Ask HN: How to build site with payment, subscriptions, user login, registration

72 points by imvetri ↗ HN
I built a working concept that helps to design user interfaces and convert it into an interactive user interface. I am 11 years experinced software engineer in frontend engineering and design. When it comes to putting my tool on a site to gain customers, my head is breaking because i do not know backend.

I have wordpress on a domain, thinking that it will help me reach there, but im getting into panic.

I don't know how to add user login, registration, subscription, paid subscription, landing pages, product pages.

How do you do? Or how have you done it?

70 comments

[ 244 ms ] story [ 2894 ms ] thread
ditch wordpress. use laravel
Yes, laravel has everything you need and is very simplistic.
This is a very broad question, but the most straightforward answer is to use a popular full stack framework like Ruby on Rails. It'll give you most of what you need out of the box, and there's 3rd party packages for the rest.
Elixir + Phoenix + LiveView. Or, if Python is more your jam, Django has built in authentication.
I really wouldn't suggest the Elixir + Phoenix stack to someone who doesn't have experience with the Elixir/Erlang ecosystem and functional programming

It is amazing though.

Your best bet would be to use something like Supabase, which simplifies all the backend stuff. Get deep into the docs and use Claude to figure stuff out.
When does the rugpull happen? I see using a third party auth as a suicide pact. What stops Supabase from sending out the usual email that "they're proud to have been acquired?"
I think supabase is open source such that you can (and many customers do) self host with no additional cost and with complete control.
You can actually self host Supabase, that's really the whole point: a Firebase alternative that you can host yourself. Obviously you can use their hosted service as well.
Have a look at Laravel Breeze.

Has most of the things you mentioned right away, and if you need payments Laravel Cashier makes it easy as well.

I wrote a "user management system" in PHP back in 2000 because I thought "user management" was dark matter for almost all web sites: you don't really want to write email verification, password reset forms and all that stuff but it's the kind of "non-functional" requirement which will leave your web site "non-functional" if you don't do it.

I used the software for a few projects for myself, customers and employers. It was open source, but the industry couldn't give a damn, turned out the missing feature was "depends on a third party auth service that is someday going to get acquired and shut down". Auth frameworks like that proliferated like mushrooms after the rain around 2013 and all of a sudden people were interested.

(Oddly back then I was looking at various "API management" products that a number of "want-to-have" features but that all lacked the one feature you needed to make a business, which was integration with a payment gateway.)

I think the basic advice in 2024 is the same as it was in 2000 which is store user records in a relational or document database, encrypt your passwords like an OS does, use signed cookies for authentication (ignore the anti-JWT splogs that a certain vendor funds), etc. I think today it would not be unreasonable to take a "microservice" kind of approach where auth is handled by some self-contained system through an API but practically you might want to be able to join stuff against your user table.

However, a lot of the complexity of a good auth system is tied up to the UX for both the visitors and administrators. I've seen onboarding completion rates increase from 22% to 85% as a result of improving each and every step. Administrators deserve a great interface for managing users. Even if a "microservice" had a good internal API so much of quality, security and all that depend on the UI the system exposes and I think that is just as important to reuse as the inner logic.

> I think today it would not be unreasonable to take a "microservice" kind of approach where auth is handled by some self-contained system through an API but practically you might want to be able to join stuff against your user table.

One option for writing less code yourself might be using something like Auth0 (cloud) or Keycloak (self-hosted) with some OpenID Connect library for your tech stack, or a Relying Party implementation altogether, like: https://github.com/OpenIDC/mod_auth_openidc

They'll get you most of the way there, without making you write a bunch of security related code yourself (which is also more likely to cause issues, if someone isn't familiar with the domain).

> encrypt your passwords like an OS does

This should be hash not encrypt:

“Securely hash your passwords like an OS does”

I would recommend using something like bcrypt with strong parameters.

100% for saying it better than I did.
And hashes with salts of course. Without, get a rainbow table and the password becomes plain as day.
That too. I’ve been doing it so long I didn’t feel I had to say it.
As someone who is not a web dev I find it amusing that there are 4 answers all saying something different.
Which imho is one of the things that make web development nowadays obnoxiously difficult - there are tons of frameworks and stuff trying to reinvent the wheel. Keeping up to date with vanilla web development alone is pretty hard, I don't know how people can keep up doing React/Django/SQL/AWS/whatever. It's too much.
Part of a reasonable answer is that you do it with whatever toolset you’re familiar with. It’s also reasonable, if you used a signed cookie system that the cookie verification module is about 50 LoC so you could use an auth system written in (say) PHP to authenticate a node.js or .NET application.

In 2000 I had been watching Yahoo buy up lots of internet properties and… integrate them with their auth system. I had a vision that you could pick “best of breed” open source and other software, plug it into your auth system and make your own “portal” web site. I had some success developing sites this way but it never caught on and I still don’t understand why.

An incredibly vague and generic question isn’t going to have one answer.
What segment of tech has a single answer to any complex question?
There's a niche service nowadays called "SaaS-as-a-Service" where an entire SaaS ready to use and customize is priced to you. I didn't use one myself but [1] is a good example.

[1] https://saasbold.com

This is the correct answer. If you're trying to validate a business idea and this kind of thing is not your core competency, just get an entry-level plan with a tool like this. I'd also highly recommend you sign up for a CRM tool like HubSpot to capture leads, send marketing emails and do landing pages. It does all that kind of stuff adequately well for a small business. WorkOS is another option although I've never used it and can't endorse.
Save 4 hours by using their payments system instead of building one? Who's building payment systems in 4 hours??
This requires I assume a bunch of paid subscriptions to third party APIs?
It won’t use the newest framework of the month JS library in a few months, but that’s okay. Validating an idea quickly without much fuss by having a boiler plate done for you is key. Just move sooner rather than later to something you understand once you get to a stable point.
Supabase for registration and auth, frontend framework of your choice for views, Stripe payment links for subscriptions. You'll have to sprinkle in some Supabase Edge Functions for Stripe webhooks for your entitlements flow as well. AWS SES for transactional email. Something like Basedash for your admin panel and at this point you're running an MVP at least.
Supabase / Appwrite, etc can be solid choices, understanding how it works is important to.
I have a go monolith, htmx for dynamic pages, and SQLite to back it. I really tried to find something for user login / auth / forgot password, but ended up just implementing it myself. Way easier than figuring out APIs and such to integrate with my pages.
https://pocketbase.io is already aligned with what you're working with, and can be embedded in your existing codebase.
Yeah but then I have to figure out the pocketbase API and keep it as a dependency. I'd rather the dependency footprint be as small as possible, accepting the minor tradeoff of having to implement auth myself.
Rails has all the great backend stuff. Frontend could be react and next
If you are a frontend engineer already maybe a JS based backend SaaS boilerplate project is the best starting point. Something that already comes with Stripe Checkout integration could get you up and running quickly (Like https://shipfa.st and probably others, maybe someone has more recommendations there).

Personally I'm using Ruby on Rails which has a lot of plugins to get up and running quickly with payments and user management. The equivalent there would be: https://jumpstartrails.com

Lots of good advice on here. It would help to add what development environments and languages you are comfortable with.

You say you don't know how to do all that, so you're probably looking for a "SaaS boilerplate" for a web framework you feel comfortable with. There are many good paid and free boilerplates available.

Yes, you can build all of this yourself, but it will take several months or years at the point you're at now.

I'm a bit ahead of you, but I'm going through this now and it turns out that understanding all of this "extraneous" stuff is taking way more time than it took to code up the core functionality (purpose of the app).

There are basically three parts to this question, all of which can be chosen independently and then fit together.

First you choose a frontend (and often backend) framework to actually build the pages, like Next.js, Svelte, Laravel, etc.

Then, you can choose an auth solution like Clerk, auth0, NextAuth, Supabase, etc. Most of these products work with a wide variety of frameworks. Some of the frameworks (like Laravel) also have an auth framework built in.

For payments, you technically have choices but I would just use stripe.

There's also the option of working with an agency or freelancer. Since you know about frontend and design, you might be able to work out something for a reasonable price.

For these types of projects (in a validation state) I recommend using Stripe subscriptions, they have incredible low code tools that will handle all the heavy stuff. You'll save a lot of time.

Disclaimer. I run my own software studio.

Btw, I don't think wordpress is the right tool to implement what you're looking for.

It'd be usefull for your marketing pages, blog and product updates, but not so much for your application logic.

I recommend learning a full-stack back-end web framework that is known like Django, ASP .NET, Ruby on Rails, Laravel, to name a few.

There's lots of tutorials on how to get started with them, it will be a lot of information to start.

If you really want to learn about the core themes each of these has:

* User authentication - Login / Registration

* User authorization - Is this user allowed to do x, y or z?

* Database connectivity and query management (usually done via ORM) which handles where your data goes to, and comes from.

* Template engine (which you can replace if you rather an API, but I recommend for starting out, to just make a boring web app)

* User management

As for payment / subscriptions, these are not included OOTB, but if you can get through the basics of any of these frameworks, I don't think you'll struggle too much to work out third party libraries that add what you need to these frameworks.

I started out my first web project with a micro web framework, but I had some experience in programming in general and used it and it worked out, I started with CherryPy. Basic "Hello" page, and gradually added pieces as I needed to add them, like database, template engine and so on. I now just use Django or ASP .NET depending on what I'm doing.

Django is regarded as the framework for people with deadlines, but it might not be for you, maybe Rails or ASP are more for you.

My recommendation is pull up a list of web frameworks that meet most of your needs, and go from there.

You could also look into ecommerce frameworks as well. Though I cannot personally speak to these. Laravel I'm sure has a few options for Ecommerce. You might want to go with Laravel if you want to host with PHP.

I recently used kobble.io to do this quite easily
Laravel or WordPress I’d say
Ruby on Rails, Pay Gem for Payments, Devise for Login/Registration (Auth), a StaticPages controller for Landing/Product pages.

I would then use the Litestack gem: https://github.com/oldmoe/litestack + SQLite to get your DB/Cache/Job Queue working, deploy with Kamal, behind Cloudflare on a $5 Hetzner VM.

I go from idea to live app in an afternoon with this stack. I haven't gotten around to it yet, but moving all my apps to essentially free analytics dashboard/visibility with https://github.com/benvinegar/counterscale, Free APM with ScoutAPM.

If anything is ever successful, scaling is super easy. Pay for a beefier Hetzner instance, and/or start to move your DB/Cache/Job Queue off of the litestack defaults with a single LOC. Move to AWS services because those are web scale or something.

I love this stack. It prioritizes getting shit done. Feel free to email me if you have questions.

Ruby on Rails with Devise and Stripe pretty much does this out of the box.
I really like using Supabase for auth- they handle the database and the oauth for you
Might take a look at AWS's Amplify framework which includes a bunch of free tier and libraries. Cognito is particularly useful for just getting user auth done.
I think the best advice is use something you are comfortable with. But the second best advice is hopefully that isn't WordPress. Yes, you can do it in WP, but you would have so many more options if you picked something like Angular or React as your frontend. Then outsource auth and payments (auth0 and Stripe, for example) and that will take you pretty far. Good luck!