Picture this scenario
You click “Withdraw” in a business management system. The system generates a confirmation, moves the withdrawal to history, but… doesn’t reset the employee’s balance. The employee clicks again. And again. And the system lets it happen.
A client came to me with exactly this kind of critical bug. The system was built on a no-code/low-code platform. But that was just the tip of the iceberg.
What I uncovered during the audit
I ran a full audit of the system (Studio Manager) and, beyond the “financial leak”, I found three more critical issues:
1. Telegram webhooks cut off
The platform’s built-in middleware was blocking Telegram API webhooks, cutting the company off from notifications. The platform simply wasn’t designed to handle external webhooks with a non-standard structure.
Solution: I built an external, independent microservice on Deno Deploy that bypasses the platform’s limitations and safely routes traffic from the Telegram API.
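The routing half of such a relay, as an added example (this is not the client's microservice and the post does not say how it authenticates Telegram). It assumes the webhook was registered with a secret via setWebhook, so that every delivery carries Telegram's X-Telegram-Bot-Api-Secret-Token header; the relay accepts an update only when that header matches and the body parses as a Telegram update, and otherwise answers without forwarding anything downstream. The secret value and downstream target are placeholders.

```typescript
// Added example, not Studio Manager's or the client's code. A pure routing
// function that a Deno Deploy (or any other) relay can call per request.
interface RouteResult {
  status: number;    // HTTP status the relay should answer Telegram with
  forward?: unknown; // parsed update to hand to the downstream platform
}

// Constant-time string comparison so a wrong secret is not distinguishable
// by response timing. Length mismatch still short-circuits, which leaks
// only the secret's length.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function routeTelegramUpdate(
  headers: Record<string, string>,
  body: string,
  expectedSecret: string,
): RouteResult {
  // Header lookup is case-insensitive; platforms disagree on casing.
  const presented =
    Object.entries(headers).find(
      ([k]) => k.toLowerCase() === "x-telegram-bot-api-secret-token",
    )?.[1] ?? "";
  if (!constantTimeEqual(presented, expectedSecret)) return { status: 403 };

  // Telegram posts JSON; a non-JSON body is never a legitimate update.
  let update: unknown;
  try {
    update = JSON.parse(body);
  } catch {
    return { status: 400 };
  }
  const u = update as { update_id?: unknown } | null;
  if (!u || typeof u !== "object" || typeof u.update_id !== "number") {
    return { status: 400 };
  }
  // Answer 200 once accepted; Telegram re-delivers the same update until it
  // sees a 2xx, so the downstream hand-off must tolerate duplicates.
  return { status: 200, forward: u };
}
```

On Deno Deploy the surrounding handler is a `Deno.serve` callback that copies `req.headers` into a plain record, reads `await req.text()`, calls `routeTelegramUpdate`, and forwards `forward` to the platform's own endpoint; the secret comes from an environment variable, never from the request.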
2. OAuth gap — anyone could get in
Login via Google (OAuth) gave new employees instant access to the system, bypassing the verification process. Zero control — anyone with a Google account could log in and see company data.
Solution: a three-state access-control mechanism (RBAC). A new user lands in a waiting room → an admin verifies them → assigns a role → only then do they get access.
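The three-state gate in code, as an added example rather than the Studio Manager implementation. State names, role names and the bootstrap admin are assumptions; the point it demonstrates is that a successful Google login only ever creates a pending record, and every data endpoint asks the same default-deny check.

```typescript
// Added example, not Studio Manager's code. A minimal pending → verified →
// active onboarding gate for OAuth logins.
type State = "pending" | "verified" | "active";
type Role = "admin" | "manager" | "employee";

interface User {
  email: string;
  state: State;
  role?: Role;
}

class AccessControl {
  private users = new Map<string, User>();

  // The first admin is created out of band, never through OAuth sign-up.
  constructor(bootstrapAdmin: string) {
    this.users.set(bootstrapAdmin, { email: bootstrapAdmin, state: "active", role: "admin" });
  }

  // Called after Google returns a verified identity. A Google account alone
  // earns a "pending" record: no role, no data access.
  onOAuthLogin(email: string): User {
    let u = this.users.get(email);
    if (!u) {
      u = { email, state: "pending" };
      this.users.set(email, u);
    }
    return u;
  }

  private requireAdmin(actor: string): void {
    const a = this.users.get(actor);
    if (!a || a.state !== "active" || a.role !== "admin") {
      throw new Error(`${actor} is not an active admin`);
    }
  }

  // Step 2: an admin confirms the person really is an employee.
  verify(actor: string, email: string): void {
    this.requireAdmin(actor);
    const u = this.users.get(email);
    if (!u || u.state !== "pending") throw new Error(`${email} is not pending`);
    u.state = "verified";
  }

  // Step 3: a role is assigned; only now does the account become active.
  assignRole(actor: string, email: string, role: Role): void {
    this.requireAdmin(actor);
    const u = this.users.get(email);
    if (!u || u.state !== "verified") throw new Error(`${email} is not verified`);
    u.role = role;
    u.state = "active";
  }

  // The check every data endpoint runs: deny unless active with a role.
  canAccess(email: string, resource: "company_data" | "admin_panel"): boolean {
    const u = this.users.get(email);
    if (!u || u.state !== "active" || !u.role) return false;
    if (resource === "admin_panel") return u.role === "admin";
    return true;
  }
}
```

The waiting-room state is what closes the gap described above: the OAuth callback may create users freely, because creation grants nothing until an admin has walked the record through both remaining transitions.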
3. Double-billing of fees
The algorithms calculating daily fees (Tax/Restaurant) doubled costs in specific edge cases. The problem was only visible under particular combinations of dates and transaction types.
Solution: A complete rewrite of the transactional logic plus an audit panel for the owner that allows tracking every operation.
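One way to structure the rewritten transactional logic so that both the repeated-withdrawal bug from the opening scenario and the double-billed daily fee become impossible by construction, as an added example that is not the client's code. It assumes an append-only ledger in which every money movement carries an idempotency key and the balance is derived from the ledger, so history and balance cannot drift apart the way they did in the "Withdraw" bug; withdrawal keys come from the client (one id per button press, resent on retries) and fee keys are (employee, day, fee type). Fee names are the post's; amounts, key formats and employee names are constructed.

```typescript
// Added example, not Studio Manager's code. Balance is never stored; it is
// always computed from the same entries the audit panel lists.
type Kind = "deposit" | "withdrawal" | "fee";

interface Entry {
  key: string;       // idempotency key: applying it twice is a no-op
  employee: string;
  kind: Kind;
  amount: number;    // always positive; the kind decides the sign
  note: string;
}

class Ledger {
  private entries: Entry[] = [];
  private keys = new Set<string>();

  balance(employee: string): number {
    return this.entries
      .filter((e) => e.employee === employee)
      .reduce((acc, e) => acc + (e.kind === "deposit" ? e.amount : -e.amount), 0);
  }

  // The single path every movement takes. Returns false when the key was
  // already applied, so a repeated click changes nothing and can be answered
  // with the original confirmation.
  private apply(entry: Entry): boolean {
    if (this.keys.has(entry.key)) return false;
    if (entry.kind !== "deposit" && this.balance(entry.employee) < entry.amount) {
      throw new Error(`insufficient balance for ${entry.employee}`);
    }
    this.keys.add(entry.key);
    this.entries.push(entry);
    return true;
  }

  deposit(employee: string, amount: number, requestId: string): boolean {
    return this.apply({ key: `deposit:${employee}:${requestId}`, employee, kind: "deposit", amount, note: "deposit" });
  }

  // requestId is generated once per "Withdraw" press (e.g. a UUID) and the
  // same id is resent on every retry of that press.
  withdraw(employee: string, amount: number, requestId: string): boolean {
    return this.apply({ key: `withdraw:${employee}:${requestId}`, employee, kind: "withdrawal", amount, note: "withdrawal" });
  }

  // A day's fee of a given type has exactly one key, so no combination of
  // recalculation runs can charge it twice.
  chargeDailyFee(employee: string, day: string, feeType: "Tax" | "Restaurant", amount: number): boolean {
    return this.apply({ key: `fee:${employee}:${day}:${feeType}`, employee, kind: "fee", amount, note: `${feeType} fee for ${day}` });
  }

  // What the owner's audit panel renders: every operation, in order, with
  // the key that made it unique.
  history(employee?: string): readonly Entry[] {
    return employee ? this.entries.filter((e) => e.employee === employee) : this.entries;
  }
}
```

In a real deployment the uniqueness check and the append happen inside one database transaction (a unique index on the key column does the job); the in-memory `Set` here stands in for that constraint.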
Takeaway
No-code tools deliver an MVP quickly. But once the application starts handling real money and security processes, you need engineering, not “click-to-configure” features.
Your system throws strange errors? Describe the problem to AI — diagnosis within 48h.