Hey everyone,
I’m a Senior Design Engineer looking for some feedback and a sanity check on the system design for a new project I’m building. I’ve done a fair bit of research, but I want to make sure I’m not missing any potential pitfalls before I go deep into the code.
TL;DR: I’m building a marketplace for premium UI components and templates. I’ve mapped out a full architecture using Next.js, Lemon Squeezy, Supabase, and a specific open-source auth solution, and I’d love your thoughts on its robustness and security.
My Background & Context
I’ve already built and launched SATIS UI, a free library of UI components. It has a decent user base, and now I want to launch SATIS UI PRO. The goal is to sell high-quality, premium assets to a global audience, operating from my base in Bengaluru, India.
The Product Vision
SATIS UI PRO will offer:
1. Lifetime All-Access: A one-time payment to get everything, forever.
2. À La Carte Purchases: Users can buy individual components, sections, or templates.
3. Kits/Bundles: Users can buy a “SaaS Dashboard Kit,” for example, which would automatically unlock all the individual components used to build it.
My Proposed Architecture & System Design
I’ve tried to model this after successful players in the space, focusing on automation, security, and maintainability.
Core Stack: Next.js on Vercel. This gives me SSG for marketing pages, and SSR for secure, gated content.
Payments: Lemon Squeezy. Using them as a Merchant of Record (MoR) seems critical. It offloads the massive headache of global VAT/sales tax, which is a must-have for a solo dev in India selling to a global market.
Database: Supabase (Postgres). This would be the source of truth for user entitlements. My proposed schema is:
users (stores user profiles, linked to the auth provider’s user ID)
products (metadata for every component, kit, etc., each with a unique lemon_squeezy_variant_id)
user_entitlements (a join table linking user_id to product_id)
bundle_items (a join table defining the contents of a “kit”)
Authentication: I’m planning to use Better Auth. I’ve chosen it because it’s an open-source, full-stack solution designed for the Next.js App Router that I can self-host. This gives me full control over the user data and avoids vendor lock-in, which is a priority for me.
The Core Logic: Secure Content Delivery
1. Purchase & Fulfillment: A user buys from a Lemon Squeezy checkout link. A webhook is sent to a Next.js API route, which verifies the request and updates the user_entitlements table in Supabase.
2. “Code as Content”: The premium source code lives directly in the Git repository in a private folder (e.g., src/pro-content/).
3. The Gatekeeper: Access to a component page (e.g., /pro/components/bento-grid) is handled by server-side logic (e.g., getServerSideProps or a Server Component in the App Router).
4. Authorization Check: On the server, I’ll get the user session from Better Auth. Then, I’ll call a Supabase RPC function (check_user_access) to determine if the user has rights to the asset.
5. Delivery: If the check passes, the server reads the component code from the file system using fs and passes it as a prop to the page. If not, the page gets props to render the paywall.
My Questions for the Community:
1. Architecture Review: Does this seem like a robust and scalable approach? Am I over-complicating or under-engineering any part of it?
2. Security: Are there any security loopholes or attack vectors I might be missing in this server-side gated content model?
3. Auth Strategy: My key question is about auth. I’ve settled on Better Auth for its open-source nature and control. Has anyone used it in a production environment? How does it compare in terms of security and long-term maintainability to more established solutions like Auth.js or Supabase’s native auth? Is this a risky choice for a new project?
4. Gotchas: Has anyone here built something similar? Are there any non-obvious “gotchas,” especially with the MoR model or serving a global audience from India?
Thanks for taking the time to read this. I’m really trying to build this the “right way” from the start and would be grateful for any feedback or suggestions you have.