Metamorphic (Early Access) is using Elixir

Hi everyone

Posting here to showcase and announce that Metamorphic is now officially live on a public-facing domain at https://metamorphic.app.

Metamorphic is a privacy-focused alternative to the social networking (media) landscape. And it’s no clone, with fundamentally different behaviors and features, so it may feel strange at first (though the ideas and concepts should all feel pretty familiar).

I tend to just sum it up by saying that it’s a better way to connect and share online with the people in your life (no bias here).

It’s built with Elixir and Phoenix (lots of Live View) and it’s just me working on it! Some of the tooling includes:

• phx_gen_auth
• ecto
• cloak_ecto
• ets
• enacl/libsodium
• GenServer
• nimble_totp
• zxcvbn
• bamboo
• live view
• tailwind
• alpinejs
• stripity_stripe
• stun

The site is now ready to take sign ups for our upcoming Early Access Launch, this was a big push for me to get out before my family and I leave tomorrow to move from coast-to-coast.

You can easily click through to see other portions of the service and get sense of what’s in store for Metamorphic (I’ve disguised the feature images for now until the Early Access launch gets closer).

Here’s also a list of urls to quickly learn more:

• Blog post: Early Access Sign Ups
• Customer rights
• Hassle-free
• Privacy
• Security
• Terms of use

Becoming a parent was the inspiration behind Metamorphic, as it totally changed my life and made me start to pay attention to things I had chosen to ignore before and focus on trying to create the kind of world I would want and hope for my family.

No plans to ever sell or spin-off Metamorphic, I’m in it for long-haul. Some inspiring small software businesses that are examples of success not trying to run the typical startup route are Transistor.fm, Fathom Analytics, and DuckDuckGo (though DDG is pretty “big” to me ).

Big thanks to the Elixir community, I really never imagined I could have made something like this (or be making it) a year ago. The PETAL stack has definitely made development possible for me as I work on this in my spare full-time (“full-time” worked around being a primary caregiver).

In addition to the tooling, the Elixir community is such a super power for development, so thank you to everyone (including all the books from authors)!

Check it out, let me know what you think, and sign up to get on the Early Access list if you’re interested!

I hope you join me on this journey to a better online life.

-Mark

Thanks so much for your post and inspiring backstory. Also have been considering elixir and PETAL for some personal projects. To know that the stack and supportive community has helped you make your dream into a reality - and mostly as a one man team - is just…wow. an inspiration for myself to stop dabbing around and get going on making my own dream project a reality.

Thank you, that’s so awesome to hear. I don’t know if it helps you, but things that have helped me, and continue to, are:

• this forum (reading posts from others)
• Dashbit’s blog and DockYard’s blog
• listening to Elixir podcasts like Thinking Elixir
• services/tutorials like full stack phoenix, elixircasts.io, pragmatic studio, poeticoding and elixir school
• studying open sourced repositories like Bytepack and Livebook
• and then books (so many PragProg books)
• trial and error (lots of trial and error, preferably in a safe environment)

Wishing you the best and excited to see what you make!

@shd42 Before the question: you worked with Sea Shepard? I think that’s so awesome. I just watched the documentary not too long ago on the founder. So many questions but so impressed you went out and did it.

Great question. It’s probably not clear because I haven’t yet put a section up explaining how it all works. So sorry about that and I’ve add that to my to do list. It’s just me making it all and my little one isn’t yet in daycare, so I work in nap breaks and after bed time if I’m not too exhausted (translation: takes me a longer than I’d like to check things off my list).

To answer: currently your data like images (for memories, avatars, other features) are hosted with Amazon S3.

I wasn’t stoked about this as there could well be a future where I’m paying them a significant amount of money, but it currently was within my ability to get it up and working.

I’ve looked at decentralized options like Storj, and I’m considering transition to Storj in the future (it has an S3 adapter — part of my reason for S3 was that I can more easily move services). When you sign in to your session and pull your images down from S3, they’re stored temporarily in ETS until you log out, then they’re cleared (currently that’s how the temp ETS is working).

Other non-object data like name, email, stripe_id, pseudonym, etc is stored with our hosting provider which is currently Render.

Oh! Just remembered: also when you delete your data, like a memory let’s say, the encrypted blob is also deleted from S3.

On Amazon
Now, S3 claims that they don’t do anything with the data in your buckets. I’ve read their policies a couple times and it actually sounds like that’s the case (I choose to not actually trust them—so what’s hosted is the asymmetrically encrypted object blob—even the file name, just not the extension—cause that made it much harder for how i then decrypt and show you the image temporarily in the browser without storing anything other than the decrypted binary temporarily on ets).

However, I do presume that their AI systems are involved in similar practices to scan public (and possibly private) images to train and build up their image recognition training sets. I presume this because that’s standard industry practice for the economic model.

So that’s when I realized I had to asymmetrically encrypt (with your password-derived key) because I didn’t want to “trust” that they wouldn’t do that with peoples data.

This also allows me to keep the buckets public but restricted with their CORS policy etc—which allows the frequent and hard to predict pulling of images for people (although as I write I realize I think I can update this now again to be private with presigned urls because the binary now gets stored in ets)—because the data is totally encrypted with the NaCl/libsodium libraries that the authors suggest not even the NSA can break (again all i can do is use my judgement and then decide to trust or not—I decided to trust them because they made a note on how NIST recommends algorithms and bit sizes that are strong for everyone but the NSA, hence 256 over 512 for SHA, which was my hunch, so that helped me feel like the library had similar hunches and I could count on it—it’s also recommended by the Practical Security book on prag prog). But you can forever go down the rabbit hole on wondering.

I encourage anyone to test and see if they can pull down any encrypted blobs from Metamorphics buckets (staging or otherwise and verify that the encrypted data is useless). Ive searched for them on grayhatwarfare but they don’t show up (although I don’t have a premium account so that may be why). They are currently named like: metamorphic-memories, metamorphic-avatars, and (I think) staging-metamorphic-memories (on my phone) etc.

On Render
The founder of Render comes from Stripe. And I felt Stripe is probably the most trustworthy with your data in the payments space. That inclined me to believe that @anuragg would bring similar if not better data and privacy practices. Again, I just have to trust at this point.

They also have temporary logging by default of only 7 days, which made me, again, feel that they had a similar respect for operational functionality and people’s data. And they encrypt their databases, use tls 1.3/1.2, I believe, when it’s supported.

However, I take a similar step as with Amazon and asymmetrically encrypt that data too before it hits the database with them (then I use amazon’s own symmetric encryption to encrypt that blob at rest).

Additionally with Render, the asymmetric encrypted data is then symmetrically encrypted by me with the Cloak/cloak_ecto library and I don’t store any logs outside of Render’s temp 7 day logs. Also, the logs are the base server error/warning logs.

Symmetric not asymmetric
Things not asymmetrically encrypted include the stripe_id. I added a section to the privacy policy on how a government may be able to get metadata by court ordering stripe and metamorphic’s databases (https://metamorphic.com/privacy), but it’s pretty trivial. Metamorphic is about protecting you and your data from surveillance capitalism and those AI systems, rather than making you 100% invisible/anonymous. It’s probably possible to do on Metamorphic but I don’t offer any guidance for that cause it’s next to impossible in the digital space.

Not encrypted
Things not encrypted explicitly by me but by my hosting provider only, are things like Boolean data that indicates really nothing sensitive or personal at all.

Okay this is probably straying off topic, sorry!

@kokolegorille Feel free to split this part of the conversation to another topic (or even better if possible, into the Metamorphic post) before we derail it completely .

Yep, member of Sea Shepherd for like a decade now. Participated in various “missions” across the globe, and still do (the pandemic did make a slight dent in my plans for a few months, but back on track now). It’s been part of my life (an early decision in my life choices allowing me to be as “free” as possible, allowing me to do this).

Congratulations on the little one are in order then! I’m also a one-man shop, so to some extent, i perfectly understand the situation and i don’t have someone to take care of, so i can only imagine how much more tiring it must be at times (or all the time ).

It’s quite interesting to see how much thought you’ve put into this. And as you said, it’s not about going anonymous (a social network based on pictures and things like that are like a contradiction with it anyway…), but more like “that’s my data, and if i don’t want you to see or use it in any way, that’s it, end of the discussion”. Having said that, too many lines have been crossed by large U.S based cloud tech companies (emphasis on large), to the point where i now actively avoid them entirely. This isn’t really specific to U.S based services, but ever stronger privacy laws over here in the E.U has made our alternative a lot more compliant with that idea, ending up with people like me going for the alternative without even considering companies from the U.S (or any place outside the E.U) (note: this isn’t a push towards using E.U based cloud companies, i’d prefer being able to choose what i want, based on what i need, and the costs being aligned with my budget, without having to consider privacy stuff).

I’d say that encrypting everything before it even gets in their hands might provide the “you might be able to break into, but it’s going to be so costly and resource intensive that it’s going to make you question the point of even attempting it”. I’m rather unfamiliar with Stripe (in the sense, i don’t use it in any projects), i use PayPlug, so i can’t speak on that, but Render privacy terms clearly states “please note that your personal information may be transferred to a country and jurisdiction that does not have the same data protection laws as your jurisdiction”. I’m guessing you are taking action to ensure no personal data gets into the logs, but still (they have very little GDPR wise, making me wonder if they are even compliant with it…).

I had never heard of Storj before, so thanks for that, will keep an eye on it.

Just to be clear, so my answer doesn’t come across as too strong, i find what you’re attempting to do commendable, impressive and important. Far too few people (sometimes even in our line of work, sadly) are aware of how important this is. And at the end of the day, nothing is perfect, what you’ve already achieved is imho multiple order of magnitude better than what we had before (plus, you’re using Elixir, that’s one more point ), and over time, you’ll get to make it even better (hopefully, with help from your future employees ). It’s just rather murky water to deal with privacy in the digital space, and considering the amount of money involved, unlikely to get clearer unless people like you make it so.

Moved the last 2 posts to the Metamorphic topic, as requested

That’s so awesome, thanks for your work and commitment to causes like this!

Thank you.

Thank you for your detailed questions and interest. I’m so happy to respond to your thoughts and concerns, and I think I can address them all .

That’s my data
Yes, by asymmetrically encrypting your data on Metamorphic, I ensure that Metamorphic nor anyone but the person logging in each session with their correct password can decrypt their data and thus use it. In this case, using the data means on Metamorphic’s service to share with the people you choose to share with.

I also have an awesome future idea for how people can utilize the fact that they truly own their data on Metamorphic, to pay for the cost of their accounts even (and maybe make money) depending on the success of the service and if they choose to. But, I’m not saying more on this one yet, but it would still preserve and respect their privacy to some degree (though obviously less of a degree than before if participating it). It’s not set in stone, there’s a lot I have to think futher about and figure out, but I think there’s interesting options here to make the service more affordable for people and actually make their data work for them rather than against them. We’ll see.

I should note that I won’t do anything that I feel actually removes all or any of the protections I’ve worked so hard to put into place. It’s more that I’m just aware that some people may not be able to afford Metamorphic and I’m also trying to find ways to make it work both ways.

US Big Tech
I’m changing the name of the cloud tech companies here, because it’s really essentially a conversation about the giant surveillance capitalists (Google, Facebook, Amazon, now Microsoft, possibly Apple (but they’re so private we don’t have the same level of evidence at this point)).

It’s hard to find anything in tech that’s not supported directly or indirectly by these players. In fact, almost all of the undersea cables are run by them (so your data is going through their infrastructure regardless). And along the way it’s being siphoned by the spy agencies (typically at the access points) either with direct or indirect cooperation by these same companies.

This is why strong encryption is so important (and maybe why Facebook is trying to find ways to work with encrypted data in their pipelines – this may be more marketing hype than reality but I don’t know any more yet about that). As Bruce Schneier wrote, encryption keeps you safe.

I need to also be fair to Big Tech, they contribute a lot of good things to. And lots of amazing and gifted people work for these companies. And it’s hard to not have to rely on them in some way or another. However, we could reorganize the private-public arrangement around technology and have a probably far more equitable and advanced space (but this is an entirely different discussion ).

On Encryption
If you read Glen Greenwald’s book on the Snowden disclosures, you’ll see that even simple configuration changes can make the difference between whether or not the NSA can successfully get your data. That seems aligned with the nature of tech, if your program is designed for certain things and the data doesn’t match up then your program tends to not work as expected.

This suggests to me me that strong encryption really does provide some solid cover for both your privacy and your data. We use the NaCl/libsodium library for the asymmetric encryption because it needs to be as airtight as possible and that library is as good as it gets (as far as I know at this point), and makes it possible for me to utilize such strong encryption safely with such limited resources.

Yes, security is really all about the tradeoffs of time and money.

On the GDPR
This law is so important (as is the California law, Illinois biometrics law, and others) but they aren’t enough and don’t go far enough in actually addressing surveillance capitalism.

For instance, I know from personal anecdotes of people in the industry here in the U.S., that the GDPR effectively allows them to continue with business as usual. So, while it is important, it’s not enough and Facebook rendered it meaningless by swapping their legal structure to have everyone’s data be effectively domiciled outside the reach of the GDPR. So, it’s unfortunately not enough to protect people but is is an important and great first step.

On Payments
Thanks for sharing the PayPlug link. I haven’t had time to read through in any detail but I wasn’t aware of them prior.

This is a tough space for privacy, you may be able to use one of those Visa gift cards for Stripe but I haven’t tried it. If that works, then you could use that with an anonymous email through DuckDuckGo or other services and have some strong privacy on the payments front with Metamorphic. Again, I haven’t tried it so I don’t know if it will work but it seems plausible.

Stripe also has a great climate program that makes it very easy to automatically donate part of your payment straight to funding climate programs. For me, that was another important consideration.

On Social Media
One of the most important things about social media is that is has shifted the access to the public sphere into the digital space with the potential to democratize it and give everyone a voice. A healthy public sphere is essential to a healthy society. Long long ago, in a galaxy far far away… () the public sphere was a physical public space or square and people could/would debate and share ideas on how to organize and govern their communities (this is a more democratic example).

With this idea, if you participated in the public sphere you agreed to give up some of your privacy in order to preserve trust and lend credibility to your opinion. It also meant you needed to think about how you conducted yourself and treated others because your friends and community members would know that their neighbor behaved such-and-such way, etc.

So, there is an important aspect to giving up some privacy when you agree to participate in the public sphere. And it’s important to note that this sacrificing of privacy is known by you, initiated by you, and under your control – and in return for your ability to meaningfully participate.

With Metamorphic, my first step and goal is to empower people to take back control over their digital lives and regain some of their privacy. This means all the steps I’ve taken to create a system like this. My second goal was to remove all of the dark pattern design that addicts you and really hurts your mental, emotional, and social well being. This means that Metamorphic is more than just a privacy-respecting clone, there are significant differences in the way you interact and use the service (which I hope will translate to people spending less time on it and more time with life). The next step is to enable the ability to participate in the public sphere but in a manner that leaves it up to you, under your control, and still with a level of protection not currently happening on the major platforms. These public sphere participation features are future features and I can’t say more about them at this point as they’re still very early ideas.

A lot of the harmful stuff that happens on major platforms, are already rendered moot on Metamorphic by nature of its design. But, there are still lots of other things that I have to think about and consider as I develop Metamorphic.

Book worth reading: The Social Construction of Reality

Early Access
With early access, you sign up with an email address. This email address is symmetrically encrypted. When you get invite codes, you can then create an account at which point your account data is immediately asymmetrically encrypted and unknowable to me or anyone other than the password holder.

So, if you’re super concerned with privacy, and people signing up have already done this, you can use a temp or anonymous email to sign up for early access and another email to create your account.

The reason I don’t asymmetrically encrypt the early access sign up email, is that there’d be no way for me to email in the future when Early Access is ready to launch. At least, as I’ve designed the system for better or worse. Once Early Access is over I am going to delete all of that invite and email sign up data and it’ll be gone for good.

On Logs
Yes, no personal data is in logs at all. My logs would be frowned upon by probably every operations teams because of how basic, limited, and sparse they are.

It’s just the basic server functioning logs. I don’t personally log anything at this point. This opens up questions about denial of service attacks etc but I just haven’t got there yet. Maybe I will have to do something to address that but we’ll see.

Yes, Render’s privacy policy didn’t have me thrilled but I also felt like I protected against it all with my lack of identifying logs and encryption practices.

Now, they probably have my data for the account with them, but I have to make trade offs myself until a future where maybe I can build out our own infrastructure.

Also, I have a blog post on how I use the session rather than the IP to rate limit log in attempts while preserving privacy. So, I always try to look for solutions like that. That way I don’t have to take someone’s IP which could potentially be very privacy invading.

On Trust
At the end of the day, it all comes down to trust. I’ve learned that you could have a system that end-to-end or asymmetrically encrypts or zero-knowledges everything and still be stealing everyone’s data secretly. You would just do it before the data actually gets encrypted.

Take Zoom for example. They’re currently settling a multi-million dollar lawsuit that essentially shows that they lied about so many things and their settlement lets them claim they did nothing wrong, etc. I find a company like that very difficult to trust (and part of why I decided to make a feature like Portals – which will eventually be super awesome once I get my hands on that WebRTC book coming out in November).

Trust is also essential to a democracy and healthy society. This is another aspect why surveillance capitalism is so destructive to democracy and our societies. Its nature obliterates trust.

I mean even if you open-sourced your code, you could have another code base that you actually use. Again, this is an endless rabbit hole and at the end of the day you have to trust someone at some point. That being said, it’s important that your trust is earned. And in a healthy society trust is continually tested and reaffirmed.

I actually plan to open source Metamorphic after it’s in a more stable and secure position. I think my plan is to hopefully work with another company, like Dashbit, to help me make sure I do everything as good as I can.

To Conclude
Sorry, this is so long. I think I’m now losing my focus. Hope I answered some of your thoughts and concerns. I have put a lot of thought into this, and continue to, and my whole goal is to provide the power of technology to work for people (in this case to connect and share) to make their lives better rather than exploit them.

I don’t think I realized what I set out to do, how actually challenging it would be, but Elixir and Phoenix really make it possible for me.

This would probably make for an easier to follow discussion on a podcast as it is so much to read.

Perhaps I can invite you to hop on our humble podcast to discuss and learn more about what you’re up to and all of your adventures too? Or someone with a podcast can invite us both on .

Apologies for the late response, i was sure i had sent that reply . Thank you for the detailed response. It’s clearly getting into the difficult land of personal views (depending on how/where the person was raised, and so on).

That’s like the third time in that many months i’ve been asked for this (with one of the other two on this very forum ). I must have missed the bus about podcast making such a comeback (or they we’re always there, and i was too focused to notice…). Like the other two, it’s mostly a question of having the time at the moment, but i’ll be happy to once things settle in for me (should be the end of the year, or the beginning of the next).

I’m happy to report that I’ve switched from using the Amazon S3 for object storage to using Storj.

I’d been wanting to do this for awhile and, now that I just finished up a big support feature, I’ve had the head space to circle back to make the switch!

Storj is a decentralized cloud object storage provider. And I still am asymmetrically encrypting everything sent through their network, so no changes there.

Since I haven’t yet sent out the first early access invite codes, this means that people will start from the beginning with their encrypted objects stored with Storj. I still need to update the privacy policy and copy to reflect the change.

Storj seems interesting. WIll you develop a library to interact with it ? I see they provide bindings for their golang client in C.

Admittedly, I hadn’t yet thought about it. I’m currently using ex_aws to connect through their Gateway (setup similarly to how you’d configure it for minio).

I’m glad you mention this though, because now it is in my head and I think it’s a really interesting idea.

I have some questions:

• Are you referencing the uplink-c bindings?
• Also, the Livebook team is interfacing with Storj through their Gateway, perhaps someone is already working on a library?
• Are you interested in working on a library?

Yes I was refering to the C bindings as I know we can use C code from Elixir. There is also a rust library that uses the C bindings. I guess Rustler would be easier to use.

I am not really interested working on a library right now as I do not need that functionality. Maybe in the future. Also I do not really know how to write proper C code or to integrate C code with the BEAM.

Hi everyone,

I wanted to give a general update on when I would start sending out Early Access invite codes to people who have signed up (you still can!):

I’ve been going through a major life event that is requiring all of my heart and soul, and so I’m pushing back sending out invite codes until 1H 2022.

I had originally intended to have finished getting the Letters feature into a beta stage this month, but due to current events I have not been able to work on it yet. And I didn’t want to send out any codes until Letters was also in a beta stage.

Thank you to everyone that has signed up, it’s beyond exciting and encouraging for me and I appreciate your support. I am also super excited to be able to share another way to connect and share online that I really hope and believe will make our lives better. And if that’s not the case for you, then you can share your feedback, request new features, and vote on features, all in real-time too!

I’m sorry for the delay. I was really hoping people would be able to spend this holiday season sharing with their loves ones without worry on Metamorphic — but you’ll have to wait until 1H 2022 now (but I think it’ll ultimately end up making the Early Access experience better).

Thank you so much for your support and happy holidays

Hi again everyone

Happy to say that I’ve begun work on the Letters feature finally. I know this has been a long time coming, especially those who’ve waited at least 8 months now since signing up for Early Access.

Excited to say that the beta version of Letters is making quick progress now. Here’s a behind-the-scenes screenshot of our LiveView powered “at-mentions” in progress. This will be initially how you determine who to send your letter to. Disclaimer: nothing is set in stone and open to change.

Also, made some updates to the landing page including the launch date for the first round of Early Access invites (finally ). I will be rolling invites out in batches and beginning with people that I think will be the most patient and willing to stick around through the ongoing development process and UX evolution. Once I’ve finished with the round 1 invites, then I will update the landing page with the date for the next round. At this point, I’m foreseeing about 3 rounds and possible month or two in between rounds depending on how it goes.

Thank you so much for your patience, interest, and support. So close!

PS — If anyone’s been following closely, then you’ll notice that I’ve closed down the old company (Core Theory) and will be opening a new company for Metamorphic in the near future. Also, the podcast has transitioned branding over to just being about Metamorphic. I haven’t released any new episodes yet, due to everything that’s going on in my life. But, I will be getting back to the podcast later this year once things settle down a bit.

Hi everyone,

Wow, what a road it has been.

It’s been 8 months since the first person signed up for invite codes to our Early Access launch at Metamorphic and tonight, through the rest of this month, I am sending out the first round of emails to people.

---

It's been quite a journey

In 2020, I had a crazy idea to make an alternative way for people to connect and share online. Inspired by becoming a father (“Dada”), my own observations and intuitions about the effects of current platforms, and culminating with Shoshana Zuboff’s latest book on surveillance capitalism, I set off to not only build Metamorphic but also learn how to build it too.

Learning to Code

At the time, I had limited experience with Python and Ruby. With Python I had made a simple arcade-style game, called Paper Space Arcade, and packaged and shipped it for $0.99 to anyone with a Windows OS — it even featured an original soundtrack/score and my twin nephews loved to come over and play.

After Paper Space Arcade, I turned to web development to make a website for my partner-at-the-time to assist with her job applications and resume. This led to me discovering the Django framework and I began work building a job search for architects website called The Grid (wayback machine).

Switching from game development to web development was like turning the dopamine switch on high. The gap between code and “useable” shrank to almost nothing. Suddenly I could imagine turning an idea into a reality before the sun went down. It was an empowering feeling made intoxicating by its immediacy.

The Covid Age

When Covid hit, I felt both inspired and powerless to help. Day after day I’d read updates on the increasing numbers and wonder what I could do. Ultimately, not that much, but it drove me to add a search feature to The Grid that was updated with the Covid data from Johns Hopkins and enabled people to quickly and easily search by county around the world.

While The Grid failed, it was a great exercise in learning and avenue for channeling my creative energies and desire to help (it mostly just stressed people out whenever I commented on the latest numbers for their county).

Do all webs spin from Ruby?

As I immersed myself more and more in Python and Django, I inevitably discovered Ruby and Ruby on Rails. My first impression of Rails was “syntax confusion”, but I found myself charmed by the passion and philosophy of its fans and kept coming back to it.

So, I began building a portfolio site for my same partner-at-the-time using Ruby on Rails and I like to believe that it helped play a small role in landing her a job (the architects commented on how impressed they were with her site — though largely due to her design is my guess).

A transformation begins

Around the end of 2020, the idea that my company with my co-founder-at-the-time would raise money and successfully develop video games came to an end. I had also been the primary-caregiver to my incredible little one and found myself realizing how much I valued my role as such.

While I was demoralized about the end of the “video game dream”, I found myself increasingly inspired to do something that would have a positive effect on the world for my little one. That’s when I decided to commit to building another way to connect and share online — insulated against the raging surveillance economy.

Early versions

Since Ruby was the latest language I had been working in, I embarked to build Metamorphic with Ruby and Ruby on Rails. It’s hard to imagine or even remember these early versions, but I do recall consistently bumping up against the need to do so much more with so much less.

While I was stumbling over the same development hurdles with Ruby and Rails, I learned about Elixir and Phoenix from that similarly momentous Chris McCord Twitter clone.

However, I was initially turned away again from my first impression of the syntax and feeling my brain explode every time I saw symbols moving through other symbols:

# From Chris McCord's demo
def inc_likes(%Post{id: id}) do
  from(p in Post, where: p.id == ^id, select: p)
  |> Repo.update_all(inc: [likes_count: 1])
end

But, destiny beckoned, and I sat down one night and followed along — throwing out any attempt to understand and just going along for the ride.

And what a ride it was. When I played with the finished demo on my own laptop it was like hitting reset on the dopamine switch. I didn’t know much of anything about Elixir and Phoenix, but I knew I had found the tools that would give me the best shot I had at making Metamorphic come true.

Today

And now, nearly 2 years later, I am finally “ready” (ohhh boy…) to start sending out the first round of Early Access invites. I had no idea that it would take me this long when I first set out to make it.

My naivete was a blessing because I probably wouldn’t have attempted Metamorphic if I had realized what I would go through along the way. I still don’t know.

The community around Elixir is simply phenomenal. Whether it’s a podcast or this forum, people are compassionate, kind, and inspiring (not to mention brilliant and skilled — seriously, wow). And it goes without saying, but I’ll keep saying it, that Metamorphic wouldn’t be possible without the community.

With luck and work, I’ll be able to keep contributing and giving back to the community even more (so far that Ecto guide and simple HaveIBeenPwned? alt-library).

A final personal note around Early Access

I mentioned I’ve been going through a challenging time outside of Metamorphic, which had delayed my original launch plans.

And it’s true, as a father and primary-caregiver going through a… nightmare of a divorce… going through all sorts of court/legal fights (family and criminal)… being isolated with the little one from our family and support network on the other end of a large country… while moving in our first blizzard… I’ve had to handle more than I ever thought I was capable of.

So, I cross my fingers that Early Access members will be patient and understanding with any hiccups or “bugs” as I work to make Metamorphic as awesome as it can be for everyone, while also working to make sure my little one’s life is as awesome as it can be for them too.

I’ve been so fortunate to have such incredible support in my personal life and in this community, and so from the bottom of my heart, thank you to everyone.

I’m so excited to welcome people on this crazy journey with me.

To a better future together,

Mark

Congratulations on your journey, the perseverance and passion you show is a clear inspiration to everyone!

Mark,
I received 3 early access codes today, so I signed up. However, everything in the left navigation bar except home and support gave me 500 internal server error.

Hi Derek,

Oh sorry to hear that! Thanks for letting me know. Working on this right now, just saw its an error when you don’t have a subscription.

Update

Okay, this error has been fixed and pushed up. Should be good to go. Now when you click on features in the left navigation bar you are redirected to start a 14-day free trial subscription if you don’t have an active subscription or free trial.

There’s one more kink now I’m updating actually.

Update

It appears the bug exists in Firefox but not in Brave browser (which makes me think Chrome is okay too but haven’t tested).

In Firefox, it isn’t reading the CSP config (issuing an error that it is blocking the Stripe script). This is preventing proper syncing between Stripe and Metamorphic.

On Brave, the CSP config is being read correctly and this bug doesn’t occur and everything syncs correctly.

Looking into why this is happening in Firefox.

Update

Appears the Privacy Badger extension was blocking some of the Stripe network connections. Disabling or allowing Stripe in the Privacy Badger extension gets rid of the CSP block in Firefox.

Currently, working on updating the subscription synchronizing to handle some potential edge cases that I’m still noticing with Firefox. Will update soon (also there’s an announcement on your Metamorphic dashboard about this current bug and will update there too when I have something new to report).

Thank you for your patience and understanding and sorry about this

Update 3/26/2022

It appears the webhooks timing out issue on new subscription sign ups has been resolved!

You should now be able to sign up for 14-day free trial (in Firefox or otherwise) and start using the app. Let me know if you are still having an issue.

From what I had been reading, it seemed that there was some kind of delay causing no responses to be returned on webhooks that I thought would be returning responses.

Attempts

I did a few things to get to where it appears to be working:

• create Oban workers to send off the calls to stripe for attaching payment method and creating subscriptions
• [deprecated] Task.Supervisor to call the function that calls into the webhooks supervised genserver (webhooks genserver handles the events and notifying subscribers via PubSub of the events)
• [deprecated] call the success function to try and immediately return a 200 "ok" response to Stripe
• drop stripe controller, deprecated items above, and custom body parser in favor of stripity_stripe’s Stripe.WebhookPlug
• made a MetamorphicWeb.StripeHandler with stripity_stripe’s @behaviour Stripe.WebhookHandler

The challenge for me was that the webhooks would consistently work in development with the Stripe CLI (considering ngrok for future). So, I would first check that things work there and then have to test in production on my own account and go back and forth.

I think this really was the difference-maker for me and I’d recommend anyone to default to this body parser method if using stripity_stripe:

# endpoint.ex

plug Stripe.WebhookPlug,
    at: "/webhooks/stripe",
    handler: MetamorphicWeb.StripeHandler,
    secret: {Application, :get_env, [:stripity_stripe, :webhook_signing_key]}

plug Plug.Parsers,
  ...

So, now the StripeHandler simply broadcasts out to the supervised webhooks_processor.ex GenServer to handle further processing and broadcasting:

# stripe_handler.ex
  ...
  @behaviour Stripe.WebhookHandler

  @impl true
  def handle_event(event) do
    notify_subscribers(event)
  end

  def notify_subscribers(event) do
    Phoenix.PubSub.broadcast(MetamorphicWeb.PubSub, "webhook_received", %{event: event})
  end

  def subscribe_on_webhook_received() do
    Phoenix.PubSub.subscribe(MetamorphicWeb.PubSub, "webhook_received")
  end

Thank you to @stefanchrobot (response to another thread), @andreaseriksson (stripe course), Conner Fritz blog and Simon Rydell’s blog post.