Wallet Management System
Solo full-stack project — a digital wallet with MongoDB transactions, RBAC, and a senior-level security decision to remove OAuth for a financial app.

Overview
The Wallet Management System is a solo full-stack digital wallet application demonstrating financial-domain modeling with MongoDB transactions. The backend exposes a robust REST API with role-based access control (USER / AGENT / ADMIN / SUPER_ADMIN), agent commission tracking, configurable fees, and virtual/physical card management. The frontend is a React 19 + Vite SPA with Redux Toolkit + RTK Query.
A senior-level security decision I made and documented: I deliberately removed Google/Facebook OAuth from a financial app. The reasoning — OAuth introduces dependency on external providers (outages = locked-out users), complicates account recovery (which provider owns this account?), expands the attack surface (token leaks, callback hijacking), and creates a fuzzier threat model. For a wallet handling real money, the simpler password + JWT rotation + email verification flow is the safer choice.
The frontend showcases a token refresh queue — when multiple RTK Query mutations fire simultaneously and the access token has expired, only the first refresh request goes through; the rest queue and replay once the new token arrives. This prevents the "race condition" where multiple refreshes invalidate each other (since each refresh rotates the refresh token, invalidating the previous one).
I also shipped one-click demo login for portfolio reviewers — three buttons (User / Agent / Admin) that auto-fill seeded demo credentials, so reviewers don't need to remember logins.
Highlights
- 01Solo full-stack build — MongoDB ACID transactions for send-money / cash-in / cash-out / withdrawals, with agent commission tracking and configurable fees.
- 02Granular RBAC (USER / AGENT / ADMIN / SUPER_ADMIN) + JWT access/refresh token rotation with Redis-backed blacklisting.
- 03Deliberate security decision: removed OAuth for this financial app (documented reasoning — reduces external-provider dependency, account-recovery complexity, and attack surface).
- 04Frontend token refresh queue prevents concurrent-refresh race conditions; one-click demo login (User/Agent/Admin) for portfolio reviewers.
Key Features
- JWT auth with access/refresh token rotation + email verification + password reset
- RBAC: USER / AGENT / ADMIN / SUPER_ADMIN
- Wallet management (create, balance tracking, block/unblock, agent cash-in/out)
- Transactions: send money, cash-in, cash-out, withdrawals with MongoDB transactions
- Service purchases with 1.5% transaction fee (fee → system wallet)
- Agent commission tracking + agent dashboard (balance, total commission, success rate)
- Service management CRUD with search/filter/rating-sort/pagination
- Virtual and physical card management (copy, freeze/unfreeze)
- System configuration (configurable fees, agent commission rate, daily/monthly limits)
- User management (profile, admin creation, agent approval/suspension)
- Token refresh queue on the client (prevents concurrent refresh race conditions)
- One-click demo login (User / Agent / Admin via env-configured credentials)
- Light/dark/system theme with persisted preference
- Mobile-responsive with collapsible sidebar
- Animated charts (income/expense area chart, animated counter stat cards)
- Deliberate removal of OAuth for financial-app security (documented reasoning)
Challenges Faced
Future Improvements & Plans
- Add Prometheus metrics and observability (currently lean — only basic logging).
- Implement webhook-based reconciliation for an actual payment gateway integration.
- Add two-factor authentication (TOTP) for high-value transactions.
- Build a transaction dispute and refund workflow.
- Migrate to PostgreSQL for stricter consistency guarantees on financial data.
- Add a public-facing landing page describing the wallet product.
Interested in this project?
Check out the code, try the live demo, or get in touch to discuss similar work.