How to configure access to a hosted Streamlit application behind Ghost's authentication and paywall tiers

Hello,

I’m looking for help / guidance on how I would be able to integrate my Ghost site’s user authentication and paywall tiers to control access to the UI of a Streamlit application that is hosted via some cloud hosting service (e.g. hosted via Render).

Basically, I would like to sell a digital product that is only accessible for users who are a.) registered with my Ghost site and b.) on a specific paid tier.

My background is in data science/ML, not in web development so apologies if this is an obvious ask.

My rough ideas for a solution would be:

  • Host Streamlit application via something like Render
  • Set up a Page on my Ghost site that is accessible only by paid tier membership
  • Embed the Streamlit application UI as an iframe on that page
  • Concern: this means my web app needs to be public… How do I overcome this?

I’m sure there are better ways to do this, but this is what seems the easiest for me. Please feel free to suggest better alternative methods as well that would be more secure.

Thanks so much,
Andrew

You’ve hit on one idea, “security through obscurity”: make the backend app technically public, but hide it from the public and expose it only on paid-tier pages. Some version of that could work, but a clever paid member could find the public URL and share it.

Another option is to write a custom integration so that your other app connects to the same database as Ghost, and is possibly hosted on the same today. The idea is that they both (1) access and recognize the same session cookie and (2) validate the cookie through the same database.

I don’t know either Streamlit or Render and I’m not going to learn about them now, but another option would be to write some kind of Ghost extension that works as a proxy: it would validate the session cookie and then send a request to the backend with a secret header whose value is known to the backend but never publicly exposed. This way, only authenticated users could access it without making it completely public.

The summary might be that there’s no way to just plug these two things together. Hiring a developer may be the way to go.

@andrewrreed in the same boat now. Did you happen to find a solution to this?
Let me know, thanks!

Stick a cloud function on a subdomain. Grab the user’s Ghost cookie and validate it, and use that to decide whether you pass the request through to the other server…?

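The proxy idea from the second reply (validate the Ghost session cookie, then forward with a secret header the backend knows) and the cloud-function variant in the last reply are the same gateway pattern. The sketch below is an added example written for this thread; it is not code from Ghost, Streamlit or Render. It assumes Ghost's members session cookie is named `ghost-members-ssr` and that `GET /members/api/member` returns the current member as JSON when that cookie is forwarded (check both against your Ghost version); `X-Gateway-Secret`, `X-Member-Email`, the tier names and the site URL are placeholders. The network call is isolated in `fetch_member` so the authorization logic can be exercised with a fake lookup.

```python
"""
Auth gateway in front of a private Streamlit backend (added example).

Flow: browser -> gateway (this code) -> Streamlit. The gateway checks the
member's Ghost session, drops the Ghost cookie, and forwards with a shared
secret header. The backend must sit on a private network or otherwise be
reachable only from the gateway; the header alone does not hide it.

Assumptions, not confirmed by the thread: cookie name "ghost-members-ssr",
endpoint GET /members/api/member, and a member JSON with a "subscriptions"
list whose entries carry "status" and "tier": {"name": ...}.
"""
import hmac
import json
import os
import secrets
import urllib.request
from http.cookies import SimpleCookie
from typing import Callable, Optional

GHOST_URL = "https://your-ghost-site.example"   # placeholder
MEMBER_COOKIE = "ghost-members-ssr"              # assumed Ghost cookie name
ALLOWED_TIERS = {"Pro", "Team"}                  # placeholder tier names
SECRET_HEADER = "X-Gateway-Secret"               # hypothetical header name
# Shared secret: set the same value in the gateway's and backend's environment.
# The fallback only makes this file runnable on its own.
GATEWAY_SECRET = os.environ.get("GATEWAY_SECRET") or secrets.token_urlsafe(32)


def session_cookie(cookie_header: str) -> Optional[str]:
    """Return the Ghost members session value from a raw Cookie header, or None."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except Exception:
        return None
    morsel = jar.get(MEMBER_COOKIE)
    return morsel.value if morsel and morsel.value else None


def fetch_member(cookie_header: str) -> Optional[dict]:
    """Ask Ghost who the session belongs to (network call; replaced in tests)."""
    req = urllib.request.Request(
        f"{GHOST_URL}/members/api/member",
        headers={"Cookie": cookie_header, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)
    except Exception:
        return None  # any failure is treated as "not a member"


def member_tier_allowed(member: Optional[dict]) -> bool:
    """Accept only members with an active subscription on an allowed tier."""
    if not member:
        return False
    for sub in member.get("subscriptions") or []:
        tier = (sub.get("tier") or {}).get("name")
        if sub.get("status") == "active" and tier in ALLOWED_TIERS:
            return True
    return False


def authorize(headers: dict,
              lookup: Callable[[str], Optional[dict]] = fetch_member) -> Optional[dict]:
    """
    Decide whether to forward a request. Returns the headers to send upstream,
    or None to reject. The Ghost cookie itself is never forwarded; the secret
    header and the member's email stand in for it.
    """
    cookie_header = headers.get("Cookie", "")
    if session_cookie(cookie_header) is None:
        return None  # anonymous request: fail closed without calling Ghost
    member = lookup(cookie_header)
    if not member_tier_allowed(member):
        return None
    return {SECRET_HEADER: GATEWAY_SECRET,
            "X-Member-Email": member.get("email", "")}


def backend_accepts(headers: dict) -> bool:
    """Check the Streamlit side (or a sidecar in front of it) must run on every request."""
    presented = headers.get(SECRET_HEADER, "")
    # Constant-time comparison so a wrong guess leaks no timing information.
    return hmac.compare_digest(presented.encode(), GATEWAY_SECRET.encode())
```

Embedding the app in an iframe on a paid Ghost page only hides the URL; the gateway is what actually enforces the tier. Two things matter in deployment: the backend must not answer on a public address at all (bind it to a private network or the gateway's address), and the shared secret must be rotated together on both sides.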