Userbase is the easiest way to add user accounts and data persistence to your static site. All Userbase features are accessible through a very simple JavaScript SDK, directly from the browser. No backend necessary.
@rdlou End-to-end encryption is one of the main features of the product. Since the key is user-controlled, there will always be something that the user must keep and never lose. For this first version, we chose to make that thing the user's own password.
Other end-to-end encrypted apps (such as password managers) have the same requirement. Sometimes the password is resettable, but you have to keep another key. But there's always something that would lock you out if you lose it.
Naive question maybe. If I get hold of an app ID and basically spam it, what happens? What if I create a phishing site and use the app ID to get the username, password and then on passing it to userbase using the same app ID, I could get more user information? Maybe I'm missing something in how this works...
@jumbld Userbase dev here. Sorry for the late response, not naive at all! These questions have come up multiple times and we discussed this topic while building it out.
--- If I get hold of an app ID and basically spam it, what happens?
Today, you could create a bunch of new users on that app and push the total amount of data stored for the app over the 1 GB limit. This is currently a soft limit however. From our FAQ on what happens if you exceed this limit:
>At the moment, Userbase is not metering data storage, and nothing will happen if you exceed it. In the future, Userbase will have other pricing plans that allow higher storage volumes. If you happen to be exceeding the limit when these new pricing plans become available, we will ask you to upgrade to the new plans.
Source: https://userbase.com/docs/faq/
If there is foul play involved in getting your app pushed over the limit, you would not be expected to upgrade.
We are also planning to add spam mitigation features (not a robot, captcha, rate limits by IP, email validation, etc.) to prevent someone from easily creating tons of accounts.
--- What if I create a phishing site and use the app ID to get the username, password and then on passing it to userbase using the same app ID, I could get more user information?
We're planning to add an origin whitelist to protect against this threat.
More on this here: https://twitter.com/richcorbs/st...
Hi. I read through the docs and it looks like a lot of work has gone into it! How do you see this working in a production environment with no password reset ability given the key encryption implementation?
@tomfrazier Plenty of apps are starting to support end-to-end encryption, and they all require the password (or some other key) to get access to the account. We're seeing that users are starting to become accustomed to protecting their password/key in exchange for a very high level of data privacy. Password managers are one type of app where this has been the case for a long time. And more recently, plenty of productivity tools, such as Bear.app, Standard Notes, Inkdrop, and others have added e2ee without the ability to reset the password.
That said, Userbase has a way to allow password resets if the user still happens to have access to a previously used device, and has also allowed the session to persist in local storage (after closing the window). We chose not to release this feature for now, but we can easily do it if we see that there's a need for it.
@dvassallo Thanks for the response. Is the password reset method available that COULD be implemented via arbitration key or similar? I really like the userbase model but for my use case, and I'm sure many others, password reset is a 'must' requirement.
@tomfrazier What's an example that uses an arbitration key? (I'm not aware of this method.) But there's always going to be something that the user has to hold onto for end-to-end encryption to work. It doesn't have to be the password though.
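Added example, not part of the thread and not Userbase's code: a sketch of the trade-off discussed above, where a forgotten password locks the user out unless a device still holds the key, in which case the key can be re-wrapped under a new password. It assumes a random data key wrapped by a scrypt-derived key with AES-256-GCM; every function name and parameter here is hypothetical.

```javascript
// Illustration only: names, parameters and storage layout are assumptions.
const nodeCrypto = require("node:crypto");

// Derive a key-encryption key (KEK) from the password and a per-user salt.
function deriveKek(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32);
}

// AES-256-GCM helpers; blob layout is iv (12) || tag (16) || ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function unseal(key, blob) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Sign-up: the server record holds only the salt and the wrapped data key.
function signUp(password) {
  const salt = nodeCrypto.randomBytes(16);
  const dataKey = nodeCrypto.randomBytes(32);
  return { server: { salt, wrappedKey: seal(deriveKek(password, salt), dataKey) }, dataKey };
}

// Sign-in on a fresh device: only the right password unwraps the data key.
function signIn(server, password) {
  try { return unseal(deriveKek(password, server.salt), server.wrappedKey); }
  catch { return null; } // wrong password: the GCM tag check fails
}

// Reset from a device whose persisted session still holds the data key:
// re-wrap the same key under the new password; stored data is untouched.
function resetFromDevice(deviceDataKey, newPassword) {
  const salt = nodeCrypto.randomBytes(16);
  return { salt, wrappedKey: seal(deriveKek(newPassword, salt), deviceDataKey) };
}

function demo() {
  const { server, dataKey } = signUp("correct horse"); // constructed sample values
  const note = seal(dataKey, Buffer.from("private note"));
  const forgotten = signIn(server, "wrong guess"); // null: nothing to recover from
  const recovered = signIn(resetFromDevice(dataKey, "new passphrase"), "new passphrase");
  return { forgotten, text: unseal(recovered, note).toString() };
}
```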