Frontend Architecture Document Frontend Architecture Document Project: Drop — Fintech Payment App Version: 0.1.0 Date: 2026-02-23 Author: John (AI Director, ALAI) Status: In Review Reviewers: Alem Bašić (CEO) Document History Version Date Author Changes 0.1 2026-02-23 John Initial draft from source code analysis 1. Purpose & Scope This document defines the frontend architecture for Drop , a fintech payment app for all residents of Norway/Scandinavia. It covers the Next.js web application ( src/drop-app/ ) and the static marketing site ( landing/ ). Intended readers: Frontend engineers, mobile engineers, architects, product managers. In scope: Next.js App Router web application ( src/drop-app/ ) Static HTML marketing landing page ( landing/index.html ) Expo React Native mobile app ( src/drop-mobile/ ) — details in mobile-architecture.md Out of scope: Backend API (Hono v4), infrastructure, CI/CD pipelines. 2. Framework Choice & Rationale Criterion Weight Next.js 15 Nuxt 3 SvelteKit Remix Team expertise 30% 9 5 4 6 Ecosystem maturity 25% 9 7 6 7 Performance 20% 9 8 9 8 DX / tooling 15% 9 7 7 7 License / cost 10% 10 10 10 10 Selected Framework: Next.js 15 (App Router) + React 19 Rationale: Next.js was selected because the entire team (AI-driven) operates in TypeScript + React. The App Router supports a hybrid rendering model essential for Drop: Server Components for the marketing landing page (fast, SEO-friendly), and Client Components for the authenticated payment flows (real-time, user-specific). Code sharing between the Next.js web app and the Expo mobile app is maximized — shared hooks, types, and validation logic. The Vercel deployment model provides zero-config CDN, edge middleware for auth protection, and ISR for marketing pages without managing infrastructure. Node/runtime version: Node.js 20 LTS Package manager: pnpm 3. Project Folder Structure src/drop-app/ ├── src/ │ ├── app/ # Next.js App Router (file-based routing) │ │ ├── page.tsx # / — Marketing home (Server Component) │ │ ├── layout.tsx # Root layout — fonts, PWA, cookie consent │ │ ├── login/page.tsx # /login — Client Component │ │ ├── register/page.tsx # /register — Multi-step onboarding │ │ ├── dashboard/page.tsx # /dashboard — Auth required │ │ ├── accounts/page.tsx # /accounts — Bank account linking │ │ ├── transactions/page.tsx # /transactions — Transaction history │ │ ├── scan/page.tsx # /scan — QR payment │ │ ├── send/page.tsx # /send — Remittance flow │ │ ├── profile/ # /profile and sub-routes │ │ ├── notifications/page.tsx # /notifications │ │ ├── cards/page.tsx # /cards — Feature-flagged (future) │ │ ├── fees/page.tsx # /fees — Public fee disclosure │ │ ├── privacy/page.tsx # /privacy — GDPR policy │ │ ├── terms/page.tsx # /terms — Terms of service │ │ ├── complaints/page.tsx # /complaints — Finansavtaleloven §3-53 │ │ ├── withdrawal/page.tsx # /withdrawal — Angrerettloven │ │ └── api/ # API routes (BFF layer) │ │ ├── auth/ # login, logout, me, register │ │ ├── transactions/ # remittance, qr-payment │ │ ├── recipients/ # CRUD recipients │ │ ├── rates/ # Exchange rates │ │ ├── cards/ # Feature-flagged │ │ ├── merchants/ # Merchant dashboard │ │ ├── settings/ # User preferences │ │ ├── notifications/ # Push notifications │ │ └── consents/ # Cookie consent │ ├── components/ │ │ ├── ui/ # shadcn/ui primitives (Radix-based) │ │ ├── bottom-nav.tsx # Fixed bottom navigation (5 tabs) │ │ ├── drop-logo.tsx # DropLogo, DropWordmark, DropLogoFull, DropAppIcon │ │ ├── drop-icons.tsx # 9 custom domain-specific icons │ │ ├── cookie-consent.tsx # GDPR cookie consent banner + modal │ │ ├── pre-payment-disclosure.tsx # PSD2 pre-payment disclosure modal │ │ └── pwa-register.tsx # Service Worker registration │ ├── lib/ │ │ ├── use-auth.ts # useAuth() — auth hook with redirect │ │ ├── feature-flags.ts # Feature flag system (env-var based) │ │ └── middleware/ # auth-middleware, error-handler, validation │ └── middleware.ts # Next.js middleware (auth protection) ├── public/ │ ├── sw.js # Service worker (PWA) │ └── manifest.json # Web app manifest ├── landing/ # Static marketing site (separate from Next.js) │ ├── index.html # Main landing page (~646 lines, pure HTML/CSS/JS) │ └── pages/ # 12 sub-pages (priser, personvern, vilkar, etc.) ├── globals.css # CSS custom properties (brand tokens) ├── next.config.ts └── package.json 4. Rendering Strategy Page Type Strategy Rationale / — Marketing home Server Component (SSG) SEO-critical, no auth, static content /fees , /privacy , /terms , /complaints , /withdrawal Client Component (CSR) Public pages, no auth required /login , /register Client Component (CSR) Form state, client-side validation /dashboard , /accounts , /transactions Client Component (CSR) Auth-gated, personalized, real-time data /scan , /send Client Component (CSR) Multi-step flows, camera access, form state /profile , /notifications , /cards Client Component (CSR) Auth-gated, user-specific /api/** API Routes BFF layer — cookie-to-bearer proxy Hydration approach: Full hydration. Server Components used for the marketing page ( page.tsx ). All authenticated app pages are Client Components using "use client" directive. Note: The marketing landing page ( landing/index.html ) is a completely separate pure HTML/CSS/JS file served statically. It does not use the Next.js framework. 5. Routing Architecture 5.1 Route Organization / → Marketing home (Server Component) /login → Login (Client) /register → Registration / Onboarding (Client, 4-step) /dashboard → Dashboard (Client, auth required) /accounts → Bank accounts via AISP (Client, auth required) /transactions → Transaction history (Client, auth required) /scan → QR scanner (Client, auth required) /send → Remittance flow (Client, auth required) /profile → Profile (Client, auth required) /profile/personal → Personal info — BankID-verified, read-only /profile/security → Security settings — 2FA, active devices /profile/notifications → Notification preferences /profile/language → Language selection (nb, en, bs, sq) /notifications → Notifications center (Client, auth required) /cards → Card management (Client, auth required, feature-flagged) /fees → Fee disclosure (Public) /privacy → Privacy policy / GDPR (Public) /terms → Terms of service (Public) /complaints → Complaint form — Finansavtaleloven §3-53 (Public) /withdrawal → Right of withdrawal — Angrerettloven (Public) /api/** → API routes (BFF — cookie auth proxy to Hono backend) 5.2 Route Guards / Middleware Auth is enforced at two levels: Level 1 — useAuth() hook (per-page): // src/lib/use-auth.ts // Default: redirectIfUnauthenticated = true const { user, loading } = useAuth(); // On 401: redirects to /login Level 2 — Middleware (future): Middleware execution order: 1. Request logging 2. Authentication check (JWT cookie validation) 3. Redirect unauthenticated → /login 4. Feature flag gate (returns 404 if flag disabled) Protected routes: All routes under /dashboard , /accounts , /transactions , /scan , /send , /profile/** , /notifications , /cards . Public routes: / , /login , /register , /fees , /privacy , /terms , /complaints , /withdrawal . 6. Build & Bundle Configuration 6.1 Key Config Options Option Value Reason Output standalone Docker-optimized deployment Image optimization next/image WebP conversion, lazy loading Bundle analyzer ANALYZE=true On-demand local analysis Source maps Production: hidden Upload to Sentry only Compression gzip + brotli CDN-level compression PWA Service Worker at /sw.js Offline capability (basic) 6.2 Code Splitting Strategy Route-level splitting: Automatic per App Router segment Component-level splitting: dynamic() for heavy components (Dialog, QR scanner UI) Feature flags: Cards page components lazy-loaded (all flags default to false ) 7. Performance Budget Metric Target Tool LCP (Largest Contentful Paint) < 2.5s Lighthouse, CrUX INP (Interaction to Next Paint) < 200ms CrUX CLS (Cumulative Layout Shift) < 0.1 Lighthouse TTFB (Time to First Byte) < 600ms WebPageTest Total JS bundle (compressed) < 200 KB Bundlesize CI check First page load (mobile 4G) < 3s WebPageTest Lighthouse Performance Score ≥ 90 Lighthouse CI Note: The marketing page ( / ) is the primary SEO and performance target. The app pages (dashboard, send) accept slightly higher bundle sizes due to shadcn/ui + Radix dependencies. 8. Asset Management 8.1 Images Format: WebP primary, JPEG fallback, SVG for vectors (logos, icons) Optimization: next/image with defined domains Lazy loading: Native loading="lazy" via next/image 8.2 Fonts Fraunces (variable, 400-900) — loaded via next/font/google in layout.tsx DM Sans (variable, 400-700) — loaded via next/font/google in layout.tsx Geist Mono — loaded via next/font/google in layout.tsx CSS variables: --font-fraunces , --font-dm-sans , --font-geist-mono font-display: swap on all faces (handled by next/font ) 8.3 Icons Primary library: lucide-react (inline SVG via React components) Custom icons: components/drop-icons.tsx — 9 domain-specific icons (IconSendMoney, IconQrScan, IconVirtualCard, IconShield, IconFastTransfer, IconCorridors, IconWallet, IconHistory, IconTopUp) Social auth icons: Inline SVG (BankID green, Vipps orange) Delivery: Inline SVG via component (no icon font, no sprite) 9. Internationalization (i18n) Strategy Item Decision Library None (Phase 1 — Norwegian only) Default locale nb (Norwegian Bokmål) Supported locales nb (launch), en , bs , sq (Phase 2) Language selection /profile/language — PATCH /api/settings with { language: string } Translation format TBD — requires i18n library selection RTL support No Phase 1: All UI text hardcoded in Norwegian Bokmål. Language setting stored in user preferences ( /api/settings ) but not yet applied to UI translation. Phase 2: Introduce next-intl or i18next with per-locale JSON translation files for nb , en , bs , sq . 10. Error Boundary Strategy Level Scope Behavior Global error.tsx Full page crash Show branded error page Auth failure API 401 useAuth() redirects to /login Form submission Mutation failure Inline error message ( text-[#EF4444] ) + retry Data fetch useEffect fetch failure Caught in .catch() , silent or empty state Feature flag Flag disabled Returns 404 or "Feature not available" message Error reporting: TBD — Sentry integration planned for production. 11. Environment Configuration Variable Dev Staging Prod Description NEXT_PUBLIC_API_URL http://localhost:3000/api https://drop-app-staging.vercel.app/api https://drop-app.vercel.app/api Backend API base URL (mobile uses this) NEXT_PUBLIC_APP_ENV development staging production Runtime environment flag NEXT_PUBLIC_FF_VIRTUAL_CARDS false false false Cards feature flag NEXT_PUBLIC_FF_PHYSICAL_CARDS false false false Physical cards flag NEXT_PUBLIC_FF_NOTIFICATIONS true true true Notifications feature flag NEXT_PUBLIC_FF_MERCHANT_DASHBOARD true true true Merchant dashboard flag SENTRY_DSN optional required required Error reporting (server-side) Feature flag convention: NEXT_PUBLIC_FF_ + SCREAMING_SNAKE_CASE flag name. Secrets management: All non-public secrets in Vaultwarden ( vault.basicconsulting.no ). Never committed. 12. Dependency Management Policy Rule Detail Allowed licenses MIT, Apache-2.0, ISC, BSD-2, BSD-3 Security audit pnpm audit in CI — fail on high/critical Update cadence Monthly Renovate PRs for minor/patch; major = manual Banned patterns No moment.js (use date-fns ), no lodash (use native) Key dependencies: next@15 , react@19 — framework shadcn/ui + @radix-ui/* — component primitives lucide-react — icon library tailwindcss — styling class-variance-authority , clsx , tailwind-merge — class utilities 13. Architecture Diagram graph TB subgraph "Client Browser / Mobile" Browser["User Browser (PWA)"] Mobile["Expo Mobile App"] end subgraph "Frontend — Next.js 15 App Router" CDN["Vercel CDN (Static Assets + Edge)"] Marketing["Marketing Page (Server Component, SSG)"] AppPages["App Pages (Client Components, CSR)"] BFF["BFF API Routes (/api/*)\nCookie → Bearer proxy"] Middleware["Next.js Middleware\n(Auth guard)"] Components["shadcn/ui + Custom Components\nBottomNav, DropLogo, drop-icons"] AuthHook["useAuth() Hook\nGET /api/auth/me"] FeatureFlags["Feature Flags\nenv-var based"] end subgraph "Backend — Hono v4" HonoAPI["Hono REST API\n/v1/* — Bearer auth"] OpenBanking["Open Banking (PSD2)\nAISP + PISP"] BankID["BankID OIDC\nAuthentication"] end Browser --> CDN Browser --> Marketing Browser --> Middleware Middleware --> AppPages AppPages --> Components AppPages --> AuthHook AppPages --> FeatureFlags AuthHook --> BFF BFF --> HonoAPI HonoAPI --> OpenBanking HonoAPI --> BankID Mobile --> HonoAPI Approval Role Name Date Signature Author John (AI Director) 2026-02-23 Tech Lead Architect Engineering Manager