How should I manage "Free Trial"?

I want to create a system where a user can use my services for a certain amount of time without signing up, then grant them some more usage after they sign up, and eventually give them unlimited access using payments.

The service framework I aim to simulate is https://novelai.net/ where they allow 50 text generations before signing up and 50 text generations after signing up. However, it was pretty simple to modify my local storage for unlimited text generation. My main concern is: how can I track the users who have yet to sign up?

I thought about using cookies and local storage, but they are prone to client-side modification and may be subject to forgery for unlimited usage. I also thought about recording users’ IP addresses in my server database, but since a VPN allows multiple users to use the same IP address I don’t think this is viable either.

Should I just expose my services to potentially “malicious users” who want to use my services freely, or scare 90% of potential users away with that annoying “Sign up” button?

You ignore them. People who really want to use your services without paying, and have the time and motivation to circumvent your controls, will do so. Between incognito mode, VPNs, VMs, etc., someone who wants it bad enough will get past whatever you are checking.

A simple combination of local storage, IP address, and/or browser fingerprinting will be enough to keep casual users honest. If you want people to use the service without even signing up for an account, you just accept that there will be some degree of cheating.

By the way, this is usually fine. The real money is in figuring out how to serve (and charge) large corporate/enterprise customers. An arms race with individuals highly motivated to circumvent your limitations is usually not in your own best interest.

This might help but it is not foolproof.

$computerId=md5($_SERVER['HTTP_USER_AGENT'].$_SERVER['LOCAL_ADDR'].$_SERVER['LOCAL_PORT'].$_SERVER['REMOTE_ADDR']);

I do not think that there is another feasible way to do it unless you require an email or something.

If you have a server, you can give them a token that gives them access to your services. The frontend will store this token however it is convenient. You keep track of the date the token was made on the server, and when the token expires the server will give the frontend a message saying the token has expired, and the frontend can forward them to a page asking them to upgrade.
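
The server-side token scheme described in the reply above, as an added example that is not part of the original thread: the client only holds an opaque token, while the issue date and usage count live on the server. The trial length, the one-trial-per-client cap, the in-memory dicts standing in for a database, and all function names are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TRIAL_SECONDS = 7 * 24 * 3600   # assumed trial length
FREE_USES = 50                  # pre-signup quota mentioned in the question
MAX_TRIALS_PER_CLIENT = 1       # assumed cap on trials per coarse client key

trials = {}         # sha256(token) -> {"issued": ts, "uses": n}; stands in for a DB table
trials_issued = {}  # client key -> number of trials handed out

def client_key(user_agent, remote_addr):
    # Coarse, spoofable identifier (user agent + address); it only deters casual resets.
    return hashlib.sha256(f"{user_agent}|{remote_addr}".encode()).hexdigest()

def _lookup(token):
    # Only a hash of the token is stored, so a leaked table yields no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token(user_agent, remote_addr, now=None):
    """Return a new opaque trial token, or None if this client already had one."""
    now = time.time() if now is None else now
    key = client_key(user_agent, remote_addr)
    if trials_issued.get(key, 0) >= MAX_TRIALS_PER_CLIENT:
        return None
    trials_issued[key] = trials_issued.get(key, 0) + 1
    token = secrets.token_urlsafe(32)   # unguessable; carries no data the client could edit
    trials[_lookup(token)] = {"issued": now, "uses": 0}
    return token

def use_service(token, now=None):
    """Decide from server-side state only; nothing the client stores is trusted."""
    now = time.time() if now is None else now
    record = trials.get(_lookup(token))
    if record is None:
        return "invalid"          # unknown or edited token
    if now - record["issued"] > TRIAL_SECONDS:
        return "expired"          # frontend forwards to the upgrade page
    if record["uses"] >= FREE_USES:
        return "quota_exceeded"   # frontend prompts for sign-up
    record["uses"] += 1
    return "ok"
```

Deleting the token and changing address or user agent still yields a fresh trial, which is the residual cheating the replies above say to accept.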

Easy economics. If it costs you more work, time and money to prevent them than their damage is to your business, then it’s more economical to ignore them.

Prolly just gonna use cookies as an ID and store user information in the server database. Gonna have to streamline the signup process so users don’t wanna cheat.