Cloud-based User Management for Web Apps (userapp.io)
109 points by typerandom on Oct 5, 2013 | 78 comments

Why? Honestly, how can you "outsource" such a vital part of your web app to a third party? Not only is this a privacy disaster but also, if this user service goes down or has a temporary downtime, your own business is effectively unusable.

I understand that it makes sense to not write these types of user functions and management things over and over again. The solution however, is not a SaaS, but a library or a little framework. And from what I remember, major Web development frameworks offer exactly these types of functionality.

I don't want to be a downer and you guys probably spend a lot of time on the product, but from my perspective, any business owner using a third party to handle user data acts irresponsibly. You OWE it to your users to keep their data as tight and as centralized in one spot as possible – a spot only you and employees have access to and servers only you rented and have access to and not a third party.

I'd even rather use Wordpress as a basic user management platform than use a third party service. This way, it is at least fully under my control and I'm the only one responsible if things get broken or data gets stolen.

One possible use case: Let's say you are building a new app and you don't know if it will be successful. At this point you are supposed to be working on the core. You are supposed to be talking with the users as soon as possible. You are not supposed to spend your time on things that don't matter such as registration, email delivery, forgot password.

If the app becomes successful you can always implement these things in house later.

Right. So instead of working in creating a user system, you integrate your core to another system.

Or you could, well, let's say, use a library or framework and spare you the work of integration too!

Please, in every language there are tons of libraries dealing with this stuff, starter projects with these functionalities ...

    At this point you are supposed to be working on the core

Invoicing, Price Plans and Payment. These are not normally built in. Basic user management is, but not those things.

I don't have a dog in this fight, but sometimes, companies are left with no other solutions. We had some websites hosted with Wordpress VIP. Because of their full page caching and just general restrictions, creating a login and user registration system like we wanted was not possible. We had to use a 3rd party hosted solution that loaded with JavaScript (we used Gigya). Before that, I thought exactly as you do.

There is a reason Gigya just raised 25mm more dollars. Granted, they do more than just user login as a service.

Gigya looks to be a lot closer to a DMP in an advertising world than a SaaS login service. They help get visitors to identify themselves; that's a completely different positioning and feature set.

Knowing my audience and being able to monetize that is not the same as managing billing.

That said, it does sound kind of interesting, but from my own experience, I'd probably choose to build payments and billing myself.

OP here.

Exactly because of this reason, you should use us. We have built a low-latency HA platform. And it's our core business. This means that we will do it the best way possible.

I can understand your concerns, but you could try us out on a smaller project to begin with. Or wait until we launch our licensed version which will allow you to install the system in your own environment. I.e. keeping the data safe with you and under your control :)

But it might cost a little bit more than $9 :)

Honestly HA doesn't really tell anyone anything about what would be my bigger concern... security of the platform.

What kinds of IDS solution do you currently have in place for starters? Are you using a software or hardware IDS? How are you doing monitoring of the IDS logs and reporting?

Have you done penetration tests beyond some sort of SaaS utility and hired a third party company to run them with a skilled analyst? How are you sanitizing input from external applications as you have to assume the incoming requests are suspect, etc.

Being marketed as a HA management platform doesn't really help me... If my server isn't stable enough to handle user management, it sure isn't stable enough to handle my actual service.

Because we can spend that energy on product development. Once your product takes off, we can migrate. But a service such as this (I use dailycred.com) is very useful for MVPs.

Great job guys! I have a feature request: is it possible to also save private keys through your service?

I would like to run Javascript on the client that gets a user's private key from you, and decrypts their data on the client.

Do you have thoughts for something like this?

I do see the appeal of this kind of service. I understand enough about security to know that it is difficult to get right.

The library approach that I have tried with things like django etc. tends to need plugins for a lot of use cases, and I do not understand what pieces of code are interacting with each other, which is a big red flag. More complex SSO systems seem massively overcomplicated and difficult to configure.

I want something with the simplicity and definitiveness of an apache htpasswd file with a friendly user interface and assurances about security/hashing etc.

You could say that about ANY cloud product though.

Yes, you could.

If it's a part of my service, I want it on my servers.

Which is an expensive way to run a company.

Very few startups start with their own server rooms, because part of the "failing fast" is failing cheap. And if you are making infrastructure investments before you find product market fit - well, you aren't failing cheap.

I do think there is inherent value in controlling your whole stack, and running all things on your own servers, but I think this is a bit of a luxury most young companies can't afford.

I don't understand this comment.

On digitalocean you can get 4G RAM for 40/month, 8G for 80. Running nginx and your favorite backend of choice, you will be able to handle any traffic your startup is getting. If you can't, you are already so successful that paying more won't matter....

This is a simple enough misunderstanding

I don't think that you own a Digital Ocean or EC2 instance - you rent them the same way you are renting the service this thread is talking about. Given that chrismonsanto is taking an even more hard line approach to controlling his stack than I do, I'm assuming he agrees (I know - dangerous).

When I talk about my servers I'm talking about things sitting in my racks (possibly in my server room), that I can rip components out of and upgrade. I'm talking about very expensive things, if not in terms of purchase price, certainly in terms of care and maintenance.
And to tie it back up to my other comment, I think there is value in owning your own servers, and in coding your stack from top to bottom, and having no external dependencies. But I think these are both very expensive choices - and the kinds of choices most startups don't have the time/money for.

> Given that chrismonsanto, is taking an even more hard line approach to controlling his stack than I do, I'm assuming he agrees (I know - dangerous).

I'm actually OK with using something like EC2, because I control what runs on it. If I feel I can't trust EC2, or that it is too expensive, I can purchase my own hardware and move my stack to that. However, if I outsource my user management, I imagine the interfaces will be proprietary, and I will have to tear up my stack quite a bit to switch. I don't like that risk.

> I think there is value ... in coding your stack from top to bottom, and having no external dependencies

I'm also OK with having dependencies on other people's work, I just want the source code available so I can fix up things if necessary. I don't even require that the software is 'open source' or 'free software', since I don't plan to redistribute my changes. I do currently have one component in my stack that is proprietary (with source) and I have very much appreciated the ability to fix up things that didn't fully integrate with the rest of my service.

Ah, okay I get it. Thanks for explaining.

Of course, there are levels of dependence, and I think hosting on amazon or DO represents a much, much smaller risk than outsourcing your user management to a startup (or even a well-established company, for that matter).

I don't know anything about 'failing fast' or other startup methodologies (I'm here for the hacker part of this community, not the startup part).

Is this product designed specifically for startups? Is it intended to be removed later when you have 'found product market fit'? Isn't it more expensive to be locked in to this platform, which you don't have the source to, and can't modify if it doesn't 100% meet your needs?

"can't modify if it doesn't 100% meet your needs?" And it's even more expensive to spend developer time doing it, then finding out no one wants your product.

That's what's meant by failing fast. Find a quick way to validate your product in the market, then fail. Don't spend ages working on a product that will never work.

Exactly. His point applies to those other cloud services too.

This is why OAuth.io is open source, and you can choose to have a commercial license if you want to avoid GPL.

I wish you the best of luck with this. It's really well designed.

I launched a very similar service named Accthub about 18 months ago and unfortunately it didn't fare well. Now, there's Mozilla Persona, Stormpath, Userapp, and probably several others in the same space.

Hope you can turn it into a legit business, but the general issue developers had was:

1) This is not a legit issue I have, my framework can handle this in a matter of a few minutes, maybe an hour or two if I want something really complex.

2) Privacy concerns.

3) High availability issues.

Best of luck, I will be monitoring your service closely because I want it to do well.

Looks intriguing and I can tell you guys have spent a lot of time on the feature-set. But the biggest thing that will hold me back (and maybe others) is a lack of clarity about security and my data (what happens in the event that you are down? in the event that you close shop?)

OP here.

This is something that we are very aware of. We only have good intentions and want our users to feel 100% secure with us. If you don't, please let us know how we can change that! :) We don't have it now, but we will make it possible to export all of the data in UserApp at any time.

Regarding security and privacy we have written a section about it here: https://help.userapp.io/customer/portal/topics/550128-securi...

Additionally, everything is SSL and passwords are stored using bcrypt. And we will make it possible to login using 3rd party providers later (OAuth). From a personal perspective, we will run this ship to the end of the world if we have to. Since we're developing quite a few other services (www.amail.io to mention one) we are also basing all our services on UserApp.

This sounds pretty good at a first look - so why do you bury it somewhere deep in the help section?

Yeah, it's the number one concern with this type of product. So it might even be good to have a security section on the front page, to ease nerves.

OP here.

I totally agree. Don't know how we could miss putting it up there. I will see to it that this gets the attention it needs on the front page. Thanks! :)

Could you do nightly SCP backup of my entire user database to my own server?

Seconded. How is user information stored? What's your crypto scheme? Can I get all my data out of the system if you go down or I want to change platforms?

Exactly what I thought! I find it nice, but why would I let a third party manage the most critical part of my platform: my users? You close shop unexpectedly, I close shop. You are down? I am down too.

The dependency between my system and this one would be way too great to consider the option.

Yes, same here. Where and how is the data stored, what about security? After all, their business model means that they are dealing with one of the most precious parts of other businesses, so I would expect way more information here.

I am in the same boat and I'd suggest that apart from answering here you should put the relevant information on the front page of your project also. It'd be a pity to lose customers because of lack of clarification.

Would be interesting to see the comparison of this against https://www.dailycred.com/

DailyCred cofounder here.

We do not (currently) manage pricing and plans for you, so that's a plus for UserApp.

We are more focused on user management, oauth simplification (FB, Twitter), auth, and user analytics.

We're also VC backed (Google Ventures) and are storing millions of accounts. Because we have a few larger clients bringing in real revenue, we're not going anywhere anytime soon.

Some unsolicited advice for UserApp:

* You need to address lock-in. It's the first thing everyone asks us. We designed our platform for zero lock-in and account portability for this very reason.

* This space can be a hard sale. People are reticent to store their user data in the cloud. (As they should be!) Compare that to the next social/mobile app that people will try on a whim. That's the bad news, but the good news is once you've "wowed" a customer, they will likely be a customer for a very long time -- even if you make export easy.

* Lastly: good luck!

This looks great! For me as a developer, who considers using it for a side project, I would even bother to spend the $9 for the development version. Would be great to have a (user limited?) forever free account.

Good luck. I have been using http://dailycred.com/ for a year now and am very happy with it. They have a free account available too, which is definitely needed to try a product such as yours.

You could consider "Bring Your Own Database."

Meaning give developers the nice UI and added features but connect to the database of the developer's choice to actually store User data. That might address security and what if you close shop issues.

A SaaS app that does something similar conceptually is CushyCMS -- you give them your FTP information and they provide an interface without storing or hosting your content.

Looks great! Will surely use it for my next project.

Few suggestions:

1. Implement multiple ways to login (and charge accordingly) e.g. keyfile based, color combination based, biometric based, etc.

2. Do cross-platform API. I know you might think that BB is a sinking ship but to be ubiquitous your service needs to have an API on EVERY platform.

3. (This is more technical) Shard your db based on the location of your customers and accordingly replicate your data. e.g. If I launch a webapp hosted in India, I obviously don't want my customers to hit Sweden or the US every time they login (with the undersea cable breaking every now and then). If the India mirror of your service goes down then there will be graceful degradation (users will login slowly by hitting the other replicas) but not a full downtime. Basically for a customer X running webapp W, the primary replica should reside in the vicinity of where W is hosted but backed up by replicas in other locations.

4. Introduce a free development tier for up to 4-10 users.

Hey, this looks like a nice time-saver for those of us starting up side projects. Not everybody wants to build out this stuff over and over, and working with OAuth is a pain. So, thanks!

Now, I know it's on your roadmap, but I would really like to see sample code integrating with one or more payment providers or recurring billing management services. Stripe and Recurly would be top of my list. Would love it if you could get that up soon.

Would also like more docs about the differences between permissions and features. I mean, I think I get it, but more specific text would make me feel more sure.

Minor bug: in my own account information, when I went to go edit it, you have separate fields for given/first name and surname, but you refer to both in the info/help text as a surname or last name.

Anyway, nice job!

Looks good. I think the 'hours saved' under 'save time with userapp' is exaggerated a little :)

If I were to use it, I'd want some easy way to export the users though. I know I could iterate through them all and get the data (maybe not password hashes??), but at one point a web app would probably need something custom enough that I'd just want to have all the data myself.

I think things like stopping invalid signups, good spam protection etc could push people to use this. Also integrating login via facebook/google/twitter and making it work seamlessly out of the box would be a big plus. For those small website projects it would be much easier/quicker to plug this in, and focus on the core of the app, rather than all the user backend crap.

Since I've built user/admin systems for the majority of my career, this is really interesting to me. The site looks great and the Family Guy stuff is funny ("No,n0_p4ssword!") Hah.

I agree with the lion's share of what WA said.

The MVP/prototype argument is a valid one, but remembering that nothing lasts forever, it's probably wise to think of these services as temporary tools and not permanent solutions.

I believe that user management is such an important (and basic) thing, that you should own it. For the hackers out there, feel free to check out my Drywall project, which is a website user system built for Node. https://news.ycombinator.com/item?id=4951605

My gut's telling me this tool is going to be successful. But you'll definitely need to grow some thicker skin. Disregard skeptics (unless it's constructive criticism), keep building your product, and keep pushing.

Good luck.

This would be cool as an extension of the Mixpanel API. So instead of just tracking users you’d have all these features as well. I’ll agree with the criticism of this being a point of failure too big for mission critical systems, but if it gets proof of concepts off the ground sooner, who knows? Could be a great way to save time. I would suggest thinking carefully how you would eventually grow out of each component. That’d be my main concern. I want to be able to switch out components one at a time.

Nice work guys. I especially like the integrated pricing system. Adding a means of payment is a tricky aspect of a product. If that is taken care of well it saves a lot of time.

Would not use this. If I want SaaS I'll use OpenID (facebook/google login), it's free and people are already using it.

If I want ownership of code, I'll use existing frameworks.

I would honestly just use this to start off and save time, but once things start picking up, data export and in house user mgmt would be the move.

Really neat idea, and seems well built this far.

However, I feel like it needs a bit more until I try it out. Right now it would be a compromise between saving some hours in a few areas, and using those hours to learn Userapp and integrate it.

Anyhow, hope it moves along well – will check back on the progress in a few months and see if it has improved with more features, demos and examples.

This is a great idea. I've been thinking of developing something similar. But you cannot sell it as SaaS. It needs to be a one-time self hosted project so that startups can download, install and be ready in minutes. At the same time there are no security/privacy issues that most users here are worried about.

I agree strongly. Ideally this would be a self-hosted project.

This would eliminate most of the potential privacy issues that might inhibit usage of this.

I'd love to see something like this take off because it's time wasted that prevents you from working on a core product idea.

Can anyone recommend a service similar to this (a backend framework) but which allows you to keep your own data?

We just launched UserApp after 9 months of hard work. Please try it out and let us know what you think :)

I suggest that you provide easy one year purchases. It is much easier for my manager to sign off on one purchase than a recurring bill. Also, number of users is unlikely to be my purchase level decider. Perhaps you could differentiate the levels on another factor to get me out of your lowest tier.

Have you done any A/B testing on including text like "That's about 4 cups of coffee" in pricing pages?

I found this: https://news.ycombinator.com/item?id=4394114

Hi, I'm the "front-end dev" of UserApp. No, I just went on my feeling on this one :) I actually got the idea from wrapbootstrap (e.g. https://wrapbootstrap.com/theme/ace-responsive-admin-templat...). Thanks for the link btw, I will check it out later!

I'm working on something like this, but installable on your own server. Subscribe here if you want to know when I release it: https://lists.codingrobots.net/?p=subscribe&id=3

Nice. I have subscribed to your mailing list. Will be interesting to see how you approach it :)

Thanks, and good luck with UserApp!

This is actually a pretty good idea, solves a legitimate annoyance. Obviously there are privacy concerns.

You claim it's a low-latency, HA platform. What does that mean? Details are the only way to make your users feel secure that you won't be going down when they need you the most.

Good idea, but coming from a privacy startup this is obviously a no-go..

and distributing a web-app would equal just open sourcing it.. I know, it's a dilemma

I need to integrate something like this in an open source platform. Is there anything even close as an open source project? Or do we need to develop the same thing as FOSS ourselves?

edit: I seem to have been voted down. It was a serious suggestion though - did I misunderstand the question?

It wasn't me. Someone downvoted me too. Sometimes the HN crowd is a bit negative against open source as they are focused on making money and there are some who think there is a conflict in that.

It does feel like they are running their user credentials and other "critical" stuff in MongoDB. I wouldn't advise that.

Am I wrong? Curious.

We are actually using Redis and have configured it for high consistency/durability.

This looks interesting, maybe a video of how it works? It's clear that a lot of work has been put into this so kudos for that.

$89 is not "about 18 bottles of beer."

I hate when companies compare their prices to food, beverages or entertainment ("cheaper than a cup of coffee!"). Unless your product is giving me the exact feelings and enjoyment that 18 bottles of beer would give, it's not a good comparison.

It feels like whoever is writing the copy is somehow belittling me. It's an overreaction, but I read it as, "you're a goddamn yuppie who would spend $4 on a cup of coffee. Why won't you buy your product, since your money seems to be burning a hole in your pocket?"

I hate to be negative, especially for something done in a lighthearted manner and probably as a parody of this trope in applications[1], but calling $649 a lot of pizza not only doesn't convince me, it makes me feel bad about myself—never a good idea to sell a product. Even cosmetics or fitness products are sold with a message of empowerment (you could look great!), not of belittlement (you look horrible, do something about it!).

[1]: Poe's law?

Then you don't live in Sweden. Beer here is expensive :) :(

How are privacy laws in Sweden?

Why was I downvoted? I am genuinely interested to know where to host data.

Way too expensive for just a small piece of your business. Keep in mind a decent server at Digital Ocean is just $5/month.

Are you going to add other currencies? What are the limitations of doing it?

This seems best suited for building a prototype quickly (i.e. Hackathons).

This site looks beautiful and very well thought out at first glance.

I think there might be a use case for this for simple projects, but the privacy implications of this in light of NSA and other government spying makes this unusable for most potential applications.
