A developer-focused breakdown of CoreOps Solutions's architecture, subsystems, and capabilities. Intended as a reference for engineers evaluating, extending, or deploying the platform.
Application Architecture
Built on Next.js 15 with React 19 and TypeScript for a modern, type-safe foundation
Clean separation between public (unauthenticated) and protected (authenticated) routes
Server-side rendering for fast initial loads; interactive elements handled client-side
Form submissions processed server-side — no separate API calls needed from the UI
Tailwind CSS with a comprehensive component library for a consistent, accessible UI
Dark and light theme support with server-side resolution — no flash on page load
Built-in analytics support for production environments
Authentication
Encrypted cookie-based sessions — no server-side session store required
Passwords hashed using industry-standard algorithms before storage
Sessions automatically invalidated when a user changes their password
Configurable session lifetime from 1 hour up to 90 days via admin settings
New accounts start inactive — users activate via a time-limited email link
Accounts temporarily locked after too many failed login attempts (configurable)
Time-based one-time password (TOTP) MFA with QR code setup and 10 backup codes
Access to protected pages always verified server-side on every navigation
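The stateless session model described above (encrypted cookie, no server-side store, sessions invalidated on password change, verified on every navigation), as an added example that is not CoreOps Solutions code. It assumes AES-256-GCM from Node's crypto module, a server-held key, and a per-user `credentialVersion` counter that the application bumps whenever the password changes; all three are assumptions of this example, not details taken from the platform.

```typescript
// Added example (not CoreOps Solutions code): a stateless, encrypted session cookie.
// Assumptions: AES-256-GCM via Node's crypto module, a server-held SESSION_KEY, and a
// per-user "credentialVersion" that the application increments on every password change.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

export interface SessionPayload {
  userId: string;
  credentialVersion: number; // copied from the user record at login time
  expiresAt: number;         // epoch milliseconds, derived from the configured lifetime
}

// Constructed 32-byte key for the example; a deployment loads this from a secret store.
export const SESSION_KEY: Buffer = Buffer.alloc(32, 7);

// Seal: random 96-bit nonce || ciphertext || 128-bit GCM tag, base64url encoded.
export function sealSession(payload: SessionPayload, key: Buffer = SESSION_KEY): string {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(payload), "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return Buffer.concat([iv, ct, tag]).toString("base64url");
}

// Open: returns null for any tampered, truncated, or wrongly keyed cookie.
export function openSession(cookie: string, key: Buffer = SESSION_KEY): SessionPayload | null {
  const raw = Buffer.from(cookie, "base64url");
  if (raw.length < 12 + 16) return null; // too short to hold nonce + tag
  const iv = raw.subarray(0, 12);
  const tag = raw.subarray(raw.length - 16);
  const ct = raw.subarray(12, raw.length - 16);
  try {
    const decipher = createDecipheriv("aes-256-gcm", key, iv);
    decipher.setAuthTag(tag);
    const pt = Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
    return JSON.parse(pt) as SessionPayload;
  } catch {
    return null; // authentication tag mismatch or malformed JSON
  }
}

// The server-side check run on every navigation to a protected route.
// `currentCredentialVersion` comes from the user record; a password change increments
// it, so every cookie minted before the change stops validating without a session store.
export function isSessionValid(
  cookie: string,
  currentCredentialVersion: number,
  now: number = Date.now(),
  key: Buffer = SESSION_KEY,
): boolean {
  const s = openSession(cookie, key);
  if (!s) return false;
  if (s.expiresAt <= now) return false;
  return s.credentialVersion === currentCredentialVersion;
}
```

The GCM tag is what makes the cookie tamper-evident: a flipped byte anywhere in the payload fails `final()` and the cookie is treated as absent rather than partially trusted.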
Authorisation & RBAC
Three built-in groups: Admin, User, and Guest — each with distinct access levels
Admins have full platform access; other groups are restricted to assigned permissions
Policy engine: define which roles can access which resources and perform which actions
Default group for new self-registrations is configurable
MFA setup is always user-initiated — admins cannot enable it on behalf of a user
MFA enforcement can be switched on globally; users who have not completed setup are blocked once a configurable grace period (in days) expires. A grace period of zero enforces immediately on the next login
Blocked users are shown a dedicated page with a direct link to complete MFA setup — the profile page remains accessible so they can resolve it without admin intervention
The admin group is a protected system group and cannot be deleted
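The enforcement and grace-period logic described above, as an added example that is not CoreOps Solutions code. It assumes that the grace period is measured from whichever is later, the moment enforcement was switched on or the account's creation, and that the set of routes a blocked user may still reach is an explicit allowlist; the route paths are constructed for the example.

```typescript
// Added example (not CoreOps Solutions code): deciding whether a user is allowed in,
// still inside their MFA grace period, or blocked until they complete setup.
// Assumptions: grace starts at max(enforcement switch-on time, account creation time);
// the allowlisted paths below are constructed for the example.

export interface MfaPolicy {
  enforced: boolean;
  graceDays: number; // 0 = block on the next login
}

export interface UserMfaState {
  mfaEnabled: boolean; // true once the user has completed TOTP setup
  createdAt: number;   // epoch milliseconds
}

export const DAY_MS = 24 * 60 * 60 * 1000;

export type MfaGate = "allow" | "grace" | "blocked";

export function evaluateMfaGate(
  policy: MfaPolicy,
  user: UserMfaState,
  enforcedSince: number, // epoch ms when global enforcement was switched on
  now: number,
): MfaGate {
  if (!policy.enforced || user.mfaEnabled) return "allow";
  if (policy.graceDays <= 0) return "blocked"; // zero grace: enforce immediately
  // Users created after enforcement began get a full grace period of their own.
  const graceStart = Math.max(enforcedSince, user.createdAt);
  const deadline = graceStart + policy.graceDays * DAY_MS;
  return now < deadline ? "grace" : "blocked";
}

// Paths a blocked user may still reach so they can finish setup without an admin;
// every other protected path redirects to the "MFA required" page.
const MFA_SETUP_ALLOWLIST = new Set(["/profile", "/profile/mfa", "/logout"]);

export function isReachableWhileBlocked(pathname: string): boolean {
  return MFA_SETUP_ALLOWLIST.has(pathname.split("?")[0]);
}
```

Returning a three-way result rather than a boolean lets the UI show a countdown during the grace period while the server still treats "blocked" as a hard redirect.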
User Management
Accounts can be created by admins or via self-registration (can be enabled or disabled)
Invite flow: admin creates the account, activation link emailed, user sets their own password
Admins can enable or disable accounts, change groups, reset passwords, and disable MFA
Full sign-in history per user: logins, failures, lockouts, and MFA events
Email address changes require verification — new address confirmed before it takes effect
Users manage their name, email, password, and display theme from their profile
Per-user API access tokens available when the REST API feature is enabled
Rate Limiting & Lockout
Automatic rate limiting per IP address on the login, registration, password reset, MFA, and contact form endpoints
All thresholds are adjustable from the admin settings — no code changes needed
Accounts lock automatically after a configurable number of consecutive failed password attempts
Lockout state is stored persistently — survives server restarts
Works alongside network-level rate limiting at the reverse proxy layer
CAPTCHA protection on public-facing forms to block automated submissions
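The two layers described in this section, a per-IP rate limit in front of the password check and a persistent per-account lockout after a configurable number of consecutive failures, as an added example that is not CoreOps Solutions code. It assumes the thresholds are the values an admin would set, and models the lockout store as an interface so an in-memory stand-in can be used here while a persistent (SQLite-backed) implementation would be used in deployment.

```typescript
// Added example (not CoreOps Solutions code): per-IP fixed-window rate limiting plus a
// per-account lockout after N consecutive failed password attempts.
// Assumptions: thresholds mirror admin settings; the LockoutStore interface stands in
// for the platform's persistent table so the lockout survives restarts.

export interface Thresholds {
  ipMaxAttempts: number;      // attempts allowed per IP per window
  ipWindowMs: number;         // window length in milliseconds
  accountMaxFailures: number; // consecutive failures before the account locks
  lockoutMs: number;          // how long the account stays locked
}

export interface LockoutRecord { failures: number; lockedUntil: number }

export interface LockoutStore {
  get(username: string): LockoutRecord | undefined;
  set(username: string, rec: LockoutRecord): void;
}

// In-memory stand-in so the example runs offline; the real store must persist.
export class MemoryLockoutStore implements LockoutStore {
  private rows = new Map<string, LockoutRecord>();
  get(u: string): LockoutRecord | undefined { return this.rows.get(u); }
  set(u: string, rec: LockoutRecord): void { this.rows.set(u, rec); }
}

export type Refusal = "rate_limited" | "locked";

export class LoginGuard {
  private ipHits = new Map<string, { count: number; windowStart: number }>();
  private t: Thresholds;
  private store: LockoutStore;

  constructor(t: Thresholds, store: LockoutStore) {
    this.t = t;
    this.store = store;
  }

  // Run before the password is checked. The attempt is counted against the IP first,
  // so probing a locked account still consumes the caller's rate-limit budget.
  precheck(ip: string, username: string, now: number): Refusal | null {
    const hit = this.ipHits.get(ip);
    if (!hit || now - hit.windowStart >= this.t.ipWindowMs) {
      this.ipHits.set(ip, { count: 1, windowStart: now });
    } else {
      hit.count += 1;
      if (hit.count > this.t.ipMaxAttempts) return "rate_limited";
    }
    const rec = this.store.get(username);
    if (rec && rec.lockedUntil > now) return "locked";
    return null;
  }

  // Run after the password check. Success clears the counter; a failure increments it
  // and, at the threshold, locks the account and restarts the count.
  recordResult(username: string, success: boolean, now: number): void {
    if (success) {
      this.store.set(username, { failures: 0, lockedUntil: 0 });
      return;
    }
    const rec = this.store.get(username) ?? { failures: 0, lockedUntil: 0 };
    const failures = rec.failures + 1;
    if (failures >= this.t.accountMaxFailures) {
      this.store.set(username, { failures: 0, lockedUntil: now + this.t.lockoutMs });
    } else {
      this.store.set(username, { failures, lockedUntil: rec.lockedUntil });
    }
  }
}
```

The IP counter is deliberately in memory (it is cheap to lose on restart), while the account lockout goes through the store interface because losing it on restart would let an attacker reset their own lockout by waiting for a deploy.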
Email
SMTP email delivery with settings fully configurable at runtime via the admin panel
Change your mail provider, credentials, or sender address without restarting the server
Five built-in templates: account welcome, password changed, password reset, email update, and test
Email failures never interrupt user-facing actions — delivery is handled in the background
Every email attempt is logged — always see what was sent, to whom, and whether it succeeded
Send a test email directly from admin settings to verify your configuration
REST API
Full REST API available at /api/* for programmatic and third-party integrations
API access toggled on or off from admin settings — no deployment required
All API requests require authentication; permissions mirror those of the web interface
Allowed origins configurable for cross-origin access
Full request validation on all endpoints
Per-user API access tokens for external tooling and automation
Monitoring & Metrics
Prometheus-compatible metrics endpoint at /api/metrics — ready to scrape with any standard collector
Node.js runtime metrics included by default: GC pause, heap usage, event loop lag, CPU usage, and process uptime
API request counter tracks total requests broken down by HTTP method, route, and response status
API request duration histogram measures response time in milliseconds across a spread of latency buckets
Route labels use matched route patterns rather than raw paths — keeps metric cardinality low regardless of the number of unique resource IDs
Endpoint protected by Bearer token authentication, managed through the platform's RBAC policy engine
Metrics are only exposed when the REST API feature is enabled — disabled by default
Compatible with Prometheus, Grafana, and any other OpenMetrics-compatible monitoring stack
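The counter, millisecond histogram, route-pattern labelling and Bearer-protected scrape endpoint described in this section, as an added example that is not CoreOps Solutions code. It assumes a hand-written route table (the platform derives its patterns from the Next.js router), renders the Prometheus text format directly instead of using a client library, and uses a constructed token value; none of those come from the platform.

```typescript
// Added example (not CoreOps Solutions code): a request counter and duration histogram
// labelled by matched route pattern, rendered in Prometheus text exposition format, plus
// the Bearer-token check for the scrape endpoint.
// Assumptions: ROUTE_PATTERNS is constructed for the example; the real platform gets
// the matched pattern from its router. No client library is used.
import { timingSafeEqual } from "node:crypto";

// Match order matters: most specific pattern first. Unmatched paths collapse to "other",
// so an attacker spraying random URLs cannot inflate label cardinality.
const ROUTE_PATTERNS: Array<[RegExp, string]> = [
  [/^\/api\/users\/[^/]+$/, "/api/users/:id"],
  [/^\/api\/users$/, "/api/users"],
  [/^\/api\/metrics$/, "/api/metrics"],
];

export function routeLabel(rawPath: string): string {
  const path = rawPath.split("?")[0];
  for (const [re, label] of ROUTE_PATTERNS) if (re.test(path)) return label;
  return "other";
}

const BUCKETS_MS = [5, 10, 25, 50, 100, 250, 500, 1000, 2500, 5000];

interface Hist { buckets: number[]; sum: number; count: number }

export class ApiMetrics {
  private counts = new Map<string, number>();
  private hists = new Map<string, Hist>();

  observe(method: string, rawPath: string, status: number, durationMs: number): void {
    const route = routeLabel(rawPath);
    const ck = `method="${method}",route="${route}",status="${status}"`;
    this.counts.set(ck, (this.counts.get(ck) ?? 0) + 1);
    const hk = `method="${method}",route="${route}"`;
    let h = this.hists.get(hk);
    if (!h) {
      h = { buckets: BUCKETS_MS.map(() => 0), sum: 0, count: 0 };
      this.hists.set(hk, h);
    }
    // Prometheus buckets are cumulative: every bucket with le >= the value is incremented.
    for (let i = 0; i < BUCKETS_MS.length; i++) if (durationMs <= BUCKETS_MS[i]) h.buckets[i] += 1;
    h.sum += durationMs;
    h.count += 1;
  }

  requestCount(method: string, route: string, status: number): number {
    return this.counts.get(`method="${method}",route="${route}",status="${status}"`) ?? 0;
  }

  // Text exposition: cumulative buckets, the mandatory +Inf bucket, then _sum and _count.
  render(): string {
    const out = ["# TYPE api_requests_total counter"];
    for (const [labels, v] of this.counts) out.push(`api_requests_total{${labels}} ${v}`);
    out.push("# TYPE api_request_duration_ms histogram");
    for (const [labels, h] of this.hists) {
      BUCKETS_MS.forEach((le, i) =>
        out.push(`api_request_duration_ms_bucket{${labels},le="${le}"} ${h.buckets[i]}`));
      out.push(`api_request_duration_ms_bucket{${labels},le="+Inf"} ${h.count}`);
      out.push(`api_request_duration_ms_sum{${labels}} ${h.sum}`);
      out.push(`api_request_duration_ms_count{${labels}} ${h.count}`);
    }
    return out.join("\n") + "\n";
  }
}

// Constant-time comparison of the scrape token so a prefix match does not leak timing.
export function authorizeScrape(authHeader: string | undefined, expectedToken: string): boolean {
  if (!authHeader || !authHeader.startsWith("Bearer ")) return false;
  const got = Buffer.from(authHeader.slice("Bearer ".length));
  const want = Buffer.from(expectedToken);
  return got.length === want.length && timingSafeEqual(got, want);
}
```

Two requests to `/api/users/42` and `/api/users/99` land on the same `route="/api/users/:id"` series; that collapse is the whole point of labelling by pattern rather than raw path.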
Database
Embedded SQLite database — no external database server required
Designed for safe concurrent access in multi-worker environments
Schema upgrades applied automatically on startup — no manual migration steps
Runtime settings cached in memory for performance; live values always available for critical checks
Default data seeded safely on every startup — no risk of duplicating existing records
Full database backup and restore available from the admin panel
Logging & Observability
Authentication log: every login, logout, failure, lockout, rate limit event, and MFA attempt
Email log: every send attempt with recipient, delivery status, and full message content
System log: platform-level events across backup, API, settings, email, and calendar processes
Traffic log: every visit to public pages — path, IP address, browser, referrer, and timestamp
All log writes are non-blocking — a logging failure never affects the primary operation
Log pages are paginated and filterable by event type, process, or status
Configuration & Feature Flags
All platform settings stored in the database — changes take effect immediately without a restart
Feature flags control: self-registration, password reset, MFA, and API access
Configurable landing page for unauthenticated visitors: login, welcome, or maintenance
Session lifetime configurable from 1 hour to 90 days
Maximum file upload size configurable
Default group for new users is configurable
Password complexity rules: minimum length, uppercase, lowercase, numbers, and special characters
Application name, description, and SEO metadata all editable from the admin panel
Security
Clickjacking protection — prevents the platform being embedded in another website