Events BD — event ticketing platform for Bangladesh

Problem

Booking an event in Bangladesh usually means a Facebook post, a bKash number, and a spreadsheet somewhere. Organisers lose money to duplicate sales and no-shows they can't verify at the door. Attendees get a receipt screenshot, not a ticket. The brief was a platform that could handle both sides — discovery and checkout for attendees, hosting and entry control for organisers — on a stack the client could afford to run in-country.

Approach

Two surfaces sharing one API. The attendee side is a Next.js App Router storefront: event discovery by category, event detail pages with live countdowns and seat counts, OTP-based checkout, digital ticket delivery. The organiser side is a host dashboard behind the same auth — event creation, tier pricing, sales reporting, attendee CSV export, door-scan mode.

Went with Express + MongoDB on the backend because the client's ops team already ran Mongo elsewhere and I didn't want to introduce a second database for operational reasons. Redux Toolkit on the client for cart and checkout state — old-school, but it makes the multi-step checkout (tier selection → attendee details → OTP → payment → confirmation) easy to reason about when each step needs to survive a refresh.

UI is Bootstrap 5 + SCSS, not Tailwind. Deliberate: the client wanted a dark purple brand palette they could tweak without touching components, and Bootstrap's variable-driven theming let them own the look through a single _variables.scss override file. Portfolio-me would pick Tailwind; client-me picks the tool that matches the handoff.

Technical deep-dive

• Ticket pipeline. On successful checkout, a background job generates a PDF per ticket with PDFKit, embeds a scannable QR code (qrcode → canvas → PDF), signs the ticket ID with a server secret, and emails the PDFs via Resend. At the door, the organiser app scans the QR, verifies the signature, and atomically marks the ticket as used in a single Mongo update — no double-entry even under flaky venue wifi.
• OTP auth over passwords. Almost every user enters on mobile and doesn't want another password. Login is phone number → 6-digit code (react-otp-input on the client, server-issued code hashed with bcrypt and expired after 5 minutes). Sessions are short-lived JWTs refreshed from a rotating cookie; rate limits are IP + phone-scoped so brute-force costs attackers money they won't spend.
• Event media & cropping. Organisers upload event posters from their phones. react-easy-crop runs client-side so the server only ever sees the final 16:9 crop, which then goes to S3 via a presigned POST. Presigning lets me keep the S3 bucket write-closed to everything except time-boxed one-shot uploads — cheap, and no proxy burden on the Express box.
• Scheduled work. node-cron jobs close sales when an event starts, fire reminder emails 24 hours before, and reconcile payment states for providers that callback late. All jobs are idempotent and re-safe — the instance can crash mid-run and nothing double-sends.
• Hardening. Helmet with a tight CSP, express-rate-limit in front of auth and checkout, Zod validation at every route boundary, Winston with daily rotation so a single bad day doesn't fill the disk.

Outcome

Shipped across six weeks of build + one week of soak. Organisers onboarded in the first week moved their ticketing off Facebook DMs onto the platform without retraining — the OTP-only flow meant no password support tickets on day one. QR entry control replaced the photocopied-list door process; double-entries dropped to zero by design.

Stack & handoff

Next.js 16 frontend, Express + TypeScript API on Node 20, MongoDB Atlas, S3 for media, Resend for transactional email. Everything behind a single reverse proxy. Admin role on the same dashboard for the client's ops team — no separate admin app to maintain.