Wow, thank you very much for this detailed response, this is really helpful.
I'll try to answer some of the questions you raised and will update the documentation as well:
Admin interface
It's available for all packages. Looking at the pricing page now I feel like a fool :)
Kickstarter
Got it, I'll try to rephrase the copy to better relay that.
Token expiry
Yes, this is not documented at all. The token is generated when you sign up and valid until revoked / regenerated from the admin (by you).
Customer and data protection laws
The service stores passwords hashed (bcrypt); emails, forms and documents are not encrypted or anonymized at this point.
The service is GDPR compliant in the sense that you can delete your data fully.
I need to look into the CCPA.
User deletion request
The service is more like a database in this sense; the other entities are not linked to a user but to an account. The developer has to orchestrate the deletion of files which belong to a user.
Securing passwords
The passwords are stored as hashes, hashed by bcrypt, so I can't see the passwords.
I see your concerns and they are valid, I need to look into other options.
Missing error responses
This can be documented more for sure.
Summary
I understand where you are coming from.
I should make it more clear that if someone self-hosts:
- they can have an encrypted database so they are compliant with GDPR, CCPA
- they can store files/images locally
- they have the admin interface to manage all entities
I get a mixed message from your website, documentation, pricing, and examples. The added value of your service is not clear after reviewing your product.
Admin interface
On the Pricing page, I find a lifetime option that grants me access to an admin page of the self-hosted service I bought from you. I wonder why I don't get access to said admin-page when I'm a monthly paying customer (Startup), especially as you do not list any support option for the 'Developer' and 'Startup' package.
Kickstarter
It looks like I have to use your clients, but they are just kick-starter projects or examples. The API is documented, and I can even use Postman to query your service. So I can write my own client software. I would rephrase the website; otherwise, it looks like I must get a server to host your clients.
Token expiry
All requests must contain an access_token, but for how long is each token valid? How is each token validated? How can I invalidate tokens? Can I bring my token?
Customer and data protection laws
I can create users, but nowhere on your page or the code examples can I find how your service protects sensitive data such as user passwords, emails, forms, and documents. Nor is it stated what data-protection law or data-privacy law you are complying with. Can I use your service for my EU business (GDPR)? Can I use your service for my US-California business (CCPA)? How is your service dealing with user account deletion requests as they are defined in law (GDPR)?
User deletion request
I found in the API only the possibility to delete users but not their contents, which the user has created/saved. But according to the law, I have to delete the contents as well. I thought I would have to write such a service, but I feel it's impossible when looking at the API — or it's merely not described whether, for example, the files API lists only the files the user has uploaded. Maybe just a documentation issue or a real problem.
Securing passwords
The authentication part is practically not usable, as I don't know how passwords are protected. Your service operates via HTTPS, but I can't be sure that not even you or your administrators can see or decipher the passwords. Are you using salts to hash passwords? How can I get access to the salt to send you only hashed passwords, not plain-text passwords? Forms must also be protected, as forms can contain sensitive data.
If I need to care about storing the salt used for hashing the password and then send you the hashed passwords, I have gained nothing. Not only can some of your admins still pick up the hashed passwords, but I also have a useless storage system that costs maintenance.
I suggest you kick the password thingy from your API and use passwordless authentication. For example, FIDO, or implement an email-based authentication like the one Hashnode uses.
Missing error responses
Practically, I have to try to break all your API endpoints to learn about all possible error responses to prepare my software.
Inconsistencies in the client APIs
Use either plural or singular.
The file/image exists before I can upload it to your service. Other endpoints use submit or send.
Summary
$30/mo is too much, I feel. Not only is it unsafe to use for businesses in the EU and US-California, I also need to create an admin interface and implement my own password storage, as yours shouldn't be used in production.
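The "Securing passwords" exchange in both posts above turns on a point that is easier to see in code: with a salted, slow hash such as the bcrypt the reply mentions, the salt is generated on the server and stored next to the digest, so the client never needs to fetch a salt or pre-hash anything, and two users with the same password still get different records. The following is an added example, not code from the service or from either poster. It uses scrypt from Python's standard library as a stand-in for bcrypt (the mechanism is the same: random salt, tunable cost, salt stored with the digest); the record format, cost parameters and function names are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumed cost parameters for the illustration (not taken from the page).
# 128 * r * n bytes of memory per hash: 16 MiB here, within OpenSSL's default cap.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
KEY_LEN = 32   # bytes of derived key to store
SALT_LEN = 16  # bytes of random salt per password


def _kdf(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    """Slow, salted derivation of a fixed-length digest from the password."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, dklen=KEY_LEN)


def hash_password(password: str) -> str:
    """Return a self-describing record: scheme$n$r$p$salt$digest (base64 fields).

    The salt is generated here, server-side, and stored inside the record.
    Nothing about it is sent to or needed from the client.
    """
    salt = os.urandom(SALT_LEN)
    digest = _kdf(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return "$".join([
        "scrypt",
        str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest from the parameters and salt stored in the record
    and compare in constant time. Malformed records verify as False."""
    try:
        scheme, n, r, p, salt_b64, digest_b64 = record.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        actual = _kdf(candidate, salt, int(n), int(r), int(p))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True when a stored record uses weaker cost parameters than the current
    policy (or an unknown format), so it can be upgraded on the next login."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    try:
        n, r, p = (int(x) for x in parts[1:4])
    except ValueError:
        return True
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    first = hash_password("correct horse battery staple")
    second = hash_password("correct horse battery staple")
    print("records differ for the same password:", first != second)
    print("right password verifies:", verify_password(first, "correct horse battery staple"))
    print("wrong password rejected:", verify_password(first, "Correct horse battery staple"))
```

The record carries everything needed to verify it, which is why a client pre-hashing with a salt it fetched from the server gains nothing: the server would just be storing the client's hash as the effective password, while still hashing it again on its own side to avoid storing a pass-the-hash credential. The `needs_rehash` check is the usual way to raise cost parameters over time without a forced password reset.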