Building Today's Stash: A Full Stack Local Deals Platform

Supabase Auth with Multi Provider Support

• Email OTP Users sign in with a one time password sent to their email, handled natively through Supabase's signInWithOtp and verifyOtp flows.
• Phone OTP (Australian) A custom backend flow (/api/auth/start, /api/auth/verify) calls Twilio Verify directly. All phone numbers are strictly normalised to E.164 Australian format (+614xxxxxxxx) to prevent duplicate accounts and ensure carrier compatibility.
• Google OAuth Fully branded with the app name and logo in the Google Cloud Console OAuth consent screen. The production domain (todaysstash.com.au) is whitelisted in both Google Cloud and Supabase redirect configuration.
• Apple OAuth Integrates with Apple's private relay email system. Resend is configured with the production domain to ensure verification emails reach Apple relay addresses.

Identity Linking and Unlinking

Middleware Level Route Protection

• Creates a Supabase server client with cookie based session management.
• Validates the user's session on every route.
• Checks for email confirmation or phone confirmation status.
• Redirects unverified users to a verification page while allowing auth related routes to pass through.
• Uses a mutable response pattern to synchronise refreshed session tokens across the request lifecycle via setAll().

Row Level Security (RLS)

• profiles Users can only read and update their own profile record (user_id = auth.uid()). Admins get full access.
• notification_preferences Restricted to the record owner, with a unique constraint on (user_id, merchant_id) to prevent duplicates.
• applications Anonymous users can INSERT (for the public merchant registration form), but only admins can SELECT.
• verification_codes Fully locked down to admin/service role only. Consumer access is handled through SECURITY DEFINER RPC functions.
• merchants Owners can update their own records (matched through their profile's merchant_id), while admins retain full management access.

Security Definer Functions

Additional Security Measures

• View Security The legacy public.me security definer view was completely dropped to eliminate critical security warnings. public.success_stories_view uses security_invoker = true to ensure RLS is checked against the calling user.
• Idempotent Migrations All security migrations use the DROP POLICY IF EXISTS / CREATE POLICY pattern, allowing migration scripts to be re run safely.
• Leaked Password Protection Supabase's built in leaked password protection is enabled, blocking users from selecting commonly compromised passwords.

Core Tables

• profiles Extends auth.users with role, subscription plan, subscribed towns (stored as a text[] array for efficient filtering), notification preferences, strike counts, and suspension status.
• towns Geographic areas with image support. Towns can be free or subscription gated.
• merchants Business entities linked to towns, with operating hours stored as JSONB, branding assets (logo and banner URLs), street addresses, and a randomly generated 6 digit merchant PIN for in person redemptions.
• offers The deals themselves. Pricing uses integer cents (price_cents, original_price_cents) to avoid floating point rounding errors, a critical detail for financial accuracy. Scheduling uses a dual system: valid_from/valid_until for campaign level validity and recurring_schedule (JSONB array) for weekly time slots.
• reservations Tracks user commitments with a status lifecycle: pending, redeemed, missed, or cancelled.
• redemptions Records of completed deal uses, linked to both users and optional reservations.
• applications Public merchant lead capture with nullable user_id for anonymous submissions.
• notification_preferences Granular per merchant notification settings with unique constraints and automated timestamp triggers.

Pricing in Cents

The Problem

The Solution: reserve_offer RPC with Row Locking

1. 1Authentication Check. Verifies the calling user via auth.uid().
2. 2Suspension Check. Queries the profiles table to ensure the user is not suspended.
3. 3Daily Limit Enforcement. Checks for existing reservations on the same Sydney timezone calendar day, ignoring cancelled ones.
4. 4Row Lock. Locks the offers row with FOR UPDATE to prevent concurrent modifications.
5. 5Stock Validation. Verifies redeemed_count < total_limit.
6. 6Reservation Creation. Inserts a pending reservation.
7. 7Immediate Stock Decrement. Increments redeemed_count at reservation time (not redemption time) to hold the spot.

The Strike System

• No Show Detection The check_missed_reservations() function runs on an hourly pg_cron schedule. It identifies pending reservations where the slot time has passed by more than 12 hours and marks them as missed.
• Strike Issuance Each missed reservation increments profiles.strikes.
• Automatic Suspension At 3 strikes, profiles.is_suspended is set to true, blocking the user from all reservation and redemption activities.
• Admin Override Administrators can lift suspensions via the admin_lift_suspension RPC, which is gated to the admin role and resets both strikes and the suspension flag.

Frontend Implementation

• Date Selection A pill based button grid showing the next 7 days, filtered to only days that match the deal's recurring_schedule.
• Time Slots Generated in 30 minute increments within the deal's operating window, with past times filtered out for same day bookings.
• 12 Hour Format All times are converted from 24 hour internal format to user friendly 12 hour display.
• Suspension Handling If the RPC fails due to a suspended account, the modal captures the specific error code and displays a user friendly "Account Suspended" message.

How It Works

1. 1The merchant describes their deal in natural language (e.g., "Tuesday morning coffee special" or "Happy hour 4 to 6pm craft beers").
2. 2The system sends this to the OpenAI API, which generates three creative deal concepts, each with a marketing optimised title, compelling description, and inferred scheduling data.
3. 3The AI processes time related language intelligently: "Mornings" maps to open to 11:00 AM, "Afternoon" maps to 1:00 PM to 5:00 PM, "Evening" maps to 5:00 PM to close. Abstract tokens like open and close are resolved against the merchant’s actual operating hours.
4. 4The merchant reviews three consumer aligned previews rendered in a high fidelity CouponPreview component that mirrors the exact styling of the live deal cards.
5. 5The merchant selects their preferred concept, adjusts pricing (which the AI never touches; pricing authority stays with the merchant), and publishes.

Architecture

Verification Flow

• Phone Uses Twilio Programmable SMS to deliver a 6 digit OTP. The number is stored in pending_phone during verification and only moved to the active phone column after successful code entry. Phone numbers are deduplicated across the entire user base using E.164 normalisation with multiple format variations.
• Email Uses Resend to deliver a 6 digit OTP. Upon successful verification, the system also updates the user's primary email in auth.users via the Supabase Admin API to keep authentication and profile data synchronised.

Deal Alert Broadcasting

Carrier Compliance (Hard Opt Out)

Performance Optimisation (N+1 Prevention)

TGTG Inspired Design

• Hero Images Fixed 192px height for layout consistency.
• Physical Card Textures Applied as background layers with independent opacity and zoom control via CSS variables.
• Scalloped Edges CSS mask gradient to simulate physical tear off coupons.
• Dynamic Status Badges Strict visual hierarchy: Closed Business > Sold Out > Expired > Active > Starting Today > Tomorrow.
• Smart Countdown Timers 60 second refresh intervals, showing "Expires in 2h 15m" or "Active in 42m" with pulse animations on state changes.

Sophisticated Availability Logic

Feed Filtering and Sorting

• Near Term Visibility Policy Only shows deals active today or scheduled for tomorrow.
• Dynamic Sort Hierarchy Available Now (Rank 1) > Coming Soon (Rank 2) > Tomorrow (Rank 3) > Sold Out (Rank 4) > Expired (Rank 5) > Closed Business (Rank 10).
• Hybrid Filter UI Persistent "All Deals" and "My Towns" pill tabs with a dropdown for specific town selection.
• Daily Redemption Quotas Each user limited to one redemption per deal per calendar day, resetting at midnight AEST.

• Main Feed (8 columns) Performance stats, active deals with split "Edit" and "Restock" actions, expired deals with a "Re use" template button, and a 50 entry redemption ledger.
• Context Sidebar (4 columns) Venue settings (operating hours, banner upload, address), QR poster generation, and quick actions.
• Inventory Restocking Instead of requiring merchants to calculate total limits manually, the "Restock" feature asks for the desired remaining quantity. The system computes new total_limit = current redemptions + desired remaining, instantly reactivating sold out deals.
• PIN Based and QR Based Redemption Both methods flow through secure RPC functions that validate authentication, check stock limits, link to existing reservations, and record the savings amount.

• Town Management Create and configure geographic areas.
• Application Review Monitor incoming merchant applications with status tracking (Unread, Read, Pending, Approved, Denied).
• Global Deals Table Scheduling aware validity display that calculates and shows "Scheduled" days for recurring deals and "Today Only" status for one off promotions.
• No Deal Backdoors All deal creation and merchant injection code has been excised from the admin panel. The components were physically deleted from the codebase, not just hidden. This ensures absolute sovereignty for merchants over their own data.

1. 1Public Lead Form (/venue register). Anyone can submit a business application without creating an account. No OTP verification required. RLS allows anonymous inserts.
2. 2Admin Review. Applications appear in the admin dashboard as "unread" leads.
3. 3Manual Outreach. The sales team contacts applicants offline to verify legitimacy and discuss terms.
4. 4Developer Activation. Only after manual approval is the merchant record created and linked to a user account.
5. 5Dashboard Access. The business owner logs in to access the full merchant dashboard.

• Large text (minimum 16px) and high contrast styling throughout.
• Generous touch targets for all interactive elements.
• Card based method selection instead of tiny radio buttons.
• Inline verification flows with clear step by step progression.
• Name editing with character limits (20 chars), title case enforcement, and number filtering.
• Pre verified identity matching: if a user's profile email matches their authenticated session email, email_verified is automatically set to true.
• Silent background refresh using window.focus event listeners to keep data current without disruptive loading states.

• Local development with npm run dev (bindable to 0.0.0.0 for network wide mobile testing).
• Schema sync via npx supabase db push to apply local migrations to production.
• Production build verified locally with npm run build before pushing.
• Git based deployment; pushing to main triggers automatic Vercel builds.
• Environment variable management through Vercel's project settings (Supabase URL/keys, Twilio credentials, Resend API key, app URL).
• Post deployment verification covers authentication flows, data fetching, merchant dashboard access, and notification delivery.