Inventory Management System

2024 · Full-stack developer (Laravel)


Multi-warehouse inventory with QR codes, roles and per-user isolation in Laravel

  • Laravel 10
  • PHP 8.2
  • Alpine.js
  • Tailwind CSS
  • Cloudinary
  • PHPUnit
  • Docker
  • Multi-tenant: isolated per user
  • Identification: unique QR per product
  • Quality: PHPUnit tests + Pint

The problem

Tracking stock spread across several physical warehouses without scattered spreadsheets: knowing which product exists, where, in what state, and being able to locate it by scanning a label. The target users are small and medium businesses (retail, logistics, depots) where each manager needs their own inventory, isolated from everyone else’s.

Architecture decisions

  • Laravel 10 + Blade + Alpine.js, no heavy SPA. Vite for asset bundling. Just-enough interactivity (filters, scanner) handled with Alpine, without a client framework’s cost.
  • Multi-tenancy by user_id: every query is scoped to the user instead of a schema-per-tenant setup. Simple to reason about and to test.
  • Cloudinary for product images: external storage and CDN, automatic transformations, no load on the app server.
  • Unique QR codes generated on the model’s creating hook, exportable to PNG/SVG and scannable from the browser camera to locate a product instantly.
  • Auth with Passport + Sanctum: OAuth2 tokens with a future mobile client in mind, plus sessions for the web panel.
  • SQLite in development, MySQL/PostgreSQL in production; reproducible deploy with Docker (PHP 8.2 + Apache) and automatic migrations.
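The two decisions above that carry the most security weight are the user_id scoping and the QR generation on the creating hook. The model below is an added example, not the project's own code, showing one way to implement both in Laravel 10: a global scope that fails closed when no user is authenticated, and a creating hook that assigns the owner server-side and generates an unguessable, unique QR payload. It assumes a products table with user_id, warehouse_id, status and qr_code columns (the page names the owner column both user_id and id_user; user_id is used here), plus User, Warehouse and Category models.

```php
<?php
// Added example, not the project's code. Assumes a `products` table with
// `user_id`, `warehouse_id`, `status` and `qr_code` columns, the last one
// carrying a unique index.

namespace App\Models;

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Relations\BelongsTo;
use Illuminate\Database\Eloquent\Relations\BelongsToMany;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Str;
use RuntimeException;

class Product extends Model
{
    // user_id and qr_code are deliberately absent: both are set by the server
    // in the creating hook, never from request input.
    protected $fillable = ['name', 'warehouse_id', 'status'];

    protected static function booted(): void
    {
        // Tenant scope applied to every Product query. It fails closed: with no
        // authenticated user (artisan commands, queued jobs) it matches nothing,
        // so a forgotten context cannot leak every tenant's rows. Such code has
        // to opt out explicitly with Product::withoutGlobalScope('tenant').
        static::addGlobalScope('tenant', function (Builder $query) {
            if (Auth::check()) {
                $query->where($query->getModel()->qualifyColumn('user_id'), Auth::id());
            } else {
                $query->whereRaw('1 = 0');
            }
        });

        static::creating(function (Product $product) {
            // Owner is assigned from the session, never trusted from the client.
            if ($product->user_id === null) {
                if (!Auth::check()) {
                    throw new RuntimeException('Product created without a tenant');
                }
                $product->user_id = Auth::id();
            }

            // Unguessable QR payload (32 random alphanumerics). The collision
            // check must bypass the tenant scope because uniqueness is
            // database-wide; the unique index on qr_code remains the real
            // guarantee against a race between two concurrent inserts.
            do {
                $code = Str::random(32);
            } while (static::withoutGlobalScope('tenant')->where('qr_code', $code)->exists());
            $product->qr_code = $code;
        });
    }

    public function owner(): BelongsTo
    {
        return $this->belongsTo(User::class, 'user_id');
    }

    public function warehouse(): BelongsTo
    {
        return $this->belongsTo(Warehouse::class);
    }

    public function categories(): BelongsToMany
    {
        return $this->belongsToMany(Category::class);
    }
}
```

With this in place, Product::find($id), Product::where(...)->get() and relationship queries are all tenant-filtered without each controller remembering to add the clause; the QR value encodes the random code rather than the numeric id, so a label cannot be guessed from a neighbouring one.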

Data model

Users (with admin or operator role) own products, warehouses and categories. Each product belongs to a warehouse (N:1), is classified into several categories (N:M via a pivot table), has a state (in stock, with incident…), a unique QR and its images on Cloudinary.

Security hardening

The most interesting work wasn’t adding features — it was closing gaps. I documented and fixed a batch of findings:

  • IDOR: edit, detail and status-change queries are scoped by id_user so nobody can reach another user’s products.
  • Cross-tenant contamination: an isolation test (CrossTenantIsolationTest) verifies a user never sees another’s data.
  • Controlled mass assignment ($request->only(...), id_user outside $fillable), rate limiting on login/signup/QR, and token revocation on logout.
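To make the three findings concrete, here is an added example (not the project's code) with two files in one block: a controller that shows the IDOR-prone lookup next to its user-scoped replacement and applies a field whitelist on update, and a CrossTenantIsolationTest in the spirit of the one the page describes. Assumed, not taken from the page: a Product model with a user_id column, Product and User factories, route names products.show, products.update and products.index, and a warehouses table with its own user_id column.

```php
<?php
// Added example, not the project's code. Two files shown in one block.
// Assumes a Product model with a `user_id` column, factories for Product and
// User, and the named routes products.show / products.update / products.index.

// --- app/Http/Controllers/ProductController.php ---
namespace App\Http\Controllers;

use App\Models\Product;
use Illuminate\Http\Request;
use Illuminate\Validation\Rule;

class ProductController extends Controller
{
    // Vulnerable pattern (IDOR): any authenticated user can read any id.
    public function showInsecure(int $id)
    {
        return view('products.show', ['product' => Product::findOrFail($id)]);
    }

    // Fixed: the lookup is constrained to the caller's rows, so a foreign id
    // returns 404 instead of another tenant's record, and the response does
    // not reveal whether that id exists at all.
    public function show(Request $request, int $id)
    {
        $product = Product::where('user_id', $request->user()->id)->findOrFail($id);

        return view('products.show', ['product' => $product]);
    }

    public function update(Request $request, int $id)
    {
        $product = Product::where('user_id', $request->user()->id)->findOrFail($id);

        // Whitelist: only these fields reach the model, so a submitted user_id
        // or qr_code is dropped. The warehouse must also belong to the caller;
        // a bare exists:warehouses,id rule would let a product be re-parented
        // into someone else's warehouse.
        $data = $request->validate([
            'name'         => ['required', 'string', 'max:120'],
            'warehouse_id' => ['required', 'integer',
                Rule::exists('warehouses', 'id')->where('user_id', $request->user()->id)],
            'status'       => ['required', Rule::in(['in_stock', 'incident'])],
        ]);
        // Same effect as $request->only([...]) on the whitelisted keys.
        $product->update($data);

        return redirect()->route('products.show', $product);
    }
}

// --- tests/Feature/CrossTenantIsolationTest.php ---
namespace Tests\Feature;

use App\Models\Product;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class CrossTenantIsolationTest extends TestCase
{
    use RefreshDatabase;

    public function test_user_cannot_read_or_modify_another_users_product(): void
    {
        $alice = User::factory()->create();
        $bob   = User::factory()->create();
        $bobsProduct = Product::factory()->create(['user_id' => $bob->id]);

        // Read: Alice gets 404, not Bob's product.
        $this->actingAs($alice)
            ->get(route('products.show', $bobsProduct))
            ->assertNotFound();

        // Write: the update is refused and the row is untouched.
        $this->actingAs($alice)
            ->put(route('products.update', $bobsProduct), ['name' => 'hijacked'])
            ->assertNotFound();

        $this->assertDatabaseMissing('products', [
            'id'   => $bobsProduct->id,
            'name' => 'hijacked',
        ]);

        // Listing: Bob's row never appears in Alice's index.
        $this->actingAs($alice)
            ->get(route('products.index'))
            ->assertDontSee($bobsProduct->name);
    }
}
```

The test covers read, write and list paths separately because a scoped show() does not prove that the index or a status-change endpoint is scoped too; each query path needs its own assertion, which is why the page's finding lists edit, detail and status-change queries individually.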

Result

An app that manages real multi-warehouse inventory, with physical QR identification and strict data separation between users, covered by feature tests (auth, QR, roles, isolation) and reproducibly deployable with Docker. The emphasis: secure by default, not just functional.