UNPKG

create-super-react

Version:

Full‑stack React starter: Vite + TS + Tailwind, Bun/Hono + SQLite, cookie auth, CSRF, and Google OAuth—scaffolded in one command.

super-react.com

scottdaly/create-super-react

61 lines (53 loc) 2.49 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
# CLAUDE.md This project was generated by **create-super-react** (default). It includes Google OAuth authentication with secure sessions, CSRF protection, and a clean modern UI. ## Structure ``` {{PROJECT_NAME}}/ frontend/ → Vite + React + TypeScript + Tailwind v4 + React Router backend/ → Bun + Hono + SQLite (bun:sqlite) ``` ## Frontend - React Router routes: `/`, `/login`, `/dashboard` (protected), `/settings` (protected) - `apiFetch` helper auto‑adds CSRF headers on unsafe methods and sends cookies - **Google OAuth only** - no email/password forms - Tailwind v4 via `@tailwindcss/vite` + `@import "tailwindcss"` in `src/index.css` - Dev proxy: `/api``http://localhost:3000` so cookie sessions work in dev ## Backend - SQLite database at `backend/data.sqlite` - Tables: - `users(id, email, created_at)` (Google OAuth only, no passwords) - `sessions(id, user_id, token_hash, csrf_secret, created_at, expires_at, user_agent, ip)` - `oauth_accounts(provider, provider_user_id, user_id, created_at)` - `oauth_states(state, code_verifier, nonce, created_at)` (temporary PKCE state) - Session management: - Session cookie: httpOnly, `SameSite=Lax`, `Secure` in prod, 30‑day TTL - CSRF & safety: - Synchronizer token with **short‑lived nonce** (10 min) + **Origin/Referer check** for all authenticated actions - Never mutate state on GET - Endpoints: - GET `/api/auth/session``{ id, email } | null` - GET `/api/auth/csrf``{ nonce, token, exp }` - POST `/api/auth/logout` - DELETE `/api/account` → delete account - GET `/api/me` (protected example) - Google OAuth: GET `/api/auth/google/start`, GET `/api/auth/google/callback` ## Google OAuth Setup (PKCE) Create `backend/.env` (copy from generated `.env.example`): ```env GOOGLE_CLIENT_ID=your_google_client_id GOOGLE_CLIENT_SECRET=your_google_client_secret FRONTEND_ORIGIN=http://localhost:5173 OAUTH_REDIRECT_URI=http://localhost:3000/api/auth/google/callback ``` Then add the redirect URI in Google Cloud Console and restart the backend. ## Dev commands ```bash # API cd backend && bun run dev # http://localhost:3000 # Web cd ../frontend && npm run dev # http://localhost:5173 ``` ## Troubleshooting - **Bad origin** → set `FRONTEND_ORIGIN` to your frontend dev/prod origin - **CSRF missing/invalid/expired** → use `apiFetch` or fetch `/api/auth/csrf` and send `X‑CSRF‑Nonce` + `X‑CSRF‑Token` - **Google not configured** → fill `.env` values above