Web
SaaS
Lands Authority Platform
Full Stack Engineer — frontend, API routes, auth, Prisma models, and Aspire-local delivery
Enterprise employee time tracking and admin platform for a government / corporate client: Azure AD B2C SSO, punch in/out APIs, RBAC, SQL Server via Prisma, Web Worker timers, and .NET Aspire orchestration.

Overview
Lands Authority is a secure time-tracking and employee management system. Admins manage employees, departments, flags, and reports. Employees punch in/out from a self-service dashboard with an accurate session timer. Identity is Azure AD B2C (government e-ID capable). Data lives in SQL Server through Prisma. Local services run under .NET Aspire.
Problem
The client needed auditable punch in/out, department-level admin controls, and SSO that fits a government identity stack—not a generic timesheet SaaS with weak auth.
Solution
Shipped a Next.js 15 App Router product with authenticated admin and employee areas, NextAuth v4 + Azure AD B2C, Prisma against SQL Server, punch and configuration APIs, cron-driven missed-punch flags, Web Workers for the active timer, and Aspire for container orchestration.
Frontend
Next.js 15 + React 19 App Router UI with separate admin and employee shells, 25+ Tailwind components, and a Web Worker–backed session timer.
Next.js 15
React 19
TypeScript
Tailwind CSS 4
Web Workers
Jest + RTL
- App Router split: (authenticated)/admin for employees, departments, reports, settings; (authenticated)/employee/dashboard for punch and history
- Design system around teal primary (#00A997) with Inter typography and reusable modals, tables, headers, and layouts
- SessionTimer uses a Web Worker so punch duration stays accurate without blocking the main thread
- Client services (adminApiService, punchHistoryService, reportService, etc.) call typed API routes
- Middleware + route-guards.ts enforce admin vs employee access before render
Backend
Next.js API routes + server cron tasks on Prisma/SQL Server, with NextAuth JWT validation on every endpoint.
Next.js Route Handlers
Prisma (SQL Server)
NextAuth.js v4
Azure AD B2C
Cron service
.NET Aspire
- POST /api/punch for punch in/out; configuration, employees, flags, and reports routes for admin operations
- Prisma models: Employee, Role, Department, PunchHistory, WorkingHours, DailyWorkingHours, Configuration, FlagConfiguration, EmployeeFlag, plus NextAuth Account/User
- cronService + tasks auto-flag employees who miss punch confirmations
- DAL under lib/dal and server operations keep query logic out of UI
- Aspire AppHost orchestrates Dockerized SQL Server and the web app for local parity
Modules
Admin · Employees
CRUD for staff profiles, roles, and department assignment
Admin · Departments & flags
Org units plus lateness/absence flag rules and applied flags
Employee · Punch dashboard
Punch in/out, live timer, and punch history
Reports & configuration
Exports/analytics and grace-period / alert configuration
API & integration highlights
- POST /api/punch — punch in/out with session timing
- GET/POST /api/employees — admin employee list and create
- GET/PUT /api/configuration — alert and grace settings
- GET/POST /api/flags — flag configuration
- GET /api/reports — report generation
Challenges
- Wiring NextAuth v4 to Azure AD B2C across admin and employee roles with server route guards
- Punch API design plus accurate client timers via Web Workers
- Cron flags for missed confirmations without blocking interactive UI
- Keeping Prisma SQL Server models aligned with Aspire-local services
Impact
Enterprise SSO for time tracking and admin operations
Clear RBAC separating admin and employee workflows
Reliable punch sessions with isolated timer work
Typed Next.js surface ready to grow with Aspire-backed services
Architecture
Tech
React
Next.js 15
TypeScript
Tailwind CSS 4
Prisma
SQL Server
NextAuth.js v4
Azure AD B2C
Web Workers
.NET Aspire
Jest
Docker