Project_Manifest v2.0
ODAY.ENGINEER
Portfolio
2026-04-02 — present
Technical Narrative
A fully dynamic, CMS-style portfolio platform built with Next.js and TypeScript. Features a role-based access control system (Admin / Visitor) powered by Supabase Auth with JWTs — roles are persisted in the database and enforced server-side via Next.js Server Actions, so bypassing the UI layer does not bypass authorization. Admins have full CRUD access across all content domains: summary, education, projects, technologies, and media. Visitors can browse the dashboard in read-only mode. Zero redeployment needed for content updates.
- 01 //Architected a dual-layer authorization system — Next.js middleware refreshes Supabase JWTs on every /dashboard request via @supabase/ssr, while a reusable requireAdmin() guard re-validates the user and asserts their role inside every mutating Server Action, ensuring route-level and action-level authorization never drift apart.
- 02 //Eliminated silent privilege escalation risk by enforcing RBAC exclusively at the Server Action boundary — a deliberate choice, since the Drizzle client connects via DATABASE_URL and bypasses Supabase RLS entirely; requireAdmin() is the only authorization layer and is documented as such.
- 03 //Designed a CMS-style Postgres data model using Drizzle ORM across six domain tables (profiles, summary, projects, technologies, education, section_order), with a section_order.sections text array making homepage layout fully database-driven rather than hard-coded.
- 04 //Hardened media uploads by routing all FormData through a Server Action that enforces a MIME allowlist (png/jpeg/webp/gif/pdf), a size cap, filename sanitization, and Date.now() prefixing before writing to Supabase Storage — preventing arbitrary file-type uploads and path collisions.
- 05 //Optimized cache invalidation surgically with revalidatePath() scoped to only affected routes after each mutation (/, /projects, /dashboard/projects), paired with Next.js Image remote-pattern allowlisting locked to the project's Supabase subdomain — keeping stale content windows narrow and blocking unauthorized image hosts.
- 06 //Guaranteed atomic drag-reorder operations by wrapping multi-row order updates in a Drizzle db.transaction() — ensuring project, technology, and education reordering never produces partial writes even under large batch submissions.
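The upload hardening from item 04, as an added TypeScript example that is not the portfolio's own code: the MIME allowlist (png/jpeg/webp/gif/pdf), size cap, filename sanitization and Date.now() prefix. Two details are assumptions of this example, not stated on the page: a 5 MiB cap (the page names a cap but not its value) and a magic-byte check, added because the browser-declared Content-Type is attacker-controlled and an allowlist on it alone can be satisfied by any upload.

```typescript
// Added example, not the portfolio's code: upload validation as in item 04.
// Assumed: a 5 MiB cap (the page states a cap but not its value) and a
// magic-byte check, since the client-supplied MIME type is untrusted.
type AllowedMime = "image/png" | "image/jpeg" | "image/webp" | "image/gif" | "application/pdf";

// Allowed types and the extension the stored object gets (never the client's).
const EXT: Record<AllowedMime, string> = {
  "image/png": "png", "image/jpeg": "jpg", "image/webp": "webp",
  "image/gif": "gif", "application/pdf": "pdf",
};
const MAX_BYTES = 5 * 1024 * 1024;

function startsWith(b: Uint8Array, sig: number[], at = 0): boolean {
  return sig.every((v, i) => b[at + i] === v);
}

// File signatures used to confirm the declared type against the actual bytes.
const MAGIC: Record<AllowedMime, (b: Uint8Array) => boolean> = {
  "image/png": (b) => startsWith(b, [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  "image/jpeg": (b) => startsWith(b, [0xff, 0xd8, 0xff]),
  "image/gif": (b) => startsWith(b, [0x47, 0x49, 0x46, 0x38]),
  "application/pdf": (b) => startsWith(b, [0x25, 0x50, 0x44, 0x46]),
  "image/webp": (b) => startsWith(b, [0x52, 0x49, 0x46, 0x46]) && startsWith(b, [0x57, 0x45, 0x42, 0x50], 8),
};

export class UploadRejected extends Error {}

// Keep a safe basename only: drop directory parts, replace anything outside
// [A-Za-z0-9._-], strip leading dots, and bound the length.
export function sanitizeFilename(name: string): string {
  const base = name.split(/[\\/]/).pop() ?? "";
  const cleaned = base.replace(/[^A-Za-z0-9._-]/g, "_").replace(/^\.+/, "");
  return cleaned.slice(0, 100) || "file";
}

// Returns the storage key for an accepted upload, or throws UploadRejected.
export function validateUpload(name: string, claimedType: string, bytes: Uint8Array, now = Date.now()): string {
  if (!(claimedType in EXT)) throw new UploadRejected(`type not allowed: ${claimedType}`);
  const mime = claimedType as AllowedMime;
  if (bytes.length === 0 || bytes.length > MAX_BYTES) throw new UploadRejected("size out of range");
  if (!MAGIC[mime](bytes)) throw new UploadRejected("bytes do not match declared type");
  const stem = sanitizeFilename(name).replace(/\.[^.]*$/, "");
  return `${now}-${stem}.${EXT[mime]}`; // Date.now() prefix avoids path collisions
}
```

The returned key is what the Server Action would pass to Supabase Storage; the extension is derived from the verified type, so a client cannot choose it.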
Environment_Variables
Next.js
Tailwind CSS
Supabase
PostgreSQL
RBAC