Userbase is the easiest way to add user accounts and data persistence to your static site. All Userbase features are accessible through a very simple JavaScript SDK, directly from the browser. No backend necessary.
Naive question maybe. If I get hold of an app ID and basically spam it, what happens? What if I create a phishing site and use the app ID to get the username, password and then on passing it to userbase using the same app ID, I could get more user information? Maybe I'm missing something in how this works...
@jumbld Userbase dev here. Sorry for the late response, not naive at all! These questions have come up multiple times and we discussed this topic while building it out.
--- If I get hold of an app ID and basically spam it, what happens?
Today, you could create a bunch of new users on that app and push the total amount of data stored for the app over the 1 GB limit. This is currently a soft limit however. From our FAQ on what happens if you exceed this limit:
> At the moment, Userbase is not metering data storage, and nothing will happen if you exceed it. In the future, Userbase will have other pricing plans that allow higher storage volumes. If you happen to be exceeding the limit when these new pricing plans become available, we will ask you to upgrade to the new plans.
Source: https://userbase.com/docs/faq/
If there is foul play involved in getting your app pushed over the limit, you would not be expected to upgrade.
We are also planning to add spam mitigation features (not a robot, captcha, rate limits by IP, email validation, etc.) to prevent someone from easily creating tons of accounts.
--- What if I create a phishing site and use the app ID to get the username, password and then on passing it to userbase using the same app ID, I could get more user information?
We’re planning to add an origin whitelist to protect against this threat.
More on this here: https://twitter.com/richcorbs/st...
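An added example, not part of the thread and not Userbase code: one way a backend could enforce the kind of per-app origin allowlist mentioned in the reply above. The app ID, the origins and the function names are assumptions made for illustration.

```javascript
// Added illustration; the app ID and origins below are constructed.
const ALLOWED_ORIGINS = new Map([
  ['app-id-placeholder', new Set(['https://notes.example', 'http://localhost:3000'])],
]);

// Reduce an Origin header value to scheme://host[:port], or null if unusable.
function normaliseOrigin(value) {
  if (typeof value !== 'string' || value === 'null') return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // A real Origin value has no credentials, path, query or fragment.
  if (url.username || url.password || url.search || url.hash) return null;
  if (url.pathname !== '/') return null;
  return url.origin; // lower-cased host, default port dropped
}

// Exact match against the app's allowlist; unknown apps and missing
// headers are rejected rather than waved through.
function isOriginAllowed(appId, originHeader) {
  const allowed = ALLOWED_ORIGINS.get(appId);
  const origin = normaliseOrigin(originHeader);
  return Boolean(allowed && origin && allowed.has(origin));
}
```

The comparison is on the whole origin, so look-alike hosts that merely contain or end with an allowed name do not pass. It constrains requests made from a browser, because the browser is what sets the Origin header.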
Hey PH! 👋
Userbase is the easiest way to add user accounts and data persistence to your static site.
After almost 9 months of preparation, Userbase is ready for use, and I would be honored to have you try it.
Some highlight features:
- Super simple JavaScript SDK.
- User data is end-to-end encrypted.
- Predictable pricing. (You won't need a cost calculator.)
- 100% open source, MIT licensed.
The fastest way to get started is to create a free admin account and follow our Quickstart guide. And if you have any questions, please ask me anything.
Thank you! 🙏
@dvassallo From what I see, this product has great potential. Only thing I'm not too sure about is pricing: why can't we *grow* together?
On one hand, 49$/year is cheap; on the other, there is no decent free tier.
I'd love userbase to be a platform where I can test out small ideas (for free, Heroku style), build a userbase, and, if it goes big(-ish), or if it starts making money, upgrade to a paid plan.
I have a free Heroku app at the moment that just is starting to get revenue. About time I upgrade to the 7$/month (read: 84$/year) plan.
@dvassallo @ronyfadel I actually like the fact that they immediately ask for money. If you want to try it out, you can self-host it.
I feel we all have been burned too many times by startups that have a free tier but charge way too much money after a while because they ran out of capital.
Hi. I read through the docs and it looks like a lot of work has gone into it! How do you see this working in a production environment with no password reset ability given the key encryption implementation?
@tomfrazier Plenty of apps are starting to support end-to-end encryption, and they all require the password (or some other key) to get access to the account. We're seeing that users are starting to become accustomed to protecting their password/key in exchange for a very high level of data privacy. Password managers are one type of app where this has been the case for a long time. And more recently, plenty of productivity tools, such as Bear.app, Standard Notes, Inkdrop, and others have added e2ee without the ability to reset the password.
That said, Userbase has a way to allow password resets if the user still happens to have access to a previously used device, and has also allowed the session to persist in local storage (after closing the window). We chose not to release this feature for now, but we can easily do it if we see that there's a need for it.
@dvassallo Thanks for the response. Is the password reset method available that COULD be implemented via arbitration key or similar? I really like the userbase model but for my use case, and I'm sure many others, password reset is a 'must' requirement.
@tomfrazier What's an example that uses an arbitration key? (I'm not aware of this method.) But there's always going to be something that the user has to hold onto for end-to-end encryption to work. It doesn't have to be the password though.
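An added example, not part of the thread and not Userbase's implementation: a generic sketch of why an end-to-end encrypted account cannot be reset by the server alone, yet can be reset from a device that still holds the key. It assumes a random data key wrapped under a password-derived key (scrypt plus AES-256-GCM, via Node's `crypto` module so it runs offline); all function names are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// Derive a 256-bit key-encryption key (KEK) from the password.
function deriveKek(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32);
}

// Wrap the data key under the KEK with AES-256-GCM.
function wrapKey(kek, dataKey) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', kek, iv);
  const ct = Buffer.concat([cipher.update(dataKey), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Unwrap; final() throws if the KEK (i.e. the password) is wrong.
function unwrapKey(kek, wrapped) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', kek, wrapped.iv);
  decipher.setAuthTag(wrapped.tag);
  return Buffer.concat([decipher.update(wrapped.ct), decipher.final()]);
}

// Sign-up: the server record holds only the salt and the wrapped key.
// The plaintext data key stays on the device (e.g. a persisted session).
function signUp(password) {
  const dataKey = nodeCrypto.randomBytes(32);
  const salt = nodeCrypto.randomBytes(16);
  const record = { salt, wrapped: wrapKey(deriveKek(password, salt), dataKey) };
  return { record, dataKey };
}

// Sign-in on a new device: only the right password recovers the data key.
function signIn(record, password) {
  try {
    return unwrapKey(deriveKek(password, record.salt), record.wrapped);
  } catch {
    return null;
  }
}

// Reset: a device that still holds the data key re-wraps it under a new
// password. Without that device copy there is nothing to re-wrap.
function resetPassword(deviceDataKey, newPassword) {
  const salt = nodeCrypto.randomBytes(16);
  return { salt, wrapped: wrapKey(deriveKek(newPassword, salt), deviceDataKey) };
}
```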
I was working on a privacy-first app when I discovered this product that @dvassallo was building. I loved the idea of being able to build an application with user authentication and an end-to-end encrypted data store without having to write or host a single line of backend code.
The brilliance of this product is its simplicity. Daniel is a deep thinker (follow him on Twitter if you don't already) and was able to take two concepts fundamental to building an application, authentication and state, and distill them into a small, 10-function SDK. The end result is that you can now build an incredibly rich application in a single static HTML page. Incredible!
I also want to mention that I had the opportunity to help Daniel and the Userbase team a bit on the product and can't speak highly enough about their approach. I've seen plenty of smart people write great software but never have I seen such clarity of thought. No buzzwords or smoke and mirrors here, just a simple, built-from-first-principles service that can help you build great things.
@dvassallo This is a fantastic product. Client side apps are becoming more common but it always feels like the auth is a pain to implement. This is an elegant solution to an issue every dev runs into.
This is fantastic (cheers to the makers!)
I've been playing with it for a few hours. With Userbase and Svelte, I built a rudimentary version of an app idea I've had for a few years now. Userbase is insanely fast to build on.
Ran into no major issues – this thing is starting off quite strong. Usually these kinds of things launch with a few major gaps.
I absolutely love that everything is end-to-end encrypted. I tend to build stuff in the personal information management space, and being able to guarantee that no one can read users' PI is huge. The lack of this feature is why I have played with but ultimately avoided all other BaaS offerings.
With the complexity of GDPR compliance, the Userbase team hit the nail on the head with this server-less product. I can’t wait to give this a go!