
Memberstack or Firebase?

Hi,

I would like to build a system for human resources managers to track employee training. The system will not contain sensitive data but will allow the user to trigger paid training courses and contain employee names - so it needs to be secure.

Does anyone know if memberstack is suited to this? I have the firebase tutorials from 2018 and am about to run through them, I just wanted to see if I am on the right track. Thanks!

My recommendation is to go with Webflow + MemberStack + Zapier as your stack. This will get what you’ve described.

I’ve got a screencast that will walk you through the fundamentals of this setup for you (along with more advanced ones on the same site):

Drop any questions in this thread and let me know if this points you in the right direction.

1 Like

@DrNinjamonkey you can use the stack that @ChrisDrit suggested and at any point add firebase on top of it in case you need to store sensitive data or data types Memberstack doesn’t include.

2 Likes

Thanks Chris, I actually had your guide open as a place to start!

My main question about memberstack is this - if someone tech savvy plays around with the console / turns off javascript, can they mess with users' data?

Training progress, paid tests etc will be tied to an employee name and although it isn't banking details it still needs to be confidential. Can MS do that?

1 Like

I would reach out to MemberStack support with questions like that, I’m not the right person to be answering them. I can help with setup and architecture, I’m really good at that, but when it comes to PII specific needs speak to MS directly. Hope that helps!

1 Like

@DrNinjamonkey — please DM me and I’ll get you connected to the right folks on the team :slight_smile:

It’s an important question as I’ve recently learned that we’re talking about ‘Hidden Content’ in some cases here, creating some reluctancy on my use-case.

What’s considered “sensitive content”? In the Memberstack demo, they share “Contracts” (files) that are client-specific. Perhaps I’m not the only one who considers client contracts sensitive?

Maybe @DuncanHamra can help provide some insight.

Well, I was doing some research for the company I’m working with and we were testing the security of memberstack. I was able to break into all the websites that are on memberstack examples page, and was able to access all the hidden pages for those websites.

So, if you’re dealing with sensitive information, don’t use purely Webflow and memberstack since they only take care of the front end. You need a server side solution for sensitive data (Firestore + Security Rules for example) if you really want to secure your data.

1 Like

Unfortunate to hear, can you provide any proof that you were able to “break into all the websites”? Not doubting you but it’s easy for anyone to state that here.

With that said, have you used any alternative setups? I’ve been checking out Firebase as an alternative.

I totally understand haha I’m definitely getting you a video as soon as I get my hands on my PC. I won’t share how I do it, in order to not make it easier for those ill-intentioned.

And yep, we ended up going with firebase for our whole app and not even touching memberstack. This made sense for our app because we were going to use pretty much everything that firebase offers (authentication, hosting, database and cloud functions)… your needs might be a bit different, so I’d recommend you look around for what makes the most sense for your needs.

@mattk83 There you go mate :wink:

Link> https://www.loom.com/share/b89459b171a047f384248191429e251c

DISCLAIMER: I never did and never will use this type of knowledge to do bad things. This demo is intended to show the limitations of Memberstack and raise awareness for users that have extremely sensitive information being hosted in a website that uses any type of front-end-only authentication.

2 Likes

Very interesting.

In terms of your Firebase setup, will it allow similar functionality in order to store “contracts” for a given user/account?

Ideally I’m looking to setup Clients and Users, where a Client is a reference field for Users, so I can have multiple Users who belong to a Client view the same data (without sharing login details).

I certainly need to share things like Contracts, Data Metrics (via a 3rd party embed), and “Tasks” at the least.

You are probably referring to some videos I made in 2018. These are out of date now but the principle of how you can use Firebase and Webflow together is still the same. However I wouldn’t suggest anyone use this approach to build a real world production app. A quick and dirty MVP, sure, but there are major limitations with this approach for anything serious. Think of those videos more as information on how you can play around for fun.

To add to the comments about Memberstack above, the Memberstack guys themselves make it pretty clear on their website that they can’t securely gate content:

[image]
Also AFAIK they have never claimed that they can, so there is nothing to debunk there. They openly admit that it’s not actually secure.

The only way you can have real secure content with Webflow is to load that content after the page loads, and your back end will need to verify the user’s token. Which it looks like they are working on.

1 Like

Would you care to elaborate?

Sure I wrote an article outlining the biggest limitations here.

Hi Jason, your videos really helped me start with Firebase so thanks for that.

I’m currently learning svelte and working with a friend to build components in that, I was wondering if you have used it before? So far I’m pretty happy with it and it works well inside webflow.

Glad you enjoyed them. I’ve only ever played with Svelte, I’ve never built anything production with it. Seems pretty good but personally I wasn’t a fan of having to learn another syntax. React is much closer to vanilla JavaScript which makes sense to me.

Has anyone here ever tried Caspio for secure access and CMS?

Looking at it now, since you mentioned it - interesting, though it could be a higher cost than I could justify for a dozen clients, and the features I need aren’t offered in the first two plans.

You’re right. I used it initially for a statewide health company. It worked very well, but with HIPAA compliance it was $1000 a month just for the Caspio plan. Eventually rebuilt the web apps using a different no-code service.