks through <strong>CoC Meet Room</strong>, a mobile-first, responsive booking system built for the College of Computing at Prince of Songkla University, Phuket Campus. I'll focus on the <em>why</em> and <em>how</em> behind each key decision so you can apply these patterns to your own projects.</p> <h2> What Is CoC Meet Room? </h2> <p>CoC Meet Room is a web-based meeting room reservation system that allows students and staff to:</p> <ul> <li>Check real-time room availability in a visual timeline view</li> <li>Book meeting rooms in hourly slots (up to 3 hours/day per account)</li> <li>Manage reservations through role-scoped dashboards</li> <li>Automatically sync booking statuses via a scheduled cron job</li> </ul> <p>The system supports three roles — <strong>USER</strong>, <strong>STAFF</strong>, and <strong>SUPERUSER</strong> — each with clearly scoped capabilities. The UI is built mobile-first and is fully responsive, making it practical for students quickly checking availability on their phones between classes.</p> <h2> The Modern Tech Stack </h2> <p>Here's a quick overview of what powers the system:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Layer</th> <th>Technology</th> </tr> </thead> <tbody> <tr> <td>Framework</td> <td>Next.js (App Router)</td> </tr> <tr> <td>UI Library</td> <td>React 19 + TailwindCSS</td> </tr> <tr> <td>Server Logic</td> <td>Next.js Server Actions</td> </tr> <tr> <td>ORM</td> <td>Prisma ORM</td> </tr> <tr> <td>Database</td> <td>PostgreSQL</td> </tr> <tr> <td>Validation</td> <td>Zod</td> </tr> <tr> <td>Scheduling</td> <td>cron-job.org</td> </tr> <tr> <td>External API</td> <td>Open-Meteo (weather)</td> </tr> </tbody> </table></div> <p>Each choice was deliberate. Let's unpack the most important ones.</p> <h3> Why Next.js App Router? </h3> <p>The App Router unlocks <strong>React Server Components</strong> and <strong>Server Actions</strong> natively. This means we can co-locate data fetching, mutations, and UI in a way that drastically reduces boilerplate — no need for a separate Express server, no Redux for async state, no fetch-on-mount patterns for most pages.</p> <h3> Why Prisma + PostgreSQL? </h3> <p>Prisma gives you type-safe database access with zero-friction schema management. For a system where data integrity matters — overlapping bookings are a hard business rule — having TypeScript types generated directly from your schema eliminates an entire class of bugs.</p> <h3> Why Zod? </h3> <p>Validation is enforced at <em>two</em> levels:</p> <ol> <li> <strong>Frontend</strong> — HTML attributes (<code>required</code>, <code>minLength</code>, <code>type="email"</code>) for a fast first layer of UX feedback.</li> <li> <strong>Backend</strong> — Zod schemas inside Server Actions re-validate every input independently, because you can never trust the client. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Example: Booking validation schema with Zod</span> <span class="kd">const</span> <span class="nx">bookingSchema</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">roomId</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">cuid</span><span class="p">(),</span> <span class="na">startTime</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">datetime</span><span class="p">(),</span> <span class="na">endTime</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">datetime</span><span class="p">(),</span> <span class="p">}).</span><span class="nf">refine</span><span class="p">(</span><span class="nx">data</span> <span class="o">=&gt;</span> <span class="nx">data</span><span class="p">.</span><span class="nx">endTime</span> <span class="o">&gt;</span> <span class="nx">data</span><span class="p">.</span><span class="nx">startTime</span><span class="p">,</span> <span class="p">{</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">End time must be after start time</span><span class="dl">"</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">endTime</span><span class="dl">"</span><span class="p">],</span> <span class="p">});</span> </code></pre> </div> <p>This dual-validation strategy means both your users <em>and</em> your database are protected.</p> <h2> Architecture Highlight: Server Actions Over Internal APIs </h2> <p>One of the most impactful architectural decisions was using <strong>Server Actions</strong> for all core business logic — authentication, booking creation, user management, and room operations.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>app/ └── actions/ ├── auth.ts // login, register, session ├── bookings.ts // create, cancel, update status ├── rooms.ts // create room, fetch queue └── users.ts // profile updates, role changes </code></pre> </div> <h3> The Traditional Approach vs. Server Actions </h3> <p>In a typical Next.js + Express setup, you'd have:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Client → fetch('/api/bookings', { method: 'POST', body: ... }) → API Route → DB </code></pre> </div> <p>With Server Actions, the flow collapses to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Client → &lt;form action={createBooking}&gt; or direct call → DB </code></pre> </div> <p><strong>Why this matters for a booking system:</strong></p> <ul> <li> <strong>No network round-trip overhead</strong> for internal mutations — Server Actions execute on the server directly.</li> <li> <strong>No API route boilerplate</strong> to write and maintain for each operation.</li> <li> <strong>Automatic CSRF protection</strong> — Server Actions are natively protected against cross-site request forgery.</li> <li> <strong>Simpler error handling</strong> — you return structured results from the action, no need to decode HTTP status codes.</li> </ul> <p>The <em>one</em> place we did use an API Route is the cron endpoint:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/cron/bookings/route.ts</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">GET</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">Request</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">authHeader</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">Authorization</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">authHeader</span> <span class="o">!==</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">CRON_SECRET</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">Response</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Unauthorized</span><span class="dl">'</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// ... status sync logic</span> <span class="p">}</span> </code></pre> </div> <p>This is intentional — external services like cron-job.org need a real HTTP endpoint to call, so this is the appropriate place for a traditional API route.</p> <h2> Database Design &amp; the Soft Delete Strategy </h2> <h3> The Data Model </h3> <p>The database is organized around four core entities with clear separation of concerns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User (1) ──────── (0..1) Person User (1) ──────── (many) Booking Room (1) ──────── (many) Booking Booking belongs to one User and one Room </code></pre> </div> <p>The key insight here is splitting <strong>User</strong> and <strong>Person</strong>:</p> <ul> <li> <strong>User</strong> holds authentication data: <code>studentId</code>, <code>email</code>, <code>phone</code>, <code>password</code>, <code>role</code>, <code>refreshToken</code> </li> <li> <strong>Person</strong> holds profile data: <code>name</code>, <code>major</code>, <code>instagram</code>, <code>facebook</code> </li> </ul> <p>This separation follows the single-responsibility principle at the data layer. Auth logic never has to touch profile fields, and profile updates never risk corrupting credential data.</p> <h3> The Soft Delete Philosophy </h3> <p>Here's where things get interesting for booking systems. When a user cancels a booking, <strong>we do not delete the record</strong>. Instead, we transition its <code>status</code> to <code>CANCELLED</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ Hard delete — data gone forever</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">booking</span><span class="p">.</span><span class="k">delete</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">bookingId</span> <span class="p">}</span> <span class="p">});</span> <span class="c1">// ✅ Soft delete — record preserved for audit history</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">booking</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">bookingId</span> <span class="p">},</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">CANCELLED</span><span class="dl">'</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <p><strong>Why does this matter?</strong></p> <ol> <li> <strong>Audit trail</strong> — You can always answer "who booked what, when, and what happened to it?"</li> <li> <strong>Conflict resolution</strong> — Staff can verify whether a disputed booking was cancelled before or after a conflict arose.</li> <li> <strong>Reporting</strong> — Usage statistics remain accurate even after cancellations.</li> <li> <strong>No data loss</strong> — A <code>CANCELLED</code> record is still a historical fact worth keeping.</li> </ol> <p>The four booking statuses form a clear state machine:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>PENDING ──── (time arrives) ────► ACTIVE ──── (time ends) ────► COMPLETED │ │ └── (cancelled by user/staff) ────┴────────────────────────► CANCELLED </code></pre> </div> <p><code>CANCELLED</code> records are excluded from conflict detection but remain visible in History for all roles.</p> <h2> Smart Business Logic </h2> <h3> The 3-Hour Daily Limit </h3> <p>One of the core fairness rules: <strong>each account can book a maximum of 3 hours per day across all rooms</strong>. This is enforced server-side before any booking is committed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Pseudo-code: Enforcing the daily booking limit</span> <span class="kd">const</span> <span class="nx">todaysActiveBookings</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">booking</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">session</span><span class="p">.</span><span class="nx">userId</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="p">{</span> <span class="na">in</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">PENDING</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ACTIVE</span><span class="dl">'</span><span class="p">]</span> <span class="p">},</span> <span class="na">startTime</span><span class="p">:</span> <span class="p">{</span> <span class="na">gte</span><span class="p">:</span> <span class="nf">startOfDay</span><span class="p">(</span><span class="k">new</span> <span class="nc">Date</span><span class="p">())</span> <span class="p">},</span> <span class="na">endTime</span><span class="p">:</span> <span class="p">{</span> <span class="na">lte</span><span class="p">:</span> <span class="nf">endOfDay</span><span class="p">(</span><span class="k">new</span> <span class="nc">Date</span><span class="p">())</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">totalHoursBooked</span> <span class="o">=</span> <span class="nx">todaysActiveBookings</span><span class="p">.</span><span class="nf">reduce</span><span class="p">((</span><span class="nx">acc</span><span class="p">,</span> <span class="nx">booking</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">acc</span> <span class="o">+</span> <span class="nf">differenceInHours</span><span class="p">(</span><span class="nx">booking</span><span class="p">.</span><span class="nx">endTime</span><span class="p">,</span> <span class="nx">booking</span><span class="p">.</span><span class="nx">startTime</span><span class="p">);</span> <span class="p">},</span> <span class="mi">0</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">totalHoursBooked</span> <span class="o">+</span> <span class="nx">requestedHours</span> <span class="o">&gt;</span> <span class="mi">3</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">You have reached the 3-hour daily booking limit.</span><span class="dl">'</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>Key nuances:</p> <ul> <li> <code>CANCELLED</code> bookings are <em>not</em> counted toward the limit — a fair policy that doesn't punish users for cancelling.</li> <li>The check happens inside the Server Action, making it impossible to bypass from the client.</li> <li>A user can select up to 3 consecutive 1-hour slots from the Overview page in a single booking session.</li> </ul> <h3> Conflict Detection </h3> <p>Before a booking is created, the system also verifies no <code>PENDING</code> or <code>ACTIVE</code> booking exists for the same room in an overlapping time range:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">conflict</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">booking</span><span class="p">.</span><span class="nf">findFirst</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">roomId</span><span class="p">:</span> <span class="nx">input</span><span class="p">.</span><span class="nx">roomId</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="p">{</span> <span class="na">in</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">PENDING</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">ACTIVE</span><span class="dl">'</span><span class="p">]</span> <span class="p">},</span> <span class="na">AND</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">startTime</span><span class="p">:</span> <span class="p">{</span> <span class="na">lt</span><span class="p">:</span> <span class="nx">input</span><span class="p">.</span><span class="nx">endTime</span> <span class="p">}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">endTime</span><span class="p">:</span> <span class="p">{</span> <span class="na">gt</span><span class="p">:</span> <span class="nx">input</span><span class="p">.</span><span class="nx">startTime</span> <span class="p">}</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">conflict</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">This room is already booked for the selected time.</span><span class="dl">'</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <h2> Automated Status Management with Cron Jobs </h2> <p>A booking system that requires manual status updates is broken by design. CoC Meet Room uses <strong><a href="https://cron-job.org" rel="noopener noreferrer">cron-job.org</a></strong> to call a protected API endpoint every hour, automating the <code>PENDING → ACTIVE → COMPLETED</code> lifecycle.</p> <h3> Setting It Up </h3> <p><strong>On cron-job.org:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">URL</span><span class="pi">:</span> <span class="s">https://your-domain.com/api/cron/bookings</span> <span class="na">Method</span><span class="pi">:</span> <span class="s">GET</span> <span class="na">Schedule</span><span class="pi">:</span> <span class="s">Every 1 hour</span> <span class="na">Headers: Authorization</span><span class="pi">:</span> <span class="s">Bearer &lt;CRON_SECRET&gt;</span> </code></pre> </div> <p><strong>The endpoint logic:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// app/api/cron/bookings/route.ts</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">GET</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">Request</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// 1. Validate the secret</span> <span class="kd">const</span> <span class="nx">authHeader</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">Authorization</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">authHeader</span> <span class="o">!==</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">CRON_SECRET</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">Response</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Unauthorized</span><span class="dl">'</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">now</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">();</span> <span class="c1">// 2. PENDING → ACTIVE: booking window has started</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">booking</span><span class="p">.</span><span class="nf">updateMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">PENDING</span><span class="dl">'</span><span class="p">,</span> <span class="na">startTime</span><span class="p">:</span> <span class="p">{</span> <span class="na">lte</span><span class="p">:</span> <span class="nx">now</span> <span class="p">},</span> <span class="na">endTime</span><span class="p">:</span> <span class="p">{</span> <span class="na">gt</span><span class="p">:</span> <span class="nx">now</span> <span class="p">},</span> <span class="p">},</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ACTIVE</span><span class="dl">'</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// 3. ACTIVE → COMPLETED: booking window has ended</span> <span class="k">await</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">booking</span><span class="p">.</span><span class="nf">updateMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ACTIVE</span><span class="dl">'</span><span class="p">,</span> <span class="na">endTime</span><span class="p">:</span> <span class="p">{</span> <span class="na">lte</span><span class="p">:</span> <span class="nx">now</span> <span class="p">},</span> <span class="p">},</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">COMPLETED</span><span class="dl">'</span> <span class="p">},</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">Response</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p><strong>Why an external cron service instead of a serverless timer?</strong></p> <p>On most Vercel/serverless deployments, there's no persistent process to run background jobs. Using cron-job.org means:</p> <ul> <li>No infrastructure to manage</li> <li>A free, reliable external trigger</li> <li>Easy monitoring via the cron-job.org dashboard</li> <li>The secret header ensures only authorized callers can trigger the update</li> </ul> <p>There's also a bonus: if a user books a time slot that is <em>currently happening</em>, the Server Action immediately syncs its status to <code>ACTIVE</code> right after creation — no waiting for the next cron cycle.</p> <h2> External API Integration: Live Campus Weather </h2> <p>The Overview dashboard displays real-time weather for the PSU Phuket area, fetched from the <strong><a href="https://open-meteo.com/" rel="noopener noreferrer">Open-Meteo API</a></strong> — a free, no-auth-required weather API.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/campus-weather.ts</span> <span class="kd">const</span> <span class="nx">PSU_PHUKET_LAT</span> <span class="o">=</span> <span class="mf">8.076</span><span class="p">;</span> <span class="c1">// Approximate coordinates</span> <span class="kd">const</span> <span class="nx">PSU_PHUKET_LON</span> <span class="o">=</span> <span class="mf">98.298</span><span class="p">;</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getCampusWeather</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">url</span> <span class="o">=</span> <span class="s2">`https://api.open-meteo.com/v1/forecast?latitude=</span><span class="p">${</span><span class="nx">PSU_PHUKET_LAT</span><span class="p">}</span><span class="s2">&amp;longitude=</span><span class="p">${</span><span class="nx">PSU_PHUKET_LON</span><span class="p">}</span><span class="s2">&amp;current_weather=true`</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="p">{</span> <span class="na">next</span><span class="p">:</span> <span class="p">{</span> <span class="na">revalidate</span><span class="p">:</span> <span class="mi">3600</span> <span class="p">},</span> <span class="c1">// Cache for 1 hour — matches our cron interval</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">raw</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="c1">// Validate the shape of the API response with Zod</span> <span class="kd">const</span> <span class="nx">parsed</span> <span class="o">=</span> <span class="nx">weatherSchema</span><span class="p">.</span><span class="nf">safeParse</span><span class="p">(</span><span class="nx">raw</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">parsed</span><span class="p">.</span><span class="nx">success</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="c1">// Graceful degradation if the API response changes shape</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">parsed</span><span class="p">.</span><span class="nx">data</span><span class="p">.</span><span class="nx">current_weather</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><strong>Design decisions worth noting:</strong></p> <ul> <li> <strong><code>revalidate: 3600</code></strong> — Next.js caches the fetch result for an hour, meaning we're not hammering the Open-Meteo API on every page load.</li> <li> <strong>Zod validation on the API response</strong> — External APIs can change. By parsing the response through a Zod schema, we fail gracefully and never crash the dashboard if Open-Meteo changes its response shape.</li> <li> <strong>Graceful degradation</strong> — If weather data is unavailable, the dashboard simply hides the widget rather than erroring out.</li> </ul> <h2> Security: RBAC and Password Hashing </h2> <h3> Role-Based Access Control (RBAC) </h3> <p>Every data-access function in <code>lib/dal.ts</code> (the Data Access Layer) checks the session role before returning data. There is no "just filter on the frontend" — the server never sends data the role isn't allowed to see.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Operation</th> <th>USER</th> <th>STAFF</th> <th>SUPERUSER</th> </tr> </thead> <tbody> <tr> <td>View own bookings</td> <td>✅</td> <td>✅</td> <td>✅</td> </tr> <tr> <td>View all bookings</td> <td>❌</td> <td>✅</td> <td>✅</td> </tr> <tr> <td>Cancel own booking</td> <td>✅</td> <td>✅</td> <td>✅</td> </tr> <tr> <td>Update any booking status</td> <td>❌</td> <td>✅</td> <td>✅</td> </tr> <tr> <td>Create rooms</td> <td>❌</td> <td>❌</td> <td>✅</td> </tr> <tr> <td>Change user roles</td> <td>❌</td> <td>❌</td> <td>✅</td> </tr> </tbody> </table></div> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Example from lib/dal.ts</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">getBookings</span><span class="p">(</span><span class="nx">session</span><span class="p">:</span> <span class="nx">Session</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">session</span><span class="p">.</span><span class="nx">role</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">USER</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">booking</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">session</span><span class="p">.</span><span class="nx">userId</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">session</span><span class="p">.</span><span class="nx">role</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">STAFF</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// STAFF sees all USER bookings, but not SUPERUSER bookings</span> <span class="k">return</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">booking</span><span class="p">.</span><span class="nf">findMany</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="p">{</span> <span class="na">user</span><span class="p">:</span> <span class="p">{</span> <span class="na">right</span><span class="p">:</span> <span class="dl">'</span><span class="s1">USER</span><span class="dl">'</span> <span class="p">}</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// SUPERUSER sees everything</span> <span class="k">return</span> <span class="nx">prisma</span><span class="p">.</span><span class="nx">booking</span><span class="p">.</span><span class="nf">findMany</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h3> Password Hashing </h3> <p>Passwords are hashed before storage (using bcrypt or Argon2) and the system supports <strong>on-the-fly migration</strong>: if a user logs in with a legacy hash format, their password is automatically re-hashed to the current standard and saved. This enables zero-downtime security upgrades.</p> <h2> Project Structure at a Glance </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>app/ ├── actions/ # Server Actions (auth, booking, room, user) ├── api/ │ └── cron/ │ └── bookings/ # Cron endpoint for status sync ├── dashboard/ │ ├── bookings/ # Booking management UI │ ├── rooms/ # Room queue (STAFF/SUPERUSER) │ ├── users/ # User management (STAFF/SUPERUSER) │ └── profile/ # Profile + logout ├── login/ # Auth pages ├── register/ └── schedule/ # Booking history lib/ ├── dal.ts # Data Access Layer (role-scoped queries) ├── campus-weather.ts # Open-Meteo integration └── form-validation.ts # Zod schemas </code></pre> </div> <h2> 💡 Key Takeaways for Fellow Developers </h2> <p>Building CoC Meet Room surfaced several patterns that translate well to any booking or scheduling system:</p> <ol> <li> <strong>Server Actions reduce boilerplate</strong> without sacrificing control — use them for all internal mutations.</li> <li> <strong>Soft delete isn't just "best practice"</strong> — for booking systems, it's a <em>business requirement</em>. Audit history has real value.</li> <li> <strong>Validate twice</strong> — once on the client for UX, once on the server for security. Never skip the server layer.</li> <li> <strong>Automate state transitions</strong> — a booking system without automated status management will drift out of sync. External cron services are a pragmatic solution on serverless platforms.</li> <li> <strong>Parse external APIs with Zod</strong> — API response shapes change. Zod <code>safeParse</code> lets you fail gracefully instead of crashing in production.</li> <li> <strong>Separate auth data from profile data</strong> — <code>User</code> and <code>Person</code> as separate models keeps concerns clean and makes each simpler to reason about.</li> </ol> <h2> 🚀 Getting Started </h2> <p>If you want to run the project locally:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Install dependencies</span> pnpm <span class="nb">install</span> <span class="c"># 2. Set your environment variables</span> <span class="nb">cp</span> .env.example .env <span class="c"># Fill in DATABASE_URL and CRON_SECRET</span> <span class="c"># 3. Generate Prisma client and push schema</span> pnpm prisma generate pnpm prisma db push <span class="c"># 4. Start the development server</span> pnpm dev </code></pre> </div> <p>For the cron job, register a free account on <a href="https://cron-job.org" rel="noopener noreferrer">cron-job.org</a>, create a new job pointing to <code>https://your-domain.com/api/cron/bookings</code> with a <code>GET</code> method, hourly schedule, and your <code>Authorization: Bearer &lt;CRON_SECRET&gt;</code> header.</p> <h2> Final Thoughts </h2> <p>CoC Meet Room started as a class project but ended up as a solid reference architecture for full-stack Next.js applications. The combination of Server Actions, Prisma, and Zod creates a remarkably tight and type-safe development experience — and the cron + soft-delete patterns address real operational concerns that most tutorials skip entirely.</p> <p>If you have questions about any part of the implementation — the state machine, the role-based DAL, or the cron setup — drop them in the comments. Happy to go deeper on any section. 🙌</p> <p><em>Built with Next.js · Prisma · PostgreSQL · Zod · Open-Meteo · cron-job.org</em></p> nextjs webdev prisma typescript