Aquatravel.md

Technology stack

• Next.js 16 (App Router, Turbopack), React 19, TypeScript
• Tailwind CSS v4, Framer Motion (animations across 34 pages), lucide-react
• MongoDB + Mongoose (6 models), NextAuth v5 (Credentials + JWT)
• Node.js + PM2, Nginx (reverse proxy, HTTPS), Let’s Encrypt, Sharp

Security

A carefully designed set of production-grade protective measures.

• Protection against NoSQL injection — strict normalization of all input (lib/sanitize), stripping out objects like {$ne:null}
• 2FA/TOTP — a custom RFC 6238 implementation on Node crypto (base32, HOTP/TOTP, timingSafeEqual), the secret stored in the DB encrypted with AES-256-GCM, QR for enrollment
• bcrypt for passwords; recovery via a one-time token (only the SHA-256 hash kept in the DB, 1-hour TTL, identical response regardless of whether the email exists)
• Rate limiting on login/registration/orders/password reset; server-side recalculation of the order total
• HTTP security headers: HSTS preload, X-Frame-Options, CSP (frame-ancestors / base-uri / object-src / form-action), X-Powered-By disabled
• Role-based model (requireAdmin on the layout and on every mutating API endpoint), file-upload validation, DKIM signing of emails

SEO

• Dynamic sitemap.xml (static pages + tours from the DB) and robots.txt (/admin, /api and account sections disallowed)
• Centralized metadata (canonical, Open Graph, Twitter Cards), JSON-LD TravelAgency
• PWA manifest, apple-icon, LCP optimization (preconnect, next/image, WebP)
• Unique SEO copy for each section

Multilingual (i18n)

• 3 languages: Russian, English, Romanian — with a switcher that remembers the choice
• Tour content stored in the DB as multilingual tuples {ru, en, ro}
• Localized interface, order statuses, tour categories/difficulty and all emails

User-facing features

• Tour catalogue with filters, detail pages, routes, fleet, gallery, reviews, corporate tours
• Cart and checkout: tours, certificates, merch (t-shirts, caps) with options
• Gift certificates and merch as a full-fledged mini-store, booking with date and party-size selection
• Account area: order history and statuses, profile, enabling/disabling 2FA

Integrations

• A custom mail server (Postfix + OpenDKIM) — no third-party SaaS
• Transactional emails with a branded responsive HTML template in the user’s language (registration, order, status change, password reset)
• QR-code generation for 2FA, two payment methods (cash / card)

Admin panel

• Dashboard with analytics: orders and revenue by day/week/month/all time, users, tours, merch stock
• Tour CRUD (multilingual) with image upload and optimization, merch management
• Orders — status changes with an automatic email to the customer; gallery manager
• Built-in admin guide and a human-readable security audit

Design and infrastructure

• An original visual style on a water/nature theme (green, sand, orange), cinematic hero sections built with Framer Motion
• Unified brand components (Header, Footer, PageHero, TourCard), with the brand style carried into the emails
• Production server: PM2, Nginx, HTTPS (Let’s Encrypt), the mail.aquatravel.md subdomain
• Scripts for migration, seeding, OG-image/favicon generation and batch media optimization