Check out http://railskits.com/saas/ for the SaaS Rails Kit
* Disclosure - I'm friends with Ben, the owner of RailsKits, and have done work for him in the past.
It has a few wrinkles though, mainly from being actively developed in 2008, with mainly bugfixes and Rails 3 support coming since then. The main ones I'd highlight that tripped me up:
- Expects payment gateway authentication credentials to be stored in a YAML file in source control instead of loaded from the environment.
- A number of the controller actions trigger immediate email sending, which can cause customer-visible 500 errors if the email sending fails and is a less reliable way of making sure the email gets sent.
- Uses Stripe API v1 instead of the current v2.
- A lot of the customer email templates are kind of boilerplate-y and would not win the Patrick McKenzie stamp of copywriting approval. I believe they're loaded in from the gem rather than from the app.
My main piece of advice would be to vendor the entire gem right off the bat -- you're likely going to be tweaking several different parts of it, and there's almost no active development that you'd have to incorporate.
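One way to address the first wrinkle in the list above, as an added example that is not part of the original comment or the kit's code: non-secret settings stay in a committed YAML file, while gateway credentials are read only from the environment. The key names, environment variable names and sample values are hypothetical, since the thread does not show the kit's actual config layout.

```ruby
require "yaml"

# Hypothetical names: the kit's real file layout and keys are not shown in the thread.
SECRET_KEYS  = %w[login password api_key].freeze
REQUIRED_ENV = { "login" => "GATEWAY_LOGIN", "password" => "GATEWAY_PASSWORD" }.freeze

class GatewayConfigError < StandardError; end

# Non-secret settings come from YAML (safe to commit); credentials come only
# from the environment. A secret key found at the top level of the file is an
# error, so credentials cannot silently creep back into source control.
def load_gateway_config(yaml_text, env = ENV)
  settings = YAML.safe_load(yaml_text) || {}
  raise GatewayConfigError, "top level must be a mapping" unless settings.is_a?(Hash)

  leaked = settings.keys.map(&:to_s) & SECRET_KEYS
  raise GatewayConfigError, "secrets in config file: #{leaked.join(', ')}" unless leaked.empty?

  creds = REQUIRED_ENV.each_with_object({}) do |(key, var), out|
    value = env[var].to_s.strip
    # Fail at boot rather than at the first customer charge.
    raise GatewayConfigError, "missing environment variable #{var}" if value.empty?
    out[key] = value
  end

  settings.merge(creds).freeze
end

# Constructed sample inputs.
COMMITTED_YAML = "gateway: stripe\ntest_mode: true\n"
LEAKY_YAML     = "gateway: stripe\npassword: hunter2\n"
SAMPLE_ENV     = { "GATEWAY_LOGIN" => "acct_example", "GATEWAY_PASSWORD" => "s3cret-example" }.freeze

if __FILE__ == $PROGRAM_NAME
  cfg = load_gateway_config(COMMITTED_YAML, SAMPLE_ENV)
  # Print only the non-secret settings.
  puts cfg.reject { |key, _| SECRET_KEYS.include?(key) }.inspect
end
```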
Stripe is good, as you'll never see credit card numbers, so you'll have no security issues to deal with in that area.
I'm building a SaaS product right now and finding that there aren't very many sources for finding industry standards. Non-enterprise SaaS is quite new.
That said, I think the best thing to do is wait until you spot abuse, and create measures to prevent it. Work on your analytics and reporting systems rather than trying to contrive possible service abuses.
I'm rolling my own signup (which is easy enough in Django), but I'd consider doing a Google login. Facebook & Twitter I wouldn't care to implement: My target audience wouldn't want to be mixing their social logins with my service.