TheSkinProof — Multi-vendor eCommerce platform
Bangladesh's first verified skincare marketplace — 124 API endpoints, 26 database tables, 779 tests passing, 4 distinct portals, and a verification-first product pipeline built from scratch with QA-first engineering.
Challenge
Bangladesh's online skincare market is flooded with counterfeit and expired products — an estimated 30-40% of products sold online in South Asia are fake, posing serious health risks. Existing marketplaces treat skincare like any other product with no invoice verification, no batch tracking, and no expiry monitoring. Building a multi-vendor skincare marketplace required handling complex vendor onboarding, product catalog management with variants, independent vendor dashboards with real-time order routing, commission calculations, and a unified checkout — all while maintaining data integrity, preventing cross-vendor data leaks, and solving the COD fraud problem that plagues Bangladesh's e-commerce.
Solution
We architected TheSkinProof as a verification-first multi-vendor marketplace with four distinct portals (Buyer, Seller, Admin with 30+ pages, Warehouse). The core Product Verification Pipeline requires every listing to pass invoice checks, Certificate of Analysis (COA) validation, batch tracking, and expiry monitoring before going live. An AI-powered 8-question Skin Quiz generates personalized product recommendations with match-score explanations (90% test coverage). The platform features row-level security for vendor isolation, an automated commission engine (15% default, configurable per-vendor), real-time order splitting and routing, multi-signal fraud detection with a 0-100 risk scoring system, granular RBAC with 15+ permission modules and 50+ discrete actions, and full Bangladesh localization with bKash/Nagad/SSLCommerz payments and Pathao courier integration.
Result
Delivered a production-grade platform with 124 RESTful API endpoints, 26 database tables, 779 passing tests across 37 test suites, 75+ React components, and 45+ page-level views. The system handles multi-vendor checkout with zero data cross-contamination, processes commission splits in real-time, and maintains sub-200ms API response times under load. Security architecture includes OTP-based login with HMAC-SHA256 signed cookies, Redis-backed sliding-window rate limiting (8 presets), auto-logout with inactivity detection, and immutable audit trails. The architecture has been validated to scale to 100+ vendors without schema changes.
Technical Architecture
- Row-level security for vendor isolation.
- Verification-first product pipeline with admin review queue.
- AI skin quiz with 5-stage scoring algorithm.
- Event-driven order routing with idempotent processing.
- Commission engine with configurable rate tiers.
- Multi-signal fraud detection (velocity abuse, name mismatch, rapid-fire orders, high-value guest COD) with COD eligibility engine.
- HMAC-SHA256 session auth with nonces.
- Redis sliding-window rate limiting with 8 presets.
- Faceted search using PostgreSQL full-text search with tsvector indexes.
- Cart system supporting items from multiple vendors with split-payment logic.
- Zustand 5 for 6 persistent client stores.
- FIFO warehouse batch allocation with expiry tracking.
Problem Statement
Bangladesh's skincare market has grown rapidly, but online platforms have failed to keep pace with consumer trust expectations.
Counterfeit Products
An estimated 30-40% of skincare products sold online in South Asia are counterfeit or expired, posing serious health risks.
No Verification Standard
Existing marketplaces treat skincare like any other product — no invoice verification, no batch tracking, no expiry monitoring.
Decision Paralysis
Consumers struggle to choose products suited to their specific skin type and concerns without professional guidance.
COD Fraud
Cash-on-delivery orders are plagued by velocity abuse, fake names, and rapid-fire ordering that create significant operational losses.
Key Features Deep Dive
Purpose-built systems designed for Bangladesh's skincare market — from verification pipelines to AI-powered recommendations.
Product Verification Pipeline
Every product undergoes invoice checks, Certificate of Analysis (COA) validation, batch tracking, and expiry monitoring before going live. Admin review queue with approve/reject workflow.
AI-Powered Skin Quiz
8-question quiz generating complete skin profiles and personalized product recommendations with match-score explanations. 90% test coverage on the scoring engine.
Fraud Detection & COD Risk
Multi-signal fraud detection: velocity abuse (5+ orders/24h), name mismatch, rapid-fire orders, high-value guest COD. Risk scoring 0-100, blocks COD above 75.
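The four signals and the 0-100 score described above, as an added TypeScript example that is not TheSkinProof's own code; the per-signal weights, the BDT 5,000 high-value line and the 5-minute rapid-fire window are assumptions, while the 5 orders / 24 h velocity rule and the block-above-75 threshold are the page's:

```typescript
// Added example, not TheSkinProof's own code: combines the four fraud signals
// the page names into a 0-100 COD risk score and blocks COD above 75.
// The per-signal weights, the BDT 5,000 high-value line and the 5-minute
// rapid-fire window are assumptions; the 5 orders / 24 h velocity rule is the page's.

export interface OrderContext {
  customerName: string;            // name typed at checkout
  accountName: string | null;      // registered account name, null for guests
  isGuest: boolean;
  totalBdt: number;                // order total in BDT
  priorOrderTimestamps: number[];  // epoch ms of earlier orders from the same phone/device
  now: number;                     // epoch ms of this order
}

export interface RiskResult {
  score: number;           // 0..100
  signals: string[];       // which rules fired, for the admin audit trail
  codEligible: boolean;    // false when score exceeds the block threshold
}

const COD_BLOCK_THRESHOLD = 75;              // page: blocks COD above 75
const VELOCITY_LIMIT = 5;                    // page: 5+ orders in 24 h
const DAY_MS = 24 * 60 * 60 * 1000;
const RAPID_FIRE_MS = 5 * 60 * 1000;         // assumption
const HIGH_VALUE_BDT = 5000;                 // assumption

const normalizeName = (n: string): string => n.trim().toLowerCase().replace(/\s+/g, " ");

export function scoreCodRisk(o: OrderContext): RiskResult {
  const signals: string[] = [];
  let score = 0;

  // Velocity abuse: count this order plus earlier ones inside the 24 h window.
  const ordersInDay = 1 + o.priorOrderTimestamps.filter(t => o.now - t <= DAY_MS).length;
  if (ordersInDay >= VELOCITY_LIMIT) { score += 40; signals.push(`velocity:${ordersInDay}/24h`); }

  // Rapid-fire: any earlier order inside the short window.
  if (o.priorOrderTimestamps.some(t => o.now - t <= RAPID_FIRE_MS)) { score += 25; signals.push("rapid-fire"); }

  // Name mismatch: checkout name differs from the account name (registered users only).
  if (!o.isGuest && o.accountName !== null && normalizeName(o.accountName) !== normalizeName(o.customerName)) {
    score += 20; signals.push("name-mismatch");
  }

  // High-value guest COD: no account history to fall back on.
  if (o.isGuest && o.totalBdt >= HIGH_VALUE_BDT) { score += 30; signals.push("high-value-guest-cod"); }

  score = Math.min(100, score);
  return { score, signals, codEligible: score <= COD_BLOCK_THRESHOLD };
}
```

The `signals` array is what an admin would see next to the score when reviewing a blocked order.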
Technology Decisions
| Layer | Technology | Rationale |
|---|---|---|
| Framework | Next.js 16 (App Router) | SSR for SEO, API routes colocation |
| Language | TypeScript 5 (strict) | Type safety across 6,500+ lines |
| Database | PostgreSQL 14+ | Relational integrity, UUID, full-text search |
| Cache | Redis 4.7 | Sliding-window rate limiting, session cache |
| State | Zustand 5 | Lightweight persistent stores (6 stores) |
| Payments | bKash + Nagad + SSLCommerz | 95%+ of BD digital payments |
| Courier | Pathao API | Largest courier in Bangladesh |
| Styling | Tailwind CSS v4 | Utility-first, custom design tokens |
Security Architecture
- OTP-based login with 6-digit codes (10-min expiry)
- HMAC-SHA256 signed cookies with nonces
- Redis-backed sliding-window rate limiting (8 presets)
- Auto-logout after 5 min inactivity with warning
- Immutable audit trail on every admin action
- Security headers: CSP, HSTS, X-Frame-Options, etc.
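The HMAC-SHA256 signed cookie with a nonce from the list above, as an added TypeScript example that is not the platform's own code; the `userId.issuedAt.nonce.mac` layout, the 10-minute default max age and treating the nonce as a revocable session id are assumptions:

```typescript
// Added example, not TheSkinProof's own code: an HMAC-SHA256 signed session
// cookie carrying a random nonce, verified with a constant-time comparison.
// The "userId.issuedAt.nonce.mac" layout, the 10-minute default max age and the
// use of the nonce as a revocable session id are assumptions.
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

export interface SessionClaims { userId: string; issuedAt: number; nonce: string; }

// MAC over the exact payload string; base64url keeps the cookie header-safe.
function mac(payload: string, secret: string): string {
  return createHmac("sha256", secret).update(payload).digest("base64url");
}

// userId must not contain "." because "." separates the fields.
export function issueCookie(userId: string, secret: string, now: number,
                            nonce: string = randomBytes(16).toString("hex")): string {
  const payload = `${userId}.${now}.${nonce}`;
  return `${payload}.${mac(payload, secret)}`;
}

// Returns the claims only if the MAC verifies, the cookie is not older than
// maxAgeMs, and the nonce has not been revoked (e.g. by logout); else null.
// revokedNonces stands in for the Redis set a server would consult.
export function verifyCookie(cookie: string, secret: string, now: number,
                             revokedNonces: Set<string>, maxAgeMs = 10 * 60 * 1000): SessionClaims | null {
  const parts = cookie.split(".");
  if (parts.length !== 4) return null;
  const [userId, issuedAtStr, nonce, givenMac] = parts;
  const expected = Buffer.from(mac(`${userId}.${issuedAtStr}.${nonce}`, secret));
  const given = Buffer.from(givenMac);
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const issuedAt = Number(issuedAtStr);
  if (!Number.isInteger(issuedAt) || issuedAt > now || now - issuedAt > maxAgeMs) return null;
  if (revokedNonces.has(nonce)) return null;
  return { userId, issuedAt, nonce };
}
```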
Testing Strategy