Back to Portfolio
Healthcare ERPGraphQLFull-StackRBAC

MediFlow
Pro

A comprehensive, enterprise-grade Hospital Management System built on a full-stack GraphQL architecture. Manages patient lifecycles from onboarding to clinical consultation — with Role-Based Access Control across four distinct user levels and Prisma transaction guarantees on every critical operation.

GraphQL
Architecture
4 Levels
User Roles
Prisma
ORM
RBAC
Access Model

Tech Stack

React.jsTypeScriptNestJSGraphQLApollo ServerPostgreSQLPrisma ORMJWTBcryptTailwind CSSGqlAuthGuardRBAC

Architecture

React Frontend
TypeScript
Apollo Server
GraphQL API
NestJS Core
Service Layer
persisted via
Prisma ORM
$transaction blocks
·
PostgreSQL
Relational DB
·
AuditLog
Every mutation
Single GraphQL endpoint for the entire app. Clients query exactly the fields they need — no over-fetching, no versioned REST routes.
GqlAuthGuard + @Roles() decorators enforce access at the resolver level — cross-role access is blocked in code, not convention.
Prisma $transaction wraps every booking and billing operation — if any step fails, the entire operation rolls back atomically.

User Roles

System Modules

Key System Flows

1

Receptionist searches by NIC. Prisma upsert checks if patient exists — updates their record if found, creates a new one if not.

2

Regex validators run on every field: no numeric data in name fields, no letters in phone fields. Invalid inputs are rejected before DB write.

3

Appointment is booked against a DoctorSchedule. System checks bookedCount vs maxPatients — returns an error if the session is full.

4

Receptionist confirms the booking. Prisma $transaction wraps the appointment insert + bookedCount increment — both succeed or neither does.

5

Patient receives an Appointment ID. Bill record is created with status NOT_PAID and linked to the appointment for downstream settlement.

Engineering Highlights

🔐
Role-Based Access Control
GqlAuthGuard + custom decorators enforce access at the resolver level. A Receptionist cannot touch financial reports; a Doctor cannot alter staff accounts — enforced in code, not convention.
⚛️
Single GraphQL endpoint
Apollo Server exposes one endpoint for the entire app. Clients request exactly the fields they need — no over-fetching, no versioned REST routes to maintain.
🔒
Prisma transactions
Appointment booking + capacity increment and billing + status update are both wrapped in $transaction blocks. If any step fails, the entire operation rolls back — zero partial writes.
📋
Security audit logging
Every critical action — logins, staff creation, billing settlements — writes to an AuditLog table. Super Admin has a live feed of every system event with actor ID and timestamp.
🧬
End-to-end type safety
TypeScript runs from the Prisma schema to the NestJS resolvers to the React components. A schema change propagates type errors up the stack at compile time, not at runtime.
Optimistic UI via Apollo
The Admin dashboard uses Apollo polling and cache refetch to show live appointment counts and today's revenue — no WebSocket infrastructure needed for near-real-time updates.

View Source

View on GitHub