System architecture
The platform consists of three main layers:Frontend layer
React-based SPA with Vite and Tailwind CSS
Backend layer
Express.js REST API with JWT authentication
Database layer
MongoDB with Mongoose ODM
Communication flow
All client-server communication happens through REST APIs with JSON payloads:Core design principles
Role-based access control
The system supports three user roles with distinct permissions:- Student/Faculty: Browse stores, place orders, track deliveries
- Store Employee: Manage menu, process orders, verify OTP pickups
- System: Automated tasks like order timeouts and no-show tracking
authenticate middleware verifies tokens on protected routes (backend/src/middleware/auth.js:5).
Authorization checks use the
authorize(...roles) middleware to restrict endpoints by role (backend/src/middleware/auth.js:49).Data flow patterns
CampusBite implements several key data flow patterns:Authentication flow
Authentication flow
- User submits credentials to
/api/auth/login - Backend validates credentials and generates JWT access + refresh tokens
- Frontend stores tokens in localStorage
- Axios interceptor attaches JWT to all subsequent requests
- On 401 response, interceptor automatically refreshes token
- If refresh fails, user is redirected to login
Order placement flow
Order placement flow
- Customer adds items to cart (stored in React Context)
- On checkout, frontend sends POST to
/api/orders - Backend creates order with
pendingpayment status - System generates UPI deep link for payment
- Customer pays via UPI app
- Store employee manually confirms payment
- Order progresses through states: placed → accepted → processing → ready
- OTP generated when order marked ready
- Customer shows OTP for pickup verification
Real-time updates
Real-time updates
The system uses two mechanisms for real-time updates:
- HTTP polling: Frontend polls
/api/orders/:id/poll-statusevery 3 seconds for order status updates - Server-Sent Events (SSE): Stores receive SSE notifications at
/api/notificationsfor new orders
Security measures
The backend implements multiple security layers:Helmet.js
Sets security-related HTTP headers
CORS
Restricts origins to configured frontend URLs
Rate limiting
Three-tier strategy: global, auth, and per-user order limits
JWT tokens
Access tokens (1h) + refresh tokens (7d) with auto-refresh
Rate limiting uses a campus-aware strategy with high IP limits (3000 req/15min) since all students share a few NAT-ted campus WiFi IPs. Individual abuse is caught via user-keyed order limits (backend/src/index.js:84).
Campus-specific features
OTP-based pickup verification
To prevent order fraud, CampusBite generates a 6-digit OTP when orders are marked ready. The customer must show this OTP to the store for pickup verification.No-show tracking
The system tracks customers who don’t pick up ready orders:- Orders have a pickup window (30 minutes by default)
- If not picked up, customer’s
no_show_countincrements - After 3 no-shows, user is restricted from ordering temporarily
- Trust tiers:
good→watch→restricted
UPI payment integration
India-specific payment flow using UPI deep links:- Backend generates payment links for GPay, PhonePe, Paytm, BHIM
- Links open native UPI apps on mobile devices
- Store manually confirms payment receipt (no payment gateway integration)
Deployment architecture
CampusBite supports multiple deployment configurations:Development mode
/api requests to the backend automatically.
Production mode
The backend serves the built frontend as static files:For production deployments with file uploads, mount a persistent volume at
/data/uploads to prevent uploaded images from disappearing on container restarts.Next steps
Tech stack
Explore the technologies and dependencies used
Project structure
Understand the codebase organization