
Password-less login using Stripe. Crazy?

Hi,

The other day, out of frustration, I had an idea for a product that uses Stripe as a backend for user authentication and authorization.

I feel like user management is unnecessarily complex, and I dread every time I need to implement it in my products, mainly because it's outside the scope of what they should do, and I think I'm not alone.

I hacked a quick prototype to validate my idea, and it works pretty well, but before going all-in, I was hoping to learn a bit from other indie hackers and hear your comments or feedback.

If you want to read more about it, I fleshed out my thinking behind it and published it on https://neologin.co.

So what do you think? Would you use a service like that?

Cheers.

  1. 3

    To me, this idea doesn't make sense at all.

    There are ways that are waaay easier. I do understand that user management is a pain, but the way Stripe handles users is for its own use case -- namely, for payment(s).

    You need user management for your own app - your own extra information about the user. Thus, your own database, tables, and so on.

    Not to mention that if you make any mistake on implementing the Stripe integration, and someone steals your private Stripe key, it's bye bye business for you.

    The whole point of integrating Stripe into a website is to be a black box, and touch that code as few times as possible.

    So yeah, to me this sounds like a very bad idea.

    1. 1

      I should have added more details, but the idea is that if needed you can still have your own user table to store extra info. Also, Stripe supports metadata in the customer object that can be used to store things like API keys and so on.

      Neologin will just facilitate login using email only and matching that against Stripe to check if the user has an active subscription. After that, a JWT token gets saved as a secure first-party cookie that you can use either via backend or frontend to check if the user is logged in or not, so you can grant access depending on whatever flow you have in your app.

      Also, with Stripe Connect I don't need access to your API keys; if you grant access to Neologin with Stripe Connect, I can have read access to Stripe on your behalf.

      Thanks for your feedback!

      1. 1

        If you think this is a good idea, go ahead.

        Or, you could simply create a solution that deals with user management without Stripe.

        Neologin will just facilitate login using email only and matching that against Stripe to check if the user has an active subscription

        Personally I'm still skeptical whether this is a good idea -- and I for one would never give read Stripe access to anyone.

  2. 2

    I thought about doing that, though with Gumroad instead of Stripe because Stripe isn’t a merchant of record. I think at the end of the day, it just won’t cover your needs. You’ll end up needing to store additional information for users. Then, maybe you’ll need relationships between your users and organizations or other models. Finally, there’s the doomsday scenario of having your application with a single point of failure on Stripe.

    Most applications end up needing a relational database—looking at you MongoDB! And as nice as it would be to completely avoid that complexity, you will be able to develop better products because you learned it and can use it.

    Afterthoughts: ahh, I see that conflicts with your premise of Neologin. I think you have found a pain point. I think you see the appeal of using something like Stripe to handle authentication and launch quickly. Is this an open source project or a SaaS offering? Either way, probably not for me.

    1. 1

      Right, it could've been Gumroad as well, or actually any other place where you store your users. I narrowed it to Stripe because it's almost ubiquitous for indie hackers and small SaaS products.

      The idea is that with Neologin you use Stripe to make sure the user is valid and has an active subscription. From then on you'll have a JWT going around to identify that a particular user has logged in, and from that point on you can do whatever you want to grant or restrict access to certain features or pages, etc., in your product.

      You can still have your own DB, could be Mongo, RDS, but the premise is that you don't need to worry about setting up all the auth part of it; Neologin will handle it.

      As for the single point of failure, I think if Stripe is down you have bigger problems. Also, the same thing can happen with MongoDB and others.

      Neologin will be a SaaS. I only have a proof of concept at this point. Code is open source for now https://github.com/eduardosasso/neologin

      Thanks for your input.

  3. 2

    True, very true. I'm not sure if services like https://chartmogul.com/ let you handle account management or if they are analytics. The truth is a lot of us here probably handle user management the old-fashioned way:

    1. log in to Stripe, make changes manually
    2. painfully build our own crappy admin page without CSS just so we can reset a password
    3. do stuff directly in phpMyAdmin or in the database directly.

    Frankly, Stripe should launch their own backend management tool, but I guess they have more important things to do.

    An integrated tool for user admin that is secure, with certain read access for user management, could work. However, I do know that the Stripe API is limiting: it's either all access or none, and some fields like meta fields don't get sent over. -- Rishi

    Good luck, Eduardo.

    1. 1

      Yeah, that's how I used to do it. The old-fashioned way, but sometimes it takes almost as much time as building the app itself.

      Stripe has the customer portal to allow you to update your billing, plans, etc., but that requires you to generate a dynamic URL, so you need code for that, and it's something that Neologin will do automatically, for example.

      Like I mentioned in the other comments, the idea is that you're not restricted to having a user database of some sort; you'll just have Neologin to help you with passwordless login and user auth, using Stripe as the source of truth. From there you can do whatever you want in your app.

      Thank you.

  4. 1

    From what I grasp, it sounds like an abstraction over validating subscription state with Stripe as a source of truth to determine authorization state through a JWT claim. I'll admit, you can accomplish this quite easily with a typical IAM platform like Okta or Auth0.

    Therefore, I could see this as a cross-platform integration for a pre-existing IAM platform (Okta, Auth0, etc) to a payment platform (Square, Stripe, etc) or a stand-alone service similar to magic.link.

    If you are passing back a JWT to the application, you'll slowly be pressed to develop IAM like features, so perhaps an approach similar to magic.link would be needed here.

    1. 1

      You're right, these tools provide the complete package, but you need to get your hands dirty to make it happen, and that's what I want to address with Neologin.

      Like you said, Neologin will abstract everything for you, not only the implementation but also the UI to sign in and emails, and will also have a default admin page for the user with at least access to the Stripe customer portal to manage your billing.

      With a JWT secure token floating around, you can just verify if the token is valid and not expired and grant or deny access to features based on your use case.

      Thanks for your feedback.

      1. 1

        The JWT works nicely if it's a boolean (subscribed/not subscribed), but how would you handle custom subscription tiers or roles without allowing customization of scopes and claims during the JWT minting process? Perhaps I'm thinking of a bit more advanced customer here.

        1. 1

          I'm trying to focus initially on common use cases, but I imagine the JWT having claims like the name of your subscription, for example, and then on your backend you map that to a specific role or something.
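The token flow sketched across these replies (mint a JWT once the Stripe subscription check passes, store it in a secure first-party cookie, verify signature and expiry on each request, and map a plan-name claim to an app role) as an added example. This is not code from the post or from the Neologin repository; it uses only the Python standard library with a hand-rolled HS256 JWT. The secret, the `neologin` issuer string, the one-hour lifetime and the `ROLE_BY_PLAN` table are all assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo secret shared by the login service and the app backend.
# A real deployment loads it from a secrets manager, never from source.
SECRET = b"constructed-demo-secret-do-not-reuse"
ISSUER = "neologin"          # hypothetical issuer name used for the "iss" claim
SESSION_TTL_SECONDS = 3600   # assumed session lifetime

# Hypothetical mapping from the plan name carried in the token to an app role.
ROLE_BY_PLAN = {"free": "viewer", "pro": "editor", "team": "admin"}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(email, plan, secret=SECRET, now=None, ttl=SESSION_TTL_SECONDS):
    """Mint an HS256 JWT after the subscription check has passed.
    The plan name rides along as a claim; the app maps it to a role later."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": email, "plan": plan, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token, secret=SECRET, now=None):
    """Return the payload if algorithm, signature, issuer and expiry all check out,
    otherwise None. Every failure path returns None so callers fail closed."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm: the "alg" field in the token never selects the verifier.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, (h + "." + p).encode(), hashlib.sha256).digest()
        # Constant-time comparison so signature checking does not leak timing.
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))
        if not isinstance(payload, dict) or payload.get("iss") != ISSUER:
            return None
        if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
            return None
        return payload
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None


def role_for(token, secret=SECRET, now=None):
    """Map the verified token's plan claim to an app role; unknown plans get no role."""
    payload = verify_jwt(token, secret=secret, now=now)
    if payload is None:
        return None
    return ROLE_BY_PLAN.get(payload.get("plan"))


def session_cookie(token):
    """Set-Cookie value for a first-party session cookie: not readable by page
    scripts, sent over HTTPS only, and withheld on cross-site requests."""
    return "session=" + token + "; Path=/; HttpOnly; Secure; SameSite=Lax"
```

The app backend only needs `verify_jwt` and `role_for`; the `plan` claim is the "name of your subscription" idea from the reply, and an unrecognised plan deliberately yields no role rather than a default one.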

  5. 1

    As a developer I think it's fun to think of creative ideas like this to solve problems, so kudos for thinking outside of the box!

    If it's passwordless, does that mean someone just needs to know my email, and as long as it's in Stripe it will log them into my account?

    1. 1

      They might know your email, but they don't have access to your inbox. With a passwordless login you will receive an email with a magic link that is valid for a short period, so you can auto-login to your account when you click on it.

      There are also other security measures in place to make sure people don't steal your authentication token, etc.

      Thanks for your feedback.
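The magic-link half of the flow from this reply (email-only login, a link that is valid only briefly, Stripe as the check for an active subscription) as an added example, not code from the post or the Neologin repository. It assumes a hypothetical verify URL, a 15-minute window (the reply only says "a short period"), and a constructed dict standing in for the Stripe customer lookup. Tokens are stored hashed and consumed on first use, so a copied link cannot be replayed and a leaked store does not contain usable links.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

MAGIC_LINK_TTL_SECONDS = 15 * 60                 # assumed validity window
VERIFY_URL = "https://app.example/login/verify"  # hypothetical callback URL

# Constructed stand-in for looking the email up in Stripe and checking for an
# active subscription; the real service would call the Stripe API here.
ACTIVE_SUBSCRIBERS = {"ada@example.com": "pro"}


def has_active_subscription(email):
    return email in ACTIVE_SUBSCRIBERS


class MagicLinkStore:
    """Pending magic links keyed by SHA-256 of the token, so a dump of this
    store (or its database equivalent) does not yield clickable links."""

    def __init__(self):
        self._pending = {}  # token hash -> (email, expires_at)

    def issue(self, email, now=None):
        """Return a magic link for an active subscriber, or None.
        The user-facing message should read the same in both cases so the
        login form does not confirm which addresses are customers."""
        if not has_active_subscription(email):
            return None
        now = int(time.time()) if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        key = hashlib.sha256(token.encode()).hexdigest()
        self._pending[key] = (email, now + MAGIC_LINK_TTL_SECONDS)
        return VERIFY_URL + "?token=" + token

    def redeem(self, token, now=None):
        """Exchange a token for the email it was issued to, or None.
        The entry is removed on the first attempt whether or not it is still
        valid, so a link is single-use even if it has expired."""
        now = int(time.time()) if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(key, None)
        if entry is None:
            return None
        email, expires_at = entry
        if now >= expires_at:
            return None
        return email


def token_from_link(link):
    """Pull the token out of the clicked link's query string."""
    return parse_qs(urlparse(link).query).get("token", [""])[0]
```

Once `redeem` returns an email, the service would mint the session token for it; a successful redemption is the only point at which the browser ever learns anything, which is what answers the "someone just needs to know my email" question.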

      1. 1

        Love it! Thanks for clarifying that, Eduardo.
