Shamratha G

All Projects
Full-Stack

CollabBoard — Real-Time Project Board

A collaborative, real-time project board — a mini Linear/Trello where multiple people work on the same board at once. Lists, cards, and drag-and-drop reorders appear instantly for every viewer over Socket.io, every action lands in a live activity feed, and simultaneous edits are reconciled with optimistic concurrency control instead of silently clobbering each other. Backed by 55 passing server tests.

React Node.js Express MongoDB Socket.io Tailwind CSS

Problem Statement

  • Collaboration tools live or die on sync — polling feels sluggish, but naive socket broadcasting lets clients drift out of sync with the database.
  • Two people editing the same card at once will silently overwrite each other unless the server detects and surfaces the conflict.
  • Reordering cards by re-indexing every sibling costs O(n) writes per drag — ordering needs a smarter scheme.
  • Auth tokens readable by page JavaScript are an XSS liability; sessions need to work without localStorage.

System Overview

React SPA (Vite)REST API (rate limit · Zod · RBAC)MongoDB commitSocket.io room broadcastall clients reconcile
  • React + Vite SPA with @dnd-kit drag-and-drop, axios over an httpOnly cookie, and a shared socket.io-client
  • Express REST API with rate limiting, Zod validation, requireAuth, and per-board RBAC middleware in front of controllers
  • MongoDB as the single source of truth — User, Board, List, Card, and Activity models; a whole board loads in one indexed query
  • Socket.io with JWT-authenticated handshakes and per-board rooms; controllers emit change events only after the DB commit
  • Optional Redis pub/sub adapter fans broadcasts out across multiple server instances
  • npm-workspaces monorepo; production runs as one Render service serving API and built SPA on a single origin

What I Built

  • Full MERN board app: boards, lists, and cards with drag-and-drop, owner/member RBAC, and JWT auth stored in an httpOnly SameSite cookie (XSS-safe).
  • “Commit then broadcast” real-time sync: REST mutations commit to MongoDB first, then emit to the board's Socket.io room; clients apply events idempotently by id so every viewer converges on server state.
  • Optimistic concurrency control: every card carries a version; a stale edit gets HTTP 409 and a merge prompt (keep theirs / overwrite) instead of silently clobbering.
  • Fractional-position ordering — moving a card writes one float (the midpoint of its neighbors) and never re-indexes siblings.
  • Durable live activity history per board with cursor pagination, streamed into a slide-in History panel in real time.
  • Production hardening: Zod validation on every mutating request, per-IP rate limiting on auth routes, transactional cascade deletes, and a Redis pub/sub adapter for multi-instance Socket.io.
  • Reconnect resync: on socket reconnect the client re-joins the room and re-fetches board + history, so events missed while offline are recovered.
  • 55 passing server tests across auth, boards/RBAC, lists/cards, conflicts, activity, cookie sessions, validation, and pagination.

Key Decisions & Tradeoffs

  • Sockets carry notifications of committed changes, never the writes themselves — the REST layer stays the single source of truth.
  • Content edits use version-checked optimistic concurrency, but card moves are deliberately last-writer-wins — the right semantics for reordering.
  • JWT lives in an httpOnly cookie rather than localStorage, trading CORS/credentials setup for XSS safety; bearer headers still accepted for API and test clients.
  • Float positions instead of integer indexes make every drag-and-drop reorder an O(1) write.
  • Production runs as a single Render service serving both API and built SPA, keeping the auth cookie first-party on one origin.

Why It Matters

Real-time collaboration is where most CRUD apps fall apart. This one demonstrates the hard parts done right — convergence without desync, conflicts surfaced instead of swallowed, and security hardening that survives more than a demo.

What I'd Improve Next

  • Member-invite UI — the API exists, the front-end is pending
  • Password reset and email verification flows
  • Refresh-token rotation for longer-lived sessions
  • Presence indicators (who's viewing the board right now) on top of the existing socket rooms
  • Card comments and attachments to widen the collaboration surface