Auditing an Entire Next.js App: 27 Issues Found, 26 Fixed
Full security and reliability audit of a Next.js 16 + Prisma + Stripe app — IDOR, session validation, webhook transactions, and 23 more fixes.
The Definitive Guide to Dopemail Campaigns
Complete technical reference for the Dopemail campaign system — every model, flow, job, and third-party integration from draft to delivered.
The Trailing Space That Broke User Invites
A trailing space in an email field cascaded through Devise callbacks, silent ActiveRecord failures, and a DB unique constraint to break user invites.
Building the "Your DOPE Team" Contact Modal — From Design to Polish
Building a self-service contact modal with avatars, calendar links, and graceful fallbacks — plus lessons on Rails serialization gotchas and async state semantics.
Skip CC vs credit_card_bypass — Two Paths to No Credit Card
A deep dive into the two mechanisms that let Dopemail users operate without a credit card, how they differ, and where the gaps are.
The Race Condition Hiding in the Signup Flow
Adding a simple ?plan=free URL param uncovered a timing bug between async component wrappers and auth guards.
When Users Can't Reset Their Passwords: Building Redundant Delivery Channels
Adding SMS and admin-copyable reset links to a Rails + React app after email delivery proved unreliable. A deep dive into Devise token mechanics, deferred persistence patterns, and the small decisions that prevent security bugs.
Deep-Diving Into the New Home Buyers Feature: An Architecture Audit
A comprehensive audit of a real estate data integration feature — from MongoDB pipelines to SQL injection risks, with 20+ findings across backend, frontend, and infrastructure.
Following the Money: How Dopemail Handles Refunds (Spoiler — It Doesn't Touch Stripe)
A full audit of refund handling across a Rails + React direct mail platform — turns out, Stripe refunds don't exist. It's all credits.
The Invisible Character That Broke Our CRM Import
A null byte hiding in CRM data survived MongoDB but crashed PostgreSQL — fixed with defense-in-depth sanitization on both sides of the pipeline.
When 404 Means "Reload Everything Forever"
Debugging an infinite reload loop caused by a 404 response triggering a full query reload that remounted the polling component.
The 2AM Cron That Didn't Exist — A DST Debugging Story
Our nightly mail batch skipped a day. The culprit? Daylight Saving Time erased the 2:00 AM hour, and the cron job with it.