| Component | Technology | Responsibility |
|---|---|---|
| Reverse Proxy | Nginx | SSL termination, load balancing |
| REST API | NestJS | HTTP endpoints, business logic |
| WebSocket Gateway | Socket.io | Real-time chat, presence |
| Message Queue | RabbitMQ | Async message delivery between clients |
| Cache | Redis | Cache layer, rate limiting, session |
| Database | PostgreSQL | Primary data store |
Core authentication system with stateless JWT access tokens and database-stored refresh tokens.
- Project scaffolding (NestJS, Drizzle, Docker)
- Email service (SMTP)
- OTP generation and verification
- JWT access tokens
- Refresh tokens (hashed, 90-day expiry)
- JWT Guard decorator
- Token rotation on refresh
- Seeder for locations
- Swagger setup
- API versioning
- Factory methods for integration tests
-
POST /auth/refreshendpoint -
POST /auth/logoutendpoint
- Global Exception Filter
- Image upload service
- NSFW filtering
Access Token: JWT, stateless
Refresh Token: Opaque string, hashed in DB, 90-day expiry
User identity and preferences system. Foundation for matching algorithm.
- Profile schema
- Profile CRUD endpoints
- Preferences schema
- Preferences CRUD endpoints
Property posting system with geospatial search capability.
- Posting schema based on location
- Posting create/updated CRUD endpoints
- Posting image update CRUD endpoints
- Posting delete/posting_status
- Pagination (posting lists)
- Location endpoint for getting neighborhoodsID
- Search and Filtering endpoints for lists
- Pagination GET bookmarks
- Preventing multiple postings in the same location
- Bookmark feature and count of it for posts
- Posting status (active/inactive/rented)
- Max postings constraint
Swipe-based discovery system with mutual matching.
-
swipestable -
matchestable -
POST /swipesendpoint -
GET /matchesendpoint (list matches) -
DELETE /matches/:idendpoint (unmatch)
-
GET /feedendpoint - Location-based filtering
- Gender preference filtering
- Budget/lifestyle preference filtering
- Exclude swiped profiles
- Exclude blocked users (bidirectional)
- Basic scoring system:
- Location match
- Preference compatibility
- Profile popularity
- Recent activity
- ORDER BY score logic
- Shuffle algorithm
- Redis cache for feed sets
- Query indexes on swipes table
- Archive old swipes (>3 months)
- Track swipe behavior (view duration, time to decision)
- Track match quality (unmatch rate, time to unmatch)
- Self-swipe prevention
- Duplicate swipe prevention
- Race condition on match creation
- Deleted/blocked user handling
- Re-match after unmatch
Phase 1: Location + basic filters
Phase 2: + Lifestyle preference scoring
Phase 3: + Collaborative filtering (Apache AGE extension?)
Phase 4: + ML recommendations (future)
End-to-end encrypted peer-to-peer messaging via WebSocket.
- WebSocket Gateway (Socket.io)
- JWT auth on connection
- Conversation per match or postings
- RabbitMQ integration
- E2EE implementation
- Offline message queue
- Temporary stored messages strategy
Messages are encrypted on sender's device and decrypted on receiver's device. Server only stores encrypted data it cannot read.
Key Exchange: Diffie-Hellman
Flow:
1. Users match → exchange encryption keys
2. Sender encrypts message on their phone
3. Server stores encrypted message (until it is delivered e.g. for offline users)
4. Receiver decrypts on their phone
Push notifications for matches and messages when users are offline.
-
user_devicestable (device_token, platform, user_id) -
notificationstable (user_id, type, title, body, read_at, created_at) -
POST /devices/registerendpoint -
GET /notificationsendpoint -
PUT /notifications/:id/readendpoint - RabbitMQ notification consumer
- FCM integration (Android push)
- APNs integration (iOS push)
- Firebase project setup
- APNs certificate setup
- Rate limiting (max 5 push/day per user)
- Auto-delete notifications older than 30 days
- New match (when offline)
- New message (when offline)
User safety features and abuse prevention.
- Block/unblock user endpoint
- Rate limiting (Redis)
- Bot prevention
Layer 1 - Nginx: IP-based throttling
Layer 2 - Redis: User-based limits
Layer 3 - App: Endpoint-specific limits
Limits:
├── Auth: 5 OTP requests/hour/email
Location services for postings and discovery.
- Geocoding service
- Reverse geocoding
Production deployment and DevOps setup.
- Docker Compose production config
- Nginx SSL configuration (Let's Encrypt)
- GitHub Actions CI
- GitHub Actions CD
- Health check endpoints
- Structured logging
- Backup strategy (cron)
services:
api: NestJS application
postgres: PostgreSQL
redis: Cache + Rate limiting
rabbitmq: Message queue
nginx: Reverse proxy + SSL
Optimization and caching strategies.
- Move refresh tokens to Redis
- Connection pooling
- Response caching