The Spiral Corner

The problem

The Spiral Corner sells premium magazine issues that readers own permanently against their account, not files they can download once and pass around. That sits on top of an inherently impossible problem: you cannot truly DRM a PDF on the open web. A determined user can always screenshot a page they can see.

So the brief was twofold, and the two halves pull against each other. The front-end had to be wild: a "shifting digital identity system" with boot-sequence intros, glitch and flicker motion, layered typography, and a hidden keyboard easter egg. The backend had to be the opposite: a disciplined, secure, refund-aware commerce engine. Neither was allowed to compromise the other.

The approach

I rejected fake DRM and built for deterrence in depth and traceability instead. The honest goal is to make leaks costly, friction-heavy, and traceable rather than to pretend they're impossible.

The protection is layered:

• A private storage bucket with no public access, so the file URL is never exposed.
• Server-side ownership checks before any file is handed out.
• Short-lived signed URLs (5-minute scope) issued only to a proven owner.
• Dual-layer forensic watermarking: every on-screen page is stamped client-side into the bitmap with the buyer's email and user ID, and the downloadable copy is separately stamped server-side with pdf-lib before the bytes ever leave the server. Any leaked page traces back to an account.
• A 3-device download ceiling per issue, backstopped by a database trigger against concurrent first-download races.
• Disabled save / print / right-click / drag as deterrent friction.

Web DRM is impossible, so the goal is deterrence and traceability, executed in depth.

The viewer itself is custom. PDF.js renders each page to a canvas inside a react-pageflip two-page spread that works down to phone width. It streams the PDF with real download-progress, holds only a window of live canvases in memory (±4 pages) so it stays light on mobile, flips on scroll with a gesture cooldown, and renders retina-aware so text stays sharp on small screens, all with no native PDF chrome and no download button.

One decision I'm proud of is the egress tradeoff. The viewer could proxy bytes through the server to hide the storage URL, but that caps function duration and double-bills egress. Instead, a proven owner streams straight from storage via a short-lived signed URL (CDN-cached, Range-request friendly, single-billed), while the watermarked download still routes through the server, where stamping has to happen. The right tool per path.

Access is granted by webhooks, treated as the single source of truth. Signatures are verified (HMAC-SHA256), ownership is written with idempotent upserts keyed on (user_id, issue_id) so retries never double-grant, and refunds or chargebacks automatically retract access. The schema even carries a full payment-provider migration trail (Stripe → Paddle → Lemon Squeezy → Whop) with legacy rows preserved, so the processor was swapped without losing data or breaking idempotency.

The outcome

A genuinely secure, idempotent, refund-aware commerce-and-delivery engine: RLS-enforced data isolation across 12 tracked migrations, dual-layer forensic watermarking, device-limited downloads, and signed-URL streaming, all running underneath an aggressively experimental front-end, with neither side compromising the other. An owned issue renders as a real flipbook in the browser: sharp on any screen, no exposed file, no native download, and every page fingerprinted to its buyer.