BHMC Live
Features, How-To, and Security
east
north
west
Quick Start
- 1Sign in at /login with Google or demo password.
- 2Set up your profile at /profile. Add your cell, Venmo handle, Zelle email, and notification preferences.
- 3Post a tee time on the Tee Times tab. Pick date, time, course, spots.
- 4Add players. They can also join from the card.
- 5Add games. Skins, match play, nassau, wolf. Set buy-ins. Negotiate strokes.
- 6Change course if plans shift. Tap the course line to switch combos. Works until tee off.
- 7Tee Off. Locks the lineup, goes live. Can't score until you tee off.
- 8Score. Score tab, pick your group. +/- for strokes. Gear icon for FIR, GIR, putts, notes, photos.
- 9Watch it live. Leaderboard, skins, match play, nassau, bets, predictive scoring. All real time.
- 10Settle up. /settlements shows payouts with Venmo/Zelle links.
📊
Live Scoring
- •Hole-by-hole score entry for your entire group
- •Supabase Realtime: leaderboard updates instantly when anyone enters a score
- •Gross and net scoring with USGA handicap stroke allocation
- •Stableford scoring mode with point-based leaderboard
- •Score colors: birdie (red circle), bogey (blue square), eagle (gold), double bogey+ (dark square)
- •Track FIR, GIR, putts, and personal notes on every hole
- •Photo upload per hole: tap the camera to capture course conditions or shots
- •Predictive scoring: after 3 holes, see 'Trending toward 38' for each player
- •Premium scorecard with golf symbols, photo gallery, and game results
- •Push notifications on eagles, lead changes, and round completion
🎲
Games
- •Skins (gross and net) with automatic carryover (x2, x3 when holes tie)
- •Match play head-to-head with live score tracking (2-up, 3&2, AS)
- •Nassau: front 9, back 9, and overall displayed separately
- •Wolf: 4-player rotation with partner picking and lone wolf (3x points)
- •Stableford: point-based scoring as a game type
- •Best ball team format
- •Multiple games per round: stroke play for all, match play between two, nassau on the side
- •Stroke negotiation: before tee off, choose strokes (0-6), who gets them, which holes
- •Strokes applied to match play and nassau calculations automatically
- •Automatic skins payout: computes pot, per-skin value, net winnings per player
- •Games visible on player scorecard when you tap any player on the leaderboard
💰
Live Betting
- •7 bet types: Birdie Bet, Par or Better, Head-to-Head Hole, Over/Under, Closest to Pin, Longest Drive, Custom
- •Create bets from the admin Bets tab with proposer, accepter, amount, and hole number
- •Accept open bets, resolve with winner selection, or push
- •Admin controls live display: 'Show on Live' with confirmation dialog before broadcasting
- •Bets only appear on the leaderboard when admin approves them
- •Venmo and Zelle payment links on every payout with pre-filled amounts and handles
- •Auto-settle option in player profiles for automatic payment requests after rounds
⛳
Tee Times
- •Post tee times with date, time, front/back course selection, and open spots
- •Weather forecast on every card: high/low, rain chance, wind speed (14-day forecast)
- •Add games before teeing off: skins, match play, nassau, wolf, stableford
- •Change courses right up until tee off: tap the course line, pick a new combo
- •Tee Off button locks the lineup and goes live. No scoring until you tee off.
- •Tee time stabilizer: when someone backs out, push notification goes to all available players. First to claim gets the spot.
- •Backout fees: free before lock, $6 after, $12 no-show
- •Duplicate any tee time with one tap: copies players, games, and settings
- •Share score and live links to text your group
🏆
Season & Stats
- •Season points leaderboard: 1st=10pts, 2nd=7, 3rd=5, 4th=4, 5th=3, 6th=2, 7th+=1
- •Player profiles: career stats, avg score, best round, FIR%, GIR%, avg putts per hole
- •Round history per player with gross, to-par, and stat breakdown
- •Settlement tracker: automatic skins payouts, backout fees, bet settlements
- •Venmo/Zelle payment links with actual player handles from profiles
- •Social feed: auto-generated entries when rounds complete, visible at /feed
👤
Player Profiles
- •Edit profile: cell phone, bio, favorite course
- •Payment: Venmo handle, Zelle email, auto-settle toggle
- •Notification preferences: score updates, tee time activity, bets (each toggleable)
- •SMS notification opt-in (requires cell phone on file)
- •Sign out from profile page
- •Admin link visible only to admin users
- •View your stats and settlement history from profile
⚙️
Admin
- •Google OAuth login or demo password (env-var only, no hardcoded defaults)
- •Create player accounts: name, email, handicap, player/admin role
- •User management: set emails for Google login, Venmo handles, toggle roles
- •6 admin tabs: Events, Score, Players, Games, Bets, Settings
- •Create events with auto-open to setup screen (Add Players, Add Games, Tee Off)
- •Scoring permissions: admin only, everyone, designated scorer
- •Duplicate any event with one tap
- •Flight management by handicap range
- •Invite system with cryptographically secure codes
📱
Mobile First
- •PWA: installable on iPhone and Android from browser
- •Bottom tab navigation: Home, Live, Score, Games, Tee Times
- •Push notification bell in nav bar: subscribe with one tap
- •TV mode for clubhouse projector: auto-scroll, wake lock, hidden nav
- •Offline caching via service worker
- •GHIN export: copy formatted score to post
- •Home screen shows live events and upcoming tee times for 2 weeks
How Scoring Works
The flow: Create event or tee time. Add players. Add games. Change course if needed. Tee Off. Score. The Score tab only shows events that have teed off.
Permissions: Everyone scores their own, one designated scorer for the group, or admin only. Stats (FIR, GIR, putts, notes, photos) are always yours regardless of who enters strokes.
Net scoring: Handicap strokes auto-allocated by USGA hole difficulty ranking. Leaderboard toggles gross/net/stableford.
Skins carryover: Tied hole carries to the next. x2 = one carry, x3 = two. Can't win gross and net on the same hole.
Match play: Lower score wins the hole. "2-up" = leading by 2. "3&2" = clinched with 2 left. Nassau splits into front/back/overall.
Stroke negotiation: On match play and nassau, set strokes before tee off. Pick count (0-6), receiver, and specific holes. Strokes subtract from that player's score on those holes during match calculation.
Who Can Do What
| Action | Player | Admin |
|---|---|---|
| View leaderboard | Yes (no login) | Yes |
| Post tee time | Yes (logged in) | Yes |
| Join tee time | Yes (logged in) | Yes |
| Add games | Yes (own tee time) | Yes |
| Enter strokes | Per event permission | Always |
| Edit own stats/notes/photos | Always | Always |
| Edit own profile | Yes | Yes |
| Edit other profiles | No | Yes |
| Create player accounts | No | Yes |
| Create/resolve bets | Propose only | Full control |
| Show bets on live display | No | Yes (with confirmation) |
| Delete events/players | No | Yes |
| Change user roles | No | Yes |
Security
Audited April 10, 2026. 14 findings identified, 12 fixed, 2 planned for pre-payment release.
B
Current Security Grade
All write endpoints authenticated. Role-based access control. No hardcoded secrets. Cryptographic session management. Safe for real players. Payment features gated behind Tier 2 audit.
Security Checklist
✓
Authenticated API writes
All 14 API routes require session token for POST/PATCH/DELETE. Public GET preserved for leaderboard.
✓
Role-based access control
Admin actions (create players, delete events, manage bets) require admin role. Players can only edit own profile.
✓
No hardcoded secrets
No passwords, API keys, or secrets in source code. All sensitive values are environment variables on Vercel.
✓
Cryptographic session secret
32-byte random NEXTAUTH_SECRET generated via openssl. Not a placeholder, not guessable.
✓
Secure invite codes
Invite codes use crypto.randomBytes, not Math.random. 8 hex characters, 32 bits of entropy.
✓
Photo upload validation
Only image MIME types accepted (JPEG, PNG, WebP, GIF, HEIC). 10MB size limit enforced server-side.
✓
Scoring permission enforcement
Score API enforces event-level permissions. No unauthenticated bypass. Stats always editable on own holes.
✓
Profile edit isolation
Players cannot edit other players' profiles. Role changes require admin. Name/email changes require admin.
✓
Bet display gating
Bets only shown on live leaderboard when admin explicitly approves with confirmation dialog.
✓
Database RLS enabled
Row Level Security on all 15 tables. Public read policies. Writes go through API routes with auth, not direct DB access.
✓
HTTPS everywhere
Vercel enforces HTTPS. All API calls, auth redirects, and push subscriptions use TLS.
~
Input validation on uploads
Photo uploads validated. Full schema validation (Zod) planned for all API inputs before money features go live.
○
Rate limiting
Not yet implemented. Planned before payment features activate. Low risk for current user count.
○
Audit logging
Planned for Tier 2 before Venmo/Zelle auto-settlement. Will log bet resolutions, settlements, and role changes.
How We Compare
BHMC Live vs popular golf apps on security fundamentals.
| App | Auth | API Security | Data | Cost |
|---|---|---|---|---|
| Golf Genius | Email/password | Proprietary (closed) | Yes (enterprise) | $2,500+/year for clubs |
| 18Birdies | Email/Google | Proprietary | Yes | Free + $99/yr premium |
| TheGrint | Email/Google | Proprietary | Yes | Free + $79/yr premium |
| BHMC Live | Google OAuth + Demo | Auth on all writes, RBAC, RLS | Supabase TLS + RLS | Free (Supabase free tier) |
Golf Genius, 18Birdies, and TheGrint are proprietary. Their security details are not publicly audited. BHMC Live has been audited by automated security tools and manual code review.
Secured Now
- ✓All API write endpoints authenticated
- ✓Admin role required for destructive actions
- ✓No secrets in source code
- ✓32-byte cryptographic session secret
- ✓Crypto-secure invite codes
- ✓Photo upload type + size validation
- ✓Scoring permission enforcement
- ✓Profile edit isolation (own data only)
- ✓Bet display admin-gated with confirmation
- ✓Database RLS on all tables
- ✓HTTPS enforced on all traffic
Planned (Pre-Payment)
- ○Full input validation with Zod schemas
- ○Rate limiting on auth endpoints
- ○Audit log for bet/settlement actions
- ○Generic error messages (no DB details)
- ○VAPID key rotation
- ○Content-Security-Policy headers
- ○Server-side backout timing validation
Back to BHMC Live
Built for Bunker Hills Men's Golf Club, Coon Rapids MN
Security audit: April 10, 2026. 14 findings, 12 fixed, 2 planned.