My Place Cigar Lounge

// decisions

• One Next.js app for marketing + member portal + admin

  Could have shipped a separate static marketing site and a separate authenticated app. Instead one codebase serves public marketing routes, the auth-gated member dashboard, and the owner admin panel — shared components, shared design tokens, one deploy pipeline. Saves the ongoing tax of cross-app drift; trade-off is slightly larger first-load JS on public pages.

• Supabase + Auth.js instead of rolling auth

  Members-only feature was the riskiest scope. Supabase + Auth.js give me battle-tested auth, RBAC, and a Postgres I can query in 5 minutes, instead of a 2-week detour into JWT and session management. The cost is a $25/month line item; the saved week paid for years of that subscription.

• Three-tier RBAC (owner / admin / member) enforced server-side

  Easy approach: client-side role checks. Correct approach: middleware that gates every API route and page on role, with the client UI as a UX hint only. Worth the extra hour up front because the alternative — finding out a member can hit an admin endpoint — is a production incident.

• Test discipline: Vitest + Playwright + RLS policy tests

  Vitest covers auth helpers, RBAC role-resolution, and content schemas. Playwright runs an E2E pass on the public marketing site plus an authenticated flow for the member dashboard and admin actions. Supabase Row-Level-Security policies have a dedicated test suite that spawns service-role and user-role clients to assert every policy actually denies what it claims to. Lighthouse mobile ≥ 95 + axe-core zero-violation block the merge on every PR.

// highlights

• ✓Public marketing site with dark elegant theme — black, gold, serif typography
• ✓Authenticated member area — dashboard, cigar profile, directory, messaging
• ✓Full admin panel — members, events, RSVPs, invites, announcements
• ✓Role-based access control with owner / admin / member tiers