The project emphasizes practical full-stack execution: secure multi-tenant data access, real authentication flows, API guardrails, testing, and production deployment on Vercel.
- Marketing landing page (Next.js App Router) aligned with the fintech template system.
- Email/password authentication UI wired to Supabase Auth:
  - `signInWithPassword` on `/login`
  - `signUp` on `/signup`
- Auth callback route for OAuth/magic-link style flows:
  - code exchange via `exchangeCodeForSession`
  - safe redirect sanitization (`next` path validation)
- Auth error fallback page (`/auth/auth-error`).
- Protected dashboard access with authenticated user resolution.
- Plaid link token API with auth and rate-limiting controls.
- Core finance server actions and data retrieval modules.
- Unit and E2E test suites running in CI.
- Complete English-only copy across all dashboard and table labels.
Next steps:
- Add explicit unit tests for `app/auth/callback/route.ts` success/failure branches.
- Expand dashboard from current foundational views to full CRUD workflows.
- Improve local/offline font strategy to avoid Google Fonts dependency during restricted-network builds.
Tech stack:
- Next.js (App Router)
- TypeScript
- Tailwind CSS
- Prisma ORM
- PostgreSQL (Supabase)
- Supabase Auth
- Plaid
- Vitest + Playwright
- Vercel
Feature areas:
- Authentication (email/password + callback flow)
- Dashboard (authenticated access, filtering, pagination)
- Transaction data retrieval and finance server actions
- Plaid link token endpoint
- Marketing pages (home, pricing, features, legal pages)
Project structure:
- `app/`: routes, server components, server actions, API handlers
- `components/`: UI and feature components (`landing`, `marketing`, `transactions`, `ui`)
- `lib/`: integrations (`supabase`, `prisma`, `plaid`) + security/data modules
- `prisma/`: schema and migration artifacts
- `tests/`: unit and E2E tests
Landing system:
- Shared hooks: `lib/hooks/useReducedMotion.ts`
- Shared landing constants: `lib/landing/constants.ts`, `lib/landing/animations.ts`
- Shared tracking utility: `lib/analytics/tracking.ts`
- Landing organisms: `components/landing/Hero.tsx`, `components/landing/Features.tsx`, `components/landing/Pricing.tsx`, `components/landing/Testimonials.tsx`, `components/landing/Footer.tsx`
- Global interaction layer: `components/landing/MicroInteractions.tsx`
- Design system: `docs/design-system/landing-design-system.md`
- Animation timing: `docs/design-system/animation-timing-reference.md`
- Component notes: `docs/components/landing-components.md`
Data model:
- Tenant isolation based on `userId`
- Monetary fields as `Decimal(14,2)`
- Soft-delete via `deletedAt`
- Indexed read paths for tenant/time access patterns
- Supabase RLS policies for defense in depth

Security controls:
- App-layer tenant scoping (`where: { userId: ... }`)
- Supabase RLS for protected tables
- Auth-required Plaid endpoint access
- Rate limiting with `429` + `Retry-After`
- Controlled usage of `SUPABASE_SERVICE_ROLE_KEY` (the service role bypasses RLS, so it belongs only in server-side modules and never in client code)
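One way to make the app-layer tenant predicate impossible to forget, as an added example that is not the project's own `lib/` code: every Prisma `where` clause a server action builds goes through a helper that injects `userId` and the soft-delete filter and refuses any attempt to override the tenant. The helper names, the in-memory stand-in rows and the string-typed amount are assumptions made for this example; the database RLS policy stays as the second layer underneath it.

```typescript
// Added example (not the project's code): app-layer tenant scoping helper.
// Names (tenantWhere, assertTenantOwns, TenantScopeError, SAMPLE_ROWS) are assumed.

export class TenantScopeError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "TenantScopeError";
  }
}

// Loose shape of a Prisma `where` object; only the keys used here matter.
export type Where = Record<string, unknown>;

// Merge caller filters with the mandatory tenant + soft-delete predicates.
// A caller-supplied userId that differs from the authenticated one is either a
// bug or an attack, so it fails loudly instead of silently widening the scope.
export function tenantWhere(
  userId: string,
  extra: Where = {},
  opts: { includeDeleted?: boolean } = {},
): Where {
  if (typeof userId !== "string" || userId.length === 0) {
    throw new TenantScopeError("tenant scoping requires an authenticated userId");
  }
  if ("userId" in extra && extra.userId !== userId) {
    throw new TenantScopeError("caller attempted to override tenant scope");
  }
  const where: Where = { ...extra, userId };
  if (!opts.includeDeleted) where.deletedAt = null;
  return where;
}

// Guard for write paths: load with findFirst({ where: tenantWhere(...) }), then
// assert ownership before update/delete. A missing row and a foreign row are
// reported identically so the response does not reveal that the row exists.
export function assertTenantOwns<T extends { userId: string }>(
  row: T | null | undefined,
  userId: string,
): T {
  if (row === null || row === undefined || row.userId !== userId) {
    throw new TenantScopeError("not found");
  }
  return row;
}

// Tiny in-memory stand-in for a Prisma model so the helper runs offline.
export type TransactionRow = {
  id: string;
  userId: string;
  amount: string; // Decimal(14,2) carried as a string to avoid float rounding (assumption)
  deletedAt: Date | null;
};

// Constructed sample data: two tenants, one soft-deleted row.
export const SAMPLE_ROWS: TransactionRow[] = [
  { id: "t1", userId: "user-a", amount: "12.50", deletedAt: null },
  { id: "t2", userId: "user-a", amount: "99.99", deletedAt: new Date("2024-01-01T00:00:00Z") },
  { id: "t3", userId: "user-b", amount: "5.00", deletedAt: null },
];

// Equality matcher mimicking the subset of Prisma `where` semantics used above.
function matches(row: TransactionRow, where: Where): boolean {
  const record: Record<string, unknown> = row;
  return Object.entries(where).every(([key, value]) => record[key] === value);
}

// What a "list transactions" server action would do, minus the real database.
export function findTransactions(
  rows: TransactionRow[],
  userId: string,
  extra: Where = {},
): TransactionRow[] {
  const where = tenantWhere(userId, extra);
  return rows.filter((row) => matches(row, where));
}
```

Passing `{ id: "t1" }` as `extra` while authenticated as `user-b` returns nothing, which is the IDOR case the helper exists to close; the RLS policy would reject the same read at the database if a query ever bypassed the helper.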
References:
- `docs/security/data-access-policy.md`
- `prisma/validation/rls_smoke.sql`
- `app/api/plaid/link/route.ts`
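The "auth-required" and "`429` + `Retry-After`" controls above, as an added example rather than the project's `app/api/plaid/link/route.ts`: a fixed-window limiter keyed on the authenticated user, and the gate a link-token handler would run before it ever talks to Plaid. The class and function names, the limit of five requests per minute and the injectable clock are assumptions for this example.

```typescript
// Added example (not the project's route code): per-user fixed-window rate limit
// that answers 429 with a Retry-After header. Names and the limit are assumed.

export interface Clock {
  now(): number;
}

export interface LimitDecision {
  allowed: boolean;
  remaining: number;
  retryAfterSeconds: number; // 0 when the request is allowed
}

// In-memory state is per process. On a serverless platform such as Vercel each
// instance has its own map, so a shared store (Redis, a database table) is
// needed for a limit that must hold across instances.
export class FixedWindowLimiter {
  private readonly limit: number;
  private readonly windowMs: number;
  private readonly clock: Clock;
  private readonly windows = new Map<string, { start: number; count: number }>();

  constructor(limit: number, windowMs: number, clock: Clock = { now: () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.clock = clock;
  }

  check(key: string): LimitDecision {
    const now = this.clock.now();
    let window = this.windows.get(key);
    if (window === undefined || now - window.start >= this.windowMs) {
      window = { start: now, count: 0 };
      this.windows.set(key, window);
    }
    if (window.count >= this.limit) {
      const msLeft = window.start + this.windowMs - now;
      // Retry-After is whole seconds and must never be 0, or clients retry immediately.
      return { allowed: false, remaining: 0, retryAfterSeconds: Math.max(1, Math.ceil(msLeft / 1000)) };
    }
    window.count += 1;
    return { allowed: true, remaining: this.limit - window.count, retryAfterSeconds: 0 };
  }
}

export interface RouteDecision {
  status: 200 | 401 | 429;
  headers: Record<string, string>;
}

// Default budget for this example: five link tokens per user per minute (assumption).
export const LINK_TOKEN_LIMITER = new FixedWindowLimiter(5, 60_000);

// Gate for the link-token handler: authenticate first, then rate limit per user.
// Only a 200 decision should proceed to call Plaid's /link/token/create.
export function gateLinkTokenRequest(
  userId: string | null,
  limiter: FixedWindowLimiter = LINK_TOKEN_LIMITER,
): RouteDecision {
  const noStore = { "Cache-Control": "no-store" };
  if (userId === null || userId.length === 0) {
    return { status: 401, headers: noStore };
  }
  const decision = limiter.check(`plaid-link:${userId}`);
  if (!decision.allowed) {
    return {
      status: 429,
      headers: { ...noStore, "Retry-After": String(decision.retryAfterSeconds) },
    };
  }
  return {
    status: 200,
    headers: { ...noStore, "X-RateLimit-Remaining": String(decision.remaining) },
  };
}
```

In the route handler the 401 and 429 decisions map directly onto `NextResponse.json({ error }, { status, headers })`; only a 200 decision reaches the Plaid client. Keying on the authenticated user id rather than only the client IP means one tenant cannot exhaust another tenant's budget from behind a shared NAT, and the unauthenticated 401 branch runs before any limiter state is touched.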
Auth flow:
- `/login` -> Supabase `signInWithPassword`
- `/signup` -> Supabase `signUp` with `emailRedirectTo`
- `/auth/callback` -> `exchangeCodeForSession(code)` + safe redirect
- `/auth/auth-error` -> fallback page for failed auth exchanges
Key files:
- `app/(marketing)/login/page.tsx`
- `app/(marketing)/signup/page.tsx`
- `app/auth/callback/route.ts`
- `app/auth/auth-error/page.tsx`
- `lib/supabase/actions.ts`
- `lib/supabase/client.ts`
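The "safe redirect" step of the callback flow, written out as an added example (not the contents of the project's `app/auth/callback/route.ts`): the `next` query parameter is accepted only as a same-origin path, the absolute redirect target is built from the trusted site URL rather than the request's `Host` header, and a missing code or a failed exchange lands on `/auth/auth-error`. The function names, the `/dashboard` default and the rule that `next` may not point back into `/auth/` are assumptions; the exchange is injected so the example runs without Supabase.

```typescript
// Added example (not the project's route code): `next` path validation for an
// auth callback plus the redirect decision around it. Names are assumed.

const PLACEHOLDER_ORIGIN = "https://placeholder.invalid";

// Accept only a single-slash relative path on our own origin; anything else
// collapses to the fallback.
export function sanitizeNextPath(raw: string | null | undefined, fallback = "/dashboard"): string {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return fallback;
  // "//evil.example" is protocol-relative and "/\evil.example" is parsed the same
  // way by browsers (backslash is a slash in special schemes), so both are foreign hosts.
  if (!raw.startsWith("/") || raw.startsWith("//") || raw.startsWith("/\\")) return fallback;
  // URL parsers silently strip tabs/newlines and treat control characters oddly.
  if (/[\u0000-\u001f\u007f\s]/.test(raw)) return fallback;

  let parsed: URL;
  try {
    parsed = new URL(raw, PLACEHOLDER_ORIGIN);
  } catch {
    return fallback;
  }
  // Belt and braces: whatever the parser did, the origin must be unchanged.
  if (parsed.origin !== PLACEHOLDER_ORIGIN) return fallback;
  // Do not let the callback loop back into the auth routes (assumed rule).
  if (parsed.pathname === "/auth" || parsed.pathname.startsWith("/auth/")) return fallback;
  // Return the normalised form ("/a/../b" becomes "/b"), keeping query and fragment.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Build the absolute Location from the configured site URL (NEXT_PUBLIC_SITE_URL
// in this project), never from request.headers.host, which a proxy or client controls.
export function buildCallbackRedirect(siteUrl: string, next: string | null): string {
  return new URL(sanitizeNextPath(next), siteUrl).toString();
}

// Injected stand-in for exchangeCodeForSession so the decision logic runs offline.
export type Exchange = (code: string) => { ok: true } | { ok: false; message: string };

export interface CallbackDecision {
  ok: boolean;
  location: string;
}

// Decision logic for GET /auth/callback?code=...&next=...
export function decideCallback(requestUrl: URL, siteUrl: string, exchange: Exchange): CallbackDecision {
  const code = requestUrl.searchParams.get("code");
  const next = requestUrl.searchParams.get("next");
  const errorLocation = new URL("/auth/auth-error", siteUrl).toString();
  if (code === null || code.length === 0) return { ok: false, location: errorLocation };
  const result = exchange(code);
  if (!result.ok) return { ok: false, location: errorLocation };
  return { ok: true, location: buildCallbackRedirect(siteUrl, next) };
}
```

The prefix checks and the origin comparison are deliberately redundant: the first rejects the well-known open-redirect shapes before parsing, the second catches anything a parser quirk lets through. Note that `searchParams.get` already percent-decodes once, so the validator sees the same string a browser would navigate to.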
Quick start:
- Clone and install:

```bash
git clone https://github.com/paulopacifico/finance-saas.git
cd finance-saas
npm ci
```

- Configure environment: `cp .env.example .env`
- Run dev server: `npm run dev`
- Open `http://localhost:3000`
Core variables:
- `DATABASE_URL`
- `DIRECT_URL`
- `NEXT_PUBLIC_SUPABASE_URL`
- `NEXT_PUBLIC_SUPABASE_ANON_KEY` or `NEXT_PUBLIC_SUPABASE_PUBLISHABLE_DEFAULT_KEY`
- `SUPABASE_SERVICE_ROLE_KEY`
- `PLAID_CLIENT_ID`
- `PLAID_SECRET`
- `PLAID_ENV`
- `PLAID_COUNTRY_CODES`
- `PLAID_PRODUCTS`
- `PLAID_REDIRECT_URI`
- `NEXT_PUBLIC_SITE_URL`

Only variables with the `NEXT_PUBLIC_` prefix are inlined into the browser bundle. `SUPABASE_SERVICE_ROLE_KEY` and `PLAID_SECRET` must keep their unprefixed names and be read only from server-side code.
Database scripts:

```bash
npm run prisma:generate
npm run prisma:migrate:dev
npm run prisma:migrate:deploy
```

Quality checks:

```bash
npm run lint
npm run test:unit
npm run test:e2e
npm run test
```

Preview authenticated smoke:

```bash
PREVIEW_BASE_URL="https://your-preview-url" \
PREVIEW_AUTH_COOKIE_NAME="sb-your-project-ref-auth-token" \
PREVIEW_AUTH_COOKIE_VALUE="your-auth-cookie-value" \
npm run test:e2e:preview
```

`PREVIEW_AUTH_COOKIE_VALUE` is a live Supabase session cookie, so treat it as a credential: prefer a throwaway preview account, and keep the value out of shell history and CI logs.

Recommended release flow:
- Configure production environment variables.
- Run `prisma migrate deploy`.
- Run RLS smoke validation.
- Confirm CI checks (`lint`, `unit`, `e2e`, `build`).
- Promote deployment.
Operational runbook:
- `docs/operations/deploy-runbook.md`
- `docs/operations/production-checklist.md`
- `docs/operations/analytics-event-schema.md`
- Open Graph and Twitter metadata configured in `app/layout.tsx`.
- Global error boundary: `app/error.tsx`.
- Custom 404 page: `app/not-found.tsx`.
- Conversion tracking hooks are wired through `lib/analytics/tracking.ts`.
- Forms include loading/success/error handling (`components/landing/Footer.tsx`).
- Why combine app-level tenant checks with database RLS?
- How do you prevent open redirect vulnerabilities in auth callbacks?
- What are the next reliability/compliance steps for production?
- Which parts are MVP shortcuts vs. production-grade controls?
This repository includes core technical controls, but full production compliance still needs legal and operational processes:
- Public Privacy Policy and Terms
- DSR workflows (access/correction/deletion)
- Data retention/disposal process
- Auditable sensitive access controls
- Legal review for applicable Canadian obligations
References:
- `docs/compliance/canada-compliance-checklist.md`
- `docs/operations/deploy-runbook.md`
app/
components/
lib/
prisma/
tests/
public/
Private project. Add an explicit license before public distribution.