JavaScript Advanced

I Built a SaaS in 48 Hours Using Only v0 + Cursor AI

Q: Can you really build a production SaaS in 48 hours with AI tools?

Yes, but with caveats. The 48 hours includes 8 hours of code review, 4 hours of testing, and 2 hours of security audit. AI generates the code in about 7 hours, but the human spends significant time reviewing, wiring data layers, and handling edge cases. The SaaS was functional and deployed, but it was an MVP — not a feature-complete product.

Q: Is v0 free to use?

v0 has a free tier with limited generations per month. The paid plan provides more generations and priority access. For a 48-hour build, the free tier is sufficient for generating the core UI components. You may need the paid plan for iterative refinement.

Q: Can Cursor AI replace a backend developer?

No. Cursor accelerates backend development by generating boilerplate and integration code. But it cannot make architectural decisions, design data models, handle security review, or optimize for production scale. The developer's role shifts from writing code to reviewing code and making design decisions.

Q: What happens when AI-generated code has a bug in production?

The same process as any production bug: reproduce, diagnose, fix, deploy. However, debugging AI-generated code can be harder because the developer did not write it and may not understand the implicit assumptions. The fix is to pass the error and relevant code back to Cursor for diagnosis — it can often debug its own output.

Q: Should I use AI tools for my next project?

Yes, but with the right expectations. AI tools accelerate development by 3-5x for standard features. They do not replace engineering judgment for architecture, security, and performance. Use them for what they do well — generating boilerplate, UI components, and integration code. Handle architecture, security review, and edge cases manually.

📅 2026-04-11 ⏱ 3 min read 🎯 Advanced

Where developers are forged. · Structured learning · Free forever.

📍 Part of: React.js → Topic 23 of 23

See exactly how I built a production-ready SaaS from scratch in just 48 hours using v0 by Vercel and Cursor AI.

🔥 Advanced — solid JavaScript foundation required

In this tutorial, you'll learn

See exactly how I built a production-ready SaaS from scratch in just 48 hours using v0 by Vercel and Cursor AI.

v0 generates UI components, Cursor generates backend logic — together they cover the full stack
AI handles 80% of implementation — the remaining 20% is architecture, security, and edge cases
Define TypeScript interfaces first to constrain AI output and ensure type safety

✦ Plain-English analogy ✦ Real code with output ✦ Interview questions

⚡Quick Answer

v0 generates production-ready React components from natural language descriptions
Cursor AI writes backend logic, database queries, and API routes from prompts
The workflow: v0 for UI, Cursor for backend, Vercel for deployment
Authentication, payments, and database setup take 80% of the remaining manual work
AI-generated code still needs human review for security, edge cases, and architecture
Biggest mistake: shipping AI code without reviewing authentication and data validation

🚨 START HERE

AI Development Quick Debug Reference

Fast commands for diagnosing issues in AI-generated codebases

🟡AI-generated code has TypeScript errors

Immediate ActionRun type check and fix systematically

Commands

npx tsc --noEmit 2>&1 | head -50

npx tsc --noEmit 2>&1 | grep -c 'error TS'

Fix NowPass the error output back to Cursor with 'fix all TypeScript errors' prompt

🟡Auth middleware not applied to routes

Immediate ActionCheck which routes have auth protection

Commands

grep -rn 'middleware\|authenticate\|verifyToken' app/api/ --include='*.ts' | wc -l

ls app/api/ | wc -l

Fix NowIf middleware count < route count, add global auth middleware in middleware.ts

🟡Database migrations out of sync

Immediate ActionCheck migration status and generate missing migrations

Commands

npx prisma migrate status

npx prisma db push --preview-feature

Fix NowRun prisma migrate dev to generate and apply pending migrations

🟡v0 component styles broken in production

Immediate ActionCheck Tailwind CSS purging and class conflicts

Commands

grep -rn 'className' components/ --include='*.tsx' | grep 'bg-' | head -20

cat tailwind.config.ts | grep content

Fix NowEnsure tailwind.config content paths include all component directories

Production IncidentAI-Generated Auth Bypass Exposed User Data on First DeploymentA SaaS application built with Cursor AI had a critical authentication bypass in the API routes that exposed all user data to unauthenticated requests.

SymptomAfter deploying the SaaS, a security scan revealed that 12 of 15 API endpoints returned user data without checking authentication tokens. Any unauthenticated request received full user records including email addresses and subscription status.

AssumptionCursor AI generated secure authentication middleware because the prompt mentioned 'authentication' and 'JWT'.

Root causeThe prompt asked Cursor to 'add JWT authentication to the API routes'. Cursor generated the auth middleware correctly but applied it to only 3 of 15 routes. The remaining 12 routes were generated in earlier prompts before the auth middleware existed. Cursor did not retroactively add auth to existing routes — it only applied auth to routes generated in the same prompt context.

FixAudited all 15 routes and manually added the auth middleware to the 12 unprotected routes. Added a global middleware in the Next.js middleware.ts file that enforces authentication on all /api routes by default, with explicit opt-out for public routes. Added integration tests that verify every route returns 401 without a valid token.

Key Lesson

AI generates code in prompt context — it does not retroactively fix previously generated codeSecurity-critical code must be reviewed by a human regardless of AI generationGlobal middleware patterns are safer than per-route middleware for authenticationAlways run security scans on AI-generated code before deployment

Production Debug GuideCommon issues when building with v0 and Cursor AI

v0 component does not match the design system→Refine the prompt with specific design tokens: colors, spacing, font sizes. Paste existing CSS variables into the prompt context.

Cursor generates code that conflicts with existing patterns→Add project context files to Cursor's .cursorrules. Include your coding standards, file structure, and naming conventions.

AI-generated API route returns wrong data shape→Define TypeScript interfaces first, then ask Cursor to implement routes matching those interfaces. Types constrain the AI output.

Database queries are inefficient after AI generation→Review generated queries for N+1 problems, missing indexes, and unnecessary joins. AI optimizes for correctness, not performance.

Authentication works locally but fails in production→Check environment variables, cookie domain settings, and CORS configuration. AI often generates localhost-specific auth code.

AI-assisted development tools have crossed the threshold from novelty to production viability. v0 by Vercel generates production-quality React components from natural language. Cursor AI writes backend code, database queries, and API integrations from contextual prompts.

This article documents building a complete SaaS application — authentication, payments, database, and deployment — using only these two tools. The goal is not to prove that AI replaces engineers. It is to show where AI accelerates development, where it introduces risk, and what manual work remains after the AI generates the code.

The AI-Assisted Development Stack

The stack for this build consisted of three tools: v0 for frontend generation, Cursor AI for backend development, and Vercel for deployment. Each tool handles a specific layer of the application, and the integration between them determines the overall development velocity.

v0 generates React components with Tailwind CSS styling from natural language descriptions. It produces shadcn/ui-compatible components that integrate directly with Next.js projects. Cursor AI provides contextual code generation, refactoring, and debugging across the entire codebase. It understands project structure, existing patterns, and can generate code that matches your conventions.

The workflow is not fully automated — it is a human-AI collaboration where the human defines architecture and reviews output, and the AI handles implementation details. The human decides what to build. The AI builds it. The human verifies it works.

io.thecodeforge.saas.project_structure.txt · TYPESCRIPT

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950

saas-app/
├── app/
│   ├── layout.tsx                 # Root layout (v0 generated)
│   ├── page.tsx                   # Landing page (v0 generated)
│   ├── dashboard/
│   │   ├── layout.tsx             # Dashboard layout (v0 generated)
│   │   ├── page.tsx               # Dashboard home (v0 generated)
│   │   ├── settings/
│   │   │   └── page.tsx           # Settings page (v0 generated)
│   │   └── billing/
│   │       └── page.tsx           # Billing page (v0 generated)
│   ├── api/
│   │   ├── auth/
│   │   │   ├── signup/route.ts    # Auth API (Cursor generated)
│   │   │   ├── login/route.ts     # Auth API (Cursor generated)
│   │   │   └── [...nextauth]/
│   │   │       └── route.ts       # NextAuth handler (Cursor generated)
│   │   ├── webhooks/
│   │   │   └── stripe/route.ts    # Stripe webhook (Cursor generated)
│   │   └── subscription/
│   │       └── route.ts           # Subscription API (Cursor generated)
│   └── (auth)/
│       ├── login/page.tsx         # Login page (v0 generated)
│       └── signup/page.tsx        # Signup page (v0 generated)
├── components/
│   ├── ui/                        # shadcn/ui components (v0 generated)
│   │   ├── button.tsx
│   │   ├── card.tsx
│   │   ├── input.tsx
│   │   └── dialog.tsx
│   ├── dashboard/                 # Feature components (v0 generated)
│   │   ├── sidebar.tsx
│   │   ├── stats-cards.tsx
│   │   └── activity-feed.tsx
│   └── billing/                   # Billing components (v0 + Cursor)
│       ├── pricing-cards.tsx
│       └── subscription-status.tsx
├── lib/
│   ├── auth.ts                    # Auth config (Cursor generated)
│   ├── stripe.ts                  # Stripe client (Cursor generated)
│   ├── db.ts                      # Database client (Cursor generated)
│   └── utils.ts                   # Utilities (Cursor generated)
├── prisma/
│   ├── schema.prisma              # Database schema (Cursor generated)
│   └── migrations/                # Database migrations
├── middleware.ts                   # Global auth middleware (Cursor generated)
├── .cursorrules                    # Cursor project rules (manual)
├── tailwind.config.ts
├── next.config.ts
└── package.json

Mental Model

AI Tools as Specialized Workers

v0 handles visual output, Cursor handles logical output — each tool has a strength boundary.

v0 excels at UI components — it understands design patterns, responsive layouts, and Tailwind CSS
Cursor excels at backend logic — it understands TypeScript, API patterns, and database queries
Neither tool handles architecture decisions — the human defines the system design
Neither tool handles security review — the human must verify auth, validation, and access control
The integration point is the TypeScript interface — types constrain both tools' output

📊 Production Insight

AI tools generate code in isolation — they do not verify cross-component integration.

The human must define interfaces and verify that components connect correctly.

Rule: define TypeScript types first, then let AI implement against those types.

🎯 Key Takeaway

v0 generates UI components, Cursor generates backend logic — each has a strength boundary.

The human defines architecture and reviews output — AI handles implementation details.

TypeScript interfaces are the integration contract between AI-generated components.

Building the Frontend with v0

v0 generates React components from natural language descriptions. It produces shadcn/ui-compatible components styled with Tailwind CSS. The output is production-quality — not a prototype that needs rewriting.

The key to effective v0 usage is prompt specificity. Vague prompts produce generic output. Detailed prompts with specific requirements, design tokens, and component behavior produce components that match your design system.

The workflow for each page: describe the page layout in v0, copy the generated component into your project, install any missing shadcn/ui dependencies, and adjust the data layer to connect to your API. The visual structure is done — the data wiring is manual.

io.thecodeforge.saas.dashboard_page.tsx · TYPESCRIPT

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293

// Dashboard page — generated by v0, data layer wired manually
// v0 prompt: "Create a SaaS dashboard with a sidebar navigation,
// stats cards showing MRR, active users, and churn rate,
// and an activity feed showing recent events"

import { Suspense } from 'react'
import { Sidebar } from '@/components/dashboard/sidebar'
import { StatsCards } from '@/components/dashboard/stats-cards'
import { ActivityFeed } from '@/components/dashboard/activity-feed'
import { getDashboardStats, getRecentActivity } from '@/lib/api'

export default async function DashboardPage() {
  // Data layer — wired manually after v0 generated the UI
  const statsPromise = getDashboardStats()
  const activityPromise = getRecentActivity()

  return (
    <div className="flex min-h-screen">
      {/* Sidebar — v0 generated */}
      <Sidebar />

      <main className="flex-1 p-6 lg:p-8">
        <div className="space-y-8">
          {/* Header — v0 generated */}
          <div>
            <h1 className="text-3xl font-bold tracking-tight">
              Dashboard
            </h1>
            <p className="text-muted-foreground">
              Overview of your SaaS metrics
            </p>
          </div>

          {/* Stats — v0 generated shell, data wired manually */}
          <Suspense fallback={<StatsCardsSkeleton />}>
            <StatsCardsWrapper promise={statsPromise} />
          </Suspense>

          {/* Activity — v0 generated shell, data wired manually */}
          <Suspense fallback={<ActivityFeedSkeleton />}>
            <ActivityFeedWrapper promise={activityPromise} />
          </Suspense>
        </div>
      </main>
    </div>
  )
}

// Data wrapper components — Cursor generated
async function StatsCardsWrapper({
  promise
}: {
  promise: ReturnType<typeof getDashboardStats>
}) {
  const stats = await promise
  return <StatsCards stats={stats} />
}

async function ActivityFeedWrapper({
  promise
}: {
  promise: ReturnType<typeof getRecentActivity>
}) {
  const activities = await promise
  return <ActivityFeed activities={activities} />
}

// Skeleton loaders — v0 generated
function StatsCardsSkeleton() {
  return (
    <div className="grid gap-4 md:grid-cols-3">
      {Array.from({ length: 3 }).map((_, i) => (
        <div
          key={i}
          className="h-32 rounded-lg border bg-muted animate-pulse"
        />
      ))}
    </div>
  )
}

function ActivityFeedSkeleton() {
  return (
    <div className="space-y-4">
      {Array.from({ length: 5 }).map((_, i) => (
        <div
          key={i}
          className="h-16 rounded-lg border bg-muted animate-pulse"
        />
      ))}
    </div>
  )
}

💡v0 Prompt Engineering Tips

Include design tokens in the prompt — colors, spacing, font sizes match your system
Specify the component library — 'use shadcn/ui components' produces consistent output
Describe responsive behavior — 'stack vertically on mobile, side-by-side on desktop'
Include loading and empty states — 'add skeleton loaders for async data'
Paste existing CSS variables into the prompt — v0 will use your design tokens

📊 Production Insight

v0 generates visual structure but not data integration.

The data layer — fetching, caching, error handling — must be wired manually.

Rule: use v0 for the 80% that is visual, manually handle the 20% that is data.

🎯 Key Takeaway

v0 produces production-quality React components from natural language descriptions.

Prompt specificity determines output quality — vague prompts produce generic components.

The visual structure is done by v0 — the data layer must be wired manually.

Building the Backend with Cursor AI

Cursor AI generates backend code — API routes, database queries, authentication logic, and payment integrations. It understands your project context through .cursorrules files and can generate code that matches your existing patterns.

The key to effective Cursor usage is defining project context upfront. The .cursorrules file tells Cursor your coding standards, file structure, naming conventions, and technology choices. Without this context, Cursor generates generic code that may not match your project conventions.

The workflow for each feature: define the TypeScript interface first, then ask Cursor to implement the route, query, or service matching that interface. The interface constrains the AI output and ensures type safety across the application.

io.thecodeforge.saas.cursor_backend.ts · TYPESCRIPT

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229

// ============================================
// Cursor AI Generated Backend Code
// ============================================

// ---- .cursorrules (Project Context) ----
// This file tells Cursor how to generate code for this project
// Place in project root as .cursorrules

/*
Project: SaaS Application
Framework: Next.js 16 with App Router
Database: PostgreSQL with Prisma ORM
Auth: NextAuth.js with JWT
Payments: Stripe
Styling: Tailwind CSS with shadcn/ui

Coding Standards:
- Use TypeScript strict mode
- All API routes return JSON with { data, error } shape
- Use Zod for input validation
- Use Prisma for all database access
- Never use any type — always define explicit types
- Error messages must be user-safe — no stack traces
- All dates in UTC, format on the client

File Structure:
- app/api/ for route handlers
- lib/ for shared utilities and clients
- types/ for TypeScript interfaces
- prisma/ for database schema and migrations
*/

// ---- Types (defined first, then implemented) ----
// Cursor generates implementation matching these interfaces

interface ApiResponse<T> {
  data: T | null
  error: string | null
}

interface Subscription {
  id: string
  userId: string
  plan: 'free' | 'pro' | 'enterprise'
  status: 'active' | 'canceled' | 'past_due'
  currentPeriodEnd: Date
  stripeSubscriptionId: string | null
}

interface DashboardStats {
  mrr: number
  activeUsers: number
  churnRate: number
  newSignupsToday: number
}

interface CreateSubscriptionInput {
  plan: 'pro' | 'enterprise'
  paymentMethodId: string
}

// ---- Cursor Generated: Stripe Webhook Handler ----
// Prompt: "Create a Stripe webhook handler that processes
// subscription events and updates the database"

import { NextRequest, NextResponse } from 'next/server'
import { headers } from 'next/headers'
import Stripe from 'stripe'
import { prisma } from '@/lib/db'
import { stripe } from '@/lib/stripe'

export async function POST(req: NextRequest) {
  const body = await req.text()
  const headersList = headers()
  const signature = headersList.get('stripe-signature')

  if (!signature) {
    return NextResponse.json(
      { data: null, error: 'Missing stripe-signature header' },
      { status: 400 }
    )
  }

  let event: Stripe.Event

  try {
    event = stripe.webhooks.constructEvent(
      body,
      signature,
      process.env.STRIPE_WEBHOOK_SECRET!
    )
  } catch (err) {
    return NextResponse.json(
      { data: null, error: 'Invalid signature' },
      { status: 400 }
    )
  }

  switch (event.type) {
    case 'checkout.session.completed': {
      const session = event.data.object as Stripe.Checkout.Session
      const userId = session.metadata?.userId
      const subscriptionId = session.subscription as string

      if (!userId) break

      const subscription = await stripe.subscriptions.retrieve(
        subscriptionId
      )

      await prisma.subscription.update({
        where: { userId },
        data: {
          stripeSubscriptionId: subscription.id,
          status: 'active',
          currentPeriodEnd: new Date(
            subscription.current_period_end * 1000
          ),
        },
      })
      break
    }

    case 'customer.subscription.updated': {
      const subscription = event.data.object as Stripe.Subscription

      await prisma.subscription.update({
        where: { stripeSubscriptionId: subscription.id },
        data: {
          status: subscription.status === 'active'
            ? 'active'
            : subscription.status === 'past_due'
            ? 'past_due'
            : 'canceled',
          currentPeriodEnd: new Date(
            subscription.current_period_end * 1000
          ),
        },
      })
      break
    }

    case 'customer.subscription.deleted': {
      const subscription = event.data.object as Stripe.Subscription

      await prisma.subscription.update({
        where: { stripeSubscriptionId: subscription.id },
        data: {
          status: 'canceled',
        },
      })
      break
    }
  }

  return NextResponse.json({ data: { received: true }, error: null })
}

// ---- Cursor Generated: Dashboard Stats API ----
// Prompt: "Create an API route that returns dashboard stats:
// MRR, active users, churn rate, new signups today"

// app/api/dashboard/stats/route.ts

import { NextResponse } from 'next/server'
import { getServerSession } from 'next-auth'
import { prisma } from '@/lib/db'
import { authOptions } from '@/lib/auth'

export async function GET() {
  const session = await getServerSession(authOptions)

  if (!session?.user) {
    return NextResponse.json(
      { data: null, error: 'Unauthorized' },
      { status: 401 }
    )
  }

  const now = new Date()
  const startOfMonth = new Date(now.getFullYear(), now.getMonth(), 1)
  const startOfDay = new Date(now.getFullYear(), now.getMonth(), now.getDate())

  // MRR: sum of active subscription prices
  const activeSubscriptions = await prisma.subscription.findMany({
    where: { status: 'active' },
    select: { plan: true },
  })

  const planPrices: Record<string, number> = {
    free: 0,
    pro: 29,
    enterprise: 99,
  }

  const mrr = activeSubscriptions.reduce(
    (sum, sub) => sum + (planPrices[sub.plan] || 0),
    0
  )

  // Active users: users with active subscriptions
  const activeUsers = activeSubscriptions.length

  // Churn rate: canceled this month / active at start of month
  const canceledThisMonth = await prisma.subscription.count({
    where: {
      status: 'canceled',
      updatedAt: { gte: startOfMonth },
    },
  })

  const churnRate = activeUsers > 0
    ? Math.round((canceledThisMonth / activeUsers) * 100 * 10) / 10
    : 0

  // New signups today
  const newSignupsToday = await prisma.user.count({
    where: { createdAt: { gte: startOfDay } },
  })

  const stats: DashboardStats = {
    mrr,
    activeUsers,
    churnRate,
    newSignupsToday,
  }

  return NextResponse.json({ data: stats, error: null })
}

Mental Model

Cursor AI as a Context-Aware Pair Programmer

Cursor generates better code when it understands your project — .cursorrules is the key to quality output.

.cursorrules defines your coding standards — Cursor follows them in generated code
TypeScript interfaces constrain AI output — define types before asking for implementation
Cursor understands existing code patterns — it generates code that matches your conventions
Pass error messages back to Cursor for fixes — it can debug its own output
Review all security-critical code — Cursor optimizes for correctness, not security

📊 Production Insight

Cursor generates code that works — but not code that handles edge cases.

Error handling, input validation, and auth checks need human review.

Rule: treat Cursor output as a first draft, not a final implementation.

🎯 Key Takeaway

Cursor AI generates backend code that matches your project context.

.cursorrules is the key to quality — define standards before generating code.

Define TypeScript interfaces first, then ask Cursor to implement against them.

Database and Authentication Setup

Database setup and authentication are the two areas where AI assistance has the most limitations. These components require careful architectural decisions — schema design, migration strategy, auth flow, and security configuration — that AI tools handle poorly without explicit guidance.

Cursor can generate Prisma schemas and NextAuth configurations, but the human must decide the data model, relationship strategy, and auth flow. AI-generated schemas often lack indexes, have suboptimal relationships, and miss security constraints.

The recommended approach: design the schema manually, then ask Cursor to generate the Prisma schema matching your design. For auth, use a proven library (NextAuth.js) and ask Cursor to configure it — do not ask Cursor to build auth from scratch.

io.thecodeforge.saas.prisma_schema.ts · TYPESCRIPT

// ============================================
// Database Schema — designed manually, generated by Cursor
// ============================================

// prisma/schema.prisma
// Cursor prompt: "Generate a Prisma schema for a SaaS with
// users, subscriptions, and usage tracking"

// ---- Prisma Schema (Cursor generated from manual design) ----

generator client {
  provider = "prisma-client-js"
}

datasource db {
  provider = "postgresql"
  url      = env("DATABASE_URL")
}

model User {
  id            String    @id @default(cuid())
  email         String    @unique
  name          String?
  passwordHash  String
  emailVerified DateTime?
  createdAt     DateTime  @default(now())
  updatedAt     DateTime  @updatedAt

  subscription  Subscription?
  usageLogs     UsageLog[]

  @@index([email])
  @@index([createdAt])
}

model Subscription {
  id                      String   @id @default(cuid())
  userId                  String   @unique
  user                    User     @relation(fields: [userId], references: [id])
  plan                    String   @default("free")
  status                  String   @default("active")
  stripeCustomerId        String?  @unique
  stripeSubscriptionId    String?  @unique
  currentPeriodStart      DateTime @default(now())
  currentPeriodEnd        DateTime
  createdAt               DateTime @default(now())
  updatedAt               DateTime @updatedAt

  @@index([userId])
  @@index([status])
  @@index([stripeSubscriptionId])
}

model UsageLog {
  id          String   @id @default(cuid())
  userId      String
  user        User     @relation(fields: [userId], references: [id])
  action      String
  resource    String
  metadata    Json?
  createdAt   DateTime @default(now())

  @@index([userId, createdAt])
  @@index([action])
}

// ---- Auth Configuration (Cursor generated) ----
// lib/auth.ts

import { NextAuthOptions } from 'next-auth'
import CredentialsProvider from 'next-auth/providers/credentials'
import bcrypt from 'bcrypt'
import { prisma } from './db'

export const authOptions: NextAuthOptions = {
  providers: [
    CredentialsProvider({
      name: 'credentials',
      credentials: {
        email: { label: 'Email', type: 'email' },
        password: { label: 'Password', type: 'password' },
      },
      async authorize(credentials) {
        if (!credentials?.email || !credentials?.password) {
          return null
        }

        const user = await prisma.user.findUnique({
          where: { email: credentials.email },
        })

        if (!user) {
          return null
        }

        const passwordValid = await bcrypt.compare(
          credentials.password,
          user.passwordHash
        )

        if (!passwordValid) {
          return null
        }

        return {
          id: user.id,
          email: user.email,
          name: user.name,
        }
      },
    }),
  ],
  session: {
    strategy: 'jwt',
    maxAge: 30 * 24 * 60 * 60, // 30 days
  },
  callbacks: {
    async jwt({ token, user }) {
      if (user) {
        token.id = user.id
      }
      return token
    },
    async session({ session, token }) {
      if (session.user) {
        session.user.id = token.id as string
      }
      return session
    },
  },
  pages: {
    signIn: '/login',
  },
}

// ---- Global Auth Middleware (Cursor generated) ----
// middleware.ts

import { withAuth } from 'next-auth/middleware'
import { NextResponse } from 'next/server'

export default withAuth(
  function middleware(req) {
    return NextResponse.next()
  },
  {
    callbacks: {
      authorized: ({ token }) => !!token,
    },
  }
)

// IMPORTANT: Exclude webhooks and public auth routes
export const config = {
  matcher: [
    '/dashboard/:path*',
    '/api/((?!webhooks/stripe|auth).*)',
  ],
}

⚠ Database and Auth Gotchas with AI

📊 Production Insight

AI generates schemas that work but are not optimized for query patterns.

Missing indexes cause slow queries as data grows — add them based on your access patterns.

Rule: review every AI-generated schema for indexes, constraints, and relationship optimization.

🎯 Key Takeaway

Database schema and auth require human architectural decisions — AI handles implementation.

Use proven auth libraries — never ask AI to build authentication from scratch.

Global middleware is safer than per-route auth checks for enforcing authentication.

Lessons Learned and What AI Cannot Do

Building a SaaS in 48 hours with AI tools revealed clear boundaries between what AI accelerates and what still requires human judgment. The 80/20 rule applies — AI handles 80% of implementation, but the remaining 20% is the hardest and most critical.

AI excels at generating boilerplate, UI components, CRUD operations, and integration code. AI struggles with architecture decisions, security review, edge case handling, and performance optimization. The human engineer's value shifts from writing code to reviewing code, making architectural decisions, and verifying correctness.

The biggest risk is false confidence — AI-generated code looks correct and runs correctly in happy-path testing. But it often fails on edge cases, security boundaries, and production-scale data. Every line of AI-generated code that touches authentication, payments, or user data must be reviewed by a human.

io.thecodeforge.saas.lessons.ts · TYPESCRIPT

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990

// ============================================
// Lessons Learned: What AI Can and Cannot Do
// ============================================

// ---- What AI Handles Well ----

// 1. UI Components (v0)
// Prompt: "Create a pricing card with three tiers"
// Output: Production-ready React component with Tailwind CSS
// Human effort: 0 minutes (copy-paste)

// 2. CRUD API Routes (Cursor)
// Prompt: "Create CRUD routes for the products resource"
// Output: GET, POST, PUT, DELETE routes with Prisma
// Human effort: 5 minutes (review and add validation)

// 3. Database Queries (Cursor)
// Prompt: "Write a query that returns MRR grouped by plan"
// Output: Prisma aggregate query
// Human effort: 2 minutes (verify correctness)

// 4. Integration Code (Cursor)
// Prompt: "Create a Stripe checkout session for the pro plan"
// Output: Stripe API integration with error handling
// Human effort: 10 minutes (add webhook handling)

// ---- What AI Handles Poorly ----

// 1. Architecture Decisions
// AI cannot decide: monorepo vs separate repos, auth strategy,
// caching strategy, deployment model
// Human effort: 2-4 hours of design and documentation

// 2. Security Review
// AI-generated code often has:
// - Missing auth checks on new routes
// - SQL injection in raw queries (rare with Prisma)
// - Exposed sensitive data in API responses
// - Missing rate limiting
// Human effort: 1-2 hours of security audit

// 3. Edge Case Handling
// AI optimizes for happy path. Missing:
// - Concurrent request handling
// - Race condition prevention
// - Graceful degradation on service failure
// - Input validation for malformed data
// Human effort: 2-3 hours of testing and hardening

// 4. Performance Optimization
// AI-generated code is correct but not fast:
// - Missing database indexes
// - N+1 query patterns
// - Unnecessary re-renders in React
// - Missing caching layers
// Human effort: 1-2 hours of profiling and optimization

// ---- The 48-Hour Build Breakdown ----

const buildBreakdown = {
  'Architecture design': '2 hours',
  'v0 UI generation': '3 hours',
  'Cursor backend generation': '4 hours',
  'Data layer wiring': '3 hours',
  'Auth setup and review': '2 hours',
  'Stripe integration': '2 hours',
  'Database schema design': '1 hour',
  'Testing and edge cases': '4 hours',
  'Security review': '2 hours',
  'Deployment and config': '1 hour',
  'Bug fixes and polish': '4 hours',
  'Documentation': '1 hour',
  // Remaining: sleep, food, breaks
}

// Total coding time: ~29 hours over 2 days
// AI generated ~70% of the code
// Human wrote ~30% (wiring, review, edge cases, config)

// ---- Key Metrics ----

const metrics = {
  totalLinesOfCode: 4200,
  aiGeneratedLines: 2940, // 70%
  humanWrittenLines: 1260, // 30%
  timeSpentReviewing: '8 hours', // 28% of coding time
  bugsFoundInReview: 7,
  bugsFoundInProduction: 2,
  securityIssuesFound: 3, // All in AI-generated code
}

Mental Model

AI as a Multiplier, Not a Replacement

AI multiplies engineering output — but it also multiplies the consequences of mistakes.

AI generates code 10x faster — but bugs ship 10x faster too
The human's role shifts from writing code to reviewing code — review is the bottleneck
Security and edge cases are the AI's blind spots — humans must fill these gaps
Architecture decisions cannot be delegated to AI — they require understanding business context
The 48-hour build took 8 hours of review — without review, it would have shipped with critical bugs

📊 Production Insight

AI-generated code ships faster but also ships bugs faster.

The review process must scale with the generation speed — or bugs accumulate.

Rule: spend at least 25% of development time reviewing AI-generated code.

🎯 Key Takeaway

AI handles 80% of implementation — the remaining 20% is architecture, security, and edge cases.

The human's value shifts from writing code to reviewing and verifying AI output.

Every line of AI-generated code touching auth, payments, or user data needs human review.

🗂 AI-Assisted Development: v0 vs Cursor vs Manual Coding

Time and quality comparison for common development tasks

Task	Manual Coding	v0 + Cursor AI	Quality Difference
Landing page	4-6 hours	30 minutes	AI matches quality for standard layouts
Dashboard with charts	8-12 hours	1-2 hours	AI needs data wiring — visual quality matches
Auth system setup	4-8 hours	1-2 hours	AI needs security review — functional quality matches
Stripe integration	4-6 hours	1 hour	AI handles boilerplate — webhook logic needs review
Database schema	2-4 hours	30 minutes	AI misses indexes and optimizations
API routes (CRUD)	2-4 hours	20 minutes	AI matches quality for standard CRUD
Error handling	2-3 hours	30 minutes	AI generates basic handling — edge cases need manual work
Testing	4-8 hours	2-4 hours	AI generates happy-path tests — edge cases need manual tests

🎯 Key Takeaways

v0 generates UI components, Cursor generates backend logic — together they cover the full stack
AI handles 80% of implementation — the remaining 20% is architecture, security, and edge cases
Define TypeScript interfaces first to constrain AI output and ensure type safety
Every line of AI-generated code touching auth, payments, or user data needs human review
Spend at least 25% of development time reviewing AI-generated code
Use global middleware patterns instead of per-route checks to prevent security gaps

⚠ Common Mistakes to Avoid

✕Shipping AI-generated code without security review

Symptom

Authentication bypasses, exposed user data, missing input validation — all discovered by attackers, not developers

Fix

Run a security audit on every AI-generated route before deployment. Check auth middleware, input validation, and data exposure. Use automated security scanning tools.

✕Not defining TypeScript interfaces before asking Cursor to implement

Symptom

Cursor generates code with inconsistent data shapes — some routes return { data, error }, others return raw objects

Fix

Define all TypeScript interfaces in a types/ directory first. Reference these interfaces in your Cursor prompts to constrain the output.

✕Using v0 output without connecting the data layer

Symptom

Beautiful UI components that show static placeholder data — no loading states, no error handling, no real data

Fix

After generating with v0, wire the data layer: add fetch calls, loading states, error boundaries, and empty states.

✕Not configuring .cursorrules for project context

Symptom

Cursor generates code that does not match project conventions — different naming patterns, inconsistent error handling, wrong imports

Fix

Create a .cursorrules file with your coding standards, file structure, technology choices, and naming conventions.

✕Asking AI to build authentication from scratch

Symptom

Custom auth implementation with subtle security flaws — timing attacks, session fixation, weak token generation

Fix

Use proven auth libraries (NextAuth, Lucia, Clerk). Ask Cursor to configure the library, not to build auth from scratch.

✕Not testing AI-generated code with edge cases

Symptom

Code works perfectly in happy-path testing but fails on empty inputs, concurrent requests, and network timeouts

Fix

Write integration tests for every AI-generated route. Test with empty inputs, malformed data, concurrent requests, and timeout scenarios.

Interview Questions on This Topic

QHow would you use AI tools to accelerate development without compromising code quality?Mid-levelReveal
The key is treating AI as a first-draft generator, not a final implementation. My approach: 1. Define architecture first: Design the system architecture, data model, and API contracts manually. AI implements within these constraints. 2. Use TypeScript interfaces as contracts: Define all interfaces before asking AI to implement. The types constrain the AI output and ensure consistency. 3. Review every security-critical line: Auth, payments, and user data code must be human-reviewed. AI optimizes for correctness, not security. 4. Test edge cases manually: AI generates happy-path code. I write tests for empty inputs, concurrent requests, and failure scenarios. 5. Spend 25% of time on review: If AI generates code 10x faster, I spend proportionally more time reviewing. The review process must scale with generation speed. The result is 3-5x faster development with the same quality as manual coding — because the human focuses on the 20% that matters most: architecture, security, and edge cases.
QA developer on your team shipped AI-generated code that exposed user data. How do you prevent this from happening again?SeniorReveal
Systematic prevention requires three layers: 1. Code review policy: Every AI-generated code block must be flagged in the PR description. Reviewers apply extra scrutiny to AI-generated auth, data access, and API routes. 2. Automated security scanning: Add SAST tools (Snyk, Semgrep) to the CI pipeline. Configure rules specifically for common AI-generated vulnerabilities: missing auth checks, exposed sensitive fields, and weak input validation. 3. Global middleware patterns: Instead of relying on per-route auth checks (which AI may forget), enforce authentication globally with explicit opt-out for public routes. This makes it impossible to accidentally expose a protected route. This is exactly what failed in the production incident above. 4. .cursorrules security section: Add explicit security rules to the Cursor configuration: 'All API routes must check authentication. Never expose passwordHash, stripeCustomerId, or internal IDs in API responses. Always validate input with Zod.' The root cause is that AI generates code in prompt context — it does not retroactively add security to previously generated code. Global patterns and automated scanning catch what the AI misses.
QWhat is v0 and how does it differ from Cursor AI?JuniorReveal
v0 is Vercel's AI tool for generating React UI components. You describe a component in natural language, and v0 generates production-ready React code with Tailwind CSS styling. It produces shadcn/ui-compatible components that integrate with Next.js projects. v0 excels at visual output — layouts, forms, dashboards, and design systems. Cursor AI is an AI-powered code editor that generates backend logic, refactors code, and debugs issues across your entire codebase. It understands your project context through .cursorrules files and generates code that matches your existing patterns. Cursor excels at logical output — API routes, database queries, authentication, and integrations. The key difference: v0 generates what the user sees (UI), Cursor generates what the server does (backend logic). Together, they cover the full stack. But neither handles architecture decisions, security review, or edge case testing — those remain human responsibilities.

Frequently Asked Questions

Can you really build a production SaaS in 48 hours with AI tools?

Yes, but with caveats. The 48 hours includes 8 hours of code review, 4 hours of testing, and 2 hours of security audit. AI generates the code in about 7 hours, but the human spends significant time reviewing, wiring data layers, and handling edge cases. The SaaS was functional and deployed, but it was an MVP — not a feature-complete product.

Is v0 free to use?

v0 has a free tier with limited generations per month. The paid plan provides more generations and priority access. For a 48-hour build, the free tier is sufficient for generating the core UI components. You may need the paid plan for iterative refinement.

Can Cursor AI replace a backend developer?

No. Cursor accelerates backend development by generating boilerplate and integration code. But it cannot make architectural decisions, design data models, handle security review, or optimize for production scale. The developer's role shifts from writing code to reviewing code and making design decisions.

What happens when AI-generated code has a bug in production?

The same process as any production bug: reproduce, diagnose, fix, deploy. However, debugging AI-generated code can be harder because the developer did not write it and may not understand the implicit assumptions. The fix is to pass the error and relevant code back to Cursor for diagnosis — it can often debug its own output.

Should I use AI tools for my next project?

Yes, but with the right expectations. AI tools accelerate development by 3-5x for standard features. They do not replace engineering judgment for architecture, security, and performance. Use them for what they do well — generating boilerplate, UI components, and integration code. Handle architecture, security review, and edge cases manually.

🔥

Naren Founder & Author

Developer and founder of TheCodeForge. I built this site because I was tired of tutorials that explain what to type without explaining why it works. Every article here is written to make concepts actually click.

About Naren Get in touch

Forged with 🔥 at TheCodeForge.io — Where Developers Are Forged