How to Build a Membership site with Replit

To build a membership site on Replit, start with a Node.js Express app for the server, use SQLite (or Replit’s built-in Database for simple cases) for storing user data, and enable authentication with hashed passwords using bcrypt. Set up routes to handle sign-up, login, logout, and protected content. Use Express sessions (stored in memory or with a store like SQLite) to keep users logged in. You’ll manage secrets (like session keys) using Replit’s “Secrets” panel. Deploy directly from Replit once it works. Everything runs inside one Repl, so keep your code organized: backend in server.js, static assets in a public folder, and views (HTML forms and pages) in a views folder. This approach gives a small, secure, and maintainable membership app that’s realistic for Replit’s environment.

 

Step 1: Setup project structure

 

Create a new Node.js Repl. In your main directory (where index.js usually is), rename it to server.js. Add:

• server.js – your backend logic
• views/ – HTML templates (for signup, login, dashboard)
• public/ – static assets like CSS or images
• database.sqlite – will be created automatically by the code

 

npm install express express-session sqlite3 bcrypt ejs

 

Step 2: Create the server (server.js)

 

This file is the heart of your app. It sets up your routes and database.

 

// server.js
const express = require('express');
const session = require('express-session');
const sqlite3 = require('sqlite3').verbose();
const bcrypt = require('bcrypt');
const path = require('path');

const app = express();
const db = new sqlite3.Database('database.sqlite');

// Use EJS for simple templating
app.set('view engine', 'ejs');
app.set('views', path.join(__dirname, 'views'));

// Middleware setup
app.use(express.urlencoded({ extended: true }));
app.use(express.static('public'));
app.use(
  session({
    secret: process.env.SESSION_SECRET, // Store in Replit secrets
    resave: false,
    saveUninitialized: false
  })
);

// Create table if not exists
db.run(`CREATE TABLE IF NOT EXISTS users(
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  username TEXT UNIQUE,
  password TEXT
)`);

// Route: Home
app.get('/', (req, res) => {
  if (req.session.userId) {
    res.redirect('/dashboard');
  } else {
    res.render('login');
  }
});

// Route: Sign up page
app.get('/signup', (req, res) => {
  res.render('signup');
});

// Route: Handle sign up
app.post('/signup', async (req, res) => {
  const { username, password } = req.body;
  const hashed = await bcrypt.hash(password, 10);
  db.run(`INSERT INTO users(username, password) VALUES(?, ?)`, [username, hashed], err => {
    if (err) {
      return res.send('User already exists or error occurred.');
    }
    res.redirect('/');
  });
});

// Route: Handle login
app.post('/login', (req, res) => {
  const { username, password } = req.body;
  db.get(`SELECT * FROM users WHERE username = ?`, [username], async (err, user) => {
    if (!user) return res.send('Invalid username or password');
    const match = await bcrypt.compare(password, user.password);
    if (match) {
      req.session.userId = user.id;
      res.redirect('/dashboard');
    } else {
      res.send('Invalid username or password');
    }
  });
});

// Route: Dashboard (protected)
app.get('/dashboard', (req, res) => {
  if (!req.session.userId) return res.redirect('/');
  res.render('dashboard', { username: req.session.username });
});

// Route: Logout
app.get('/logout', (req, res) => {
  req.session.destroy(() => {
    res.redirect('/');
  });
});

app.listen(3000, () => console.log('Server running on port 3000'));

 

Step 3: Create your views

 

Inside your views folder, create three EJS files: login.ejs, signup.ejs, and dashboard.ejs.

 

<!-- views/login.ejs -->
<!DOCTYPE html>
<html>
<head><title>Login</title></head>
<body>
<h2>Login</h2>
<form action="/login" method="POST">
  <input name="username" placeholder="Username" required>
  <input name="password" type="password" placeholder="Password" required>
  <button type="submit">Login</button>
</form>
<a href="/signup">Sign up</a>
</body>
</html>

 

<!-- views/signup.ejs -->
<!DOCTYPE html>
<html>
<head><title>Sign Up</title></head>
<body>
<h2>Create Account</h2>
<form action="/signup" method="POST">
  <input name="username" placeholder="Username" required>
  <input name="password" type="password" placeholder="Password" required>
  <button type="submit">Sign Up</button>
</form>
<a href="/">Back to Login</a>
</body>
</html>

 

<!-- views/dashboard.ejs -->
<!DOCTYPE html>
<html>
<head><title>Member Dashboard</title></head>
<body>
<h2>Welcome to the members area!</h2>
<a href="/logout">Logout</a>
</body>
</html>

 

Step 4: Manage Secrets

 

In Replit, go to the Secrets (lock icon) on the left sidebar, and add a new secret:

• Key: SESSION\_SECRET
• Value: any random long string (for example from a password generator)

Replit automatically makes this available as process.env.SESSION\_SECRET in your code.

 

Step 5: Test and deploy

 

Click “Run”. Replit will open a web view of your app. Try signing up and logging in. The first time you run it, notice that database.sqlite appears in your file tree; that’s where user info is stored. Once it’s working, click the “Deploy” button in the top-right to host it. In Replit’s free tier, the Repl will sleep when inactive — that’s fine for learning and demos, but use Replit Deployments or an external host if you need it online reliably 24/7.

 

Practical Notes

 

• Replit’s SQLite database persists across runs, but avoid large datasets – it’s not meant for high traffic.
• Never commit your secrets; use Replit Secrets instead.
• For teams, Replit’s “Collaboration” lets others edit code in real-time, but only share with people you trust as all can access the Secrets while running.
• Use console.log() for debugging – Replit’s console works well for that.

 

This pattern — Express + SQLite + Sessions — is small, solid, and fully works inside Replit’s environment for real, practical membership sites.

A solid membership site on Replit should use an Express (Node.js) backend for user handling, a database connection through Replit’s built-in Database or an external DB (like MongoDB Atlas), and proper auth and secrets handling via Replit’s Secrets tab. Don’t store API keys or passwords directly in your code. Keep users’ passwords hashed (never plain-text). Structure the app so that your backend handles login/signup, your frontend (can be static HTML or React) fetches data only through API endpoints, and your logic is simple enough to avoid Replit’s storage and runtime limits. Host persistent assets on external storage or GitHub if needed and always test when you fork or reboot the Repl.

 

Project Structure

 

A simple structure that works well for Replit:

• index.js → main server file (Express app)
• views/ → HTML templates or front-end React build output
• public/ → static assets like CSS and images
• db.js → database connection (if external)
• utils/hash.js → helper for password hashing

Replit automatically runs the file you specify in the “Run” button (by default usually index.js).

 

Recommended Dependencies

 

npm init -y
npm install express bcryptjs jsonwebtoken dotenv

This installs:

• express for the web server
• bcryptjs for password hashing
• jsonwebtoken for user session tokens
• dotenv for loading environment secrets from Replit

 

Setting up Secrets in Replit

 

In the left sidebar, click the lock icon → add a secret key like:

• JWT\_SECRET: something unique (used for token signing)
• DB\_URL: if using external database

These can be accessed in code via process.env.JWT\_SECRET safely, without exposing them publicly.

 

Backend Setup (index.js)

 

// index.js
import express from "express"
import bcrypt from "bcryptjs"
import jwt from "jsonwebtoken"

const app = express()
app.use(express.json())

// Temporary demo storage: use this only for learning! Replace with a DB in real projects.
let users = []

// Signup route
app.post("/signup", async (req, res) => {
  const { username, password } = req.body
  const existing = users.find(u => u.username === username)
  if (existing) return res.status(400).json({ error: "User already exists" })

  const hashed = await bcrypt.hash(password, 10)
  users.push({ username, password: hashed })
  res.json({ success: true })
})

// Login route
app.post("/login", async (req, res) => {
  const { username, password } = req.body
  const user = users.find(u => u.username === username)
  if (!user) return res.status(400).json({ error: "Invalid credentials" })

  const match = await bcrypt.compare(password, user.password)
  if (!match) return res.status(400).json({ error: "Invalid credentials" })

  const token = jwt.sign({ username }, process.env.JWT_SECRET, { expiresIn: "2h" })
  res.json({ token })
})

// Protected route
app.get("/profile", (req, res) => {
  const auth = req.headers.authorization
  if (!auth) return res.status(401).json({ error: "No token" })

  const token = auth.split(" ")[1]
  try {
    const decoded = jwt.verify(token, process.env.JWT_SECRET)
    res.json({ message: `Welcome ${decoded.username}!` })
  } catch {
    res.status(401).json({ error: "Invalid token" })
  }
})

// Port for Replit environment
const port = process.env.PORT || 3000
app.listen(port, () => console.log("Server running on port " + port))

Place this file in the root of your Repl (it’s the main entry). When you click “Run,” Replit will start this Express server.

 

Frontend Example (views/signup.html)

 

<!DOCTYPE html>
<html>
  <body>
    <h2>Sign Up</h2>
    <form id="signup-form">
      <input name="username" placeholder="Username" required />
      <input name="password" type="password" placeholder="Password" required />
      <button>Sign Up</button>
    </form>
    <script>
      const form = document.getElementById("signup-form")
      form.addEventListener("submit", async (e) => {
        e.preventDefault()
        const data = { username: form.username.value, password: form.password.value }
        const res = await fetch("/signup", {
          method: "POST",
          headers: { "Content-Type": "application/json" },
          body: JSON.stringify(data)
        })
        const json = await res.json()
        alert(JSON.stringify(json))
      })
    </script>
  </body>
</html>

If you use static HTML pages like this, keep them under a views/ or public/ folder and let Express serve them by adding in index.js before your routes:

 

app.use(express.static("public"))

 

Database (Optional but Recommended)

 

For production-grade persistence, use MongoDB Atlas (free tier). Create a db.js file in the root:

 

// db.js
import mongoose from "mongoose"

export async function connectDB() {
  await mongoose.connect(process.env.DB_URL)
  console.log("Connected to database")
}

Then in index.js, at the top:

 

import { connectDB } from "./db.js"
connectDB()

 

Replit-Specific Tips

 

• Avoid using Replit’s built-in Database for serious membership sites — it’s fine for testing, but not reliable for scaling or security.
• Use Secrets for private information. Never commit credentials or tokens.
• Enable Always On (if you have Replit Core) so that the membership site stays available.
• Collaborate safely — sharing your Repl exposes code but not your Secrets; still, handle tokens with care.
• Deploy by using Replit’s “Deployments” tab if you need a stable public URL; free Repls sleep otherwise.

This setup is enough for a real, working membership base that can evolve into a full project — secure, sharable, and compatible with Replit’s environment.