nickredmark / staart

A starter library for node projects with user accounts.
MIT License
313 stars, 39 forks

Ability to customize login and register components #18

Closed ghost closed 3 years ago

ghost commented 6 years ago

I do not want to allow my users to log in with Facebook. I tried removing the configuration options in public-settings.js and settings.js but the button still shows up. Is it possible to remove it? Furthermore, is it possible to customize the form? I would like a regular React component in my project that I can modify.

Unrelated to that, I am also curious: Does this project utilize HTTP-only cookies to secure the session ID/token on the client? Is it safe from CSRF and XSS? I am also looking at Next.js Starter which has recently been refactored to use the next-auth module by the same author, but it does not seem to provide a way to log in using an email address and password. I have some Passport local strategies I would like to use. Can I do that with ooth/staart?

nickredmark commented 6 years ago

Hey there @kelleg1, thanks for your interest in this project. I'd recommend you first check the staart components code directly, because they are meant to be pretty simple and easy to copy/paste into your code and adapt. E.g. the Login component:

https://github.com/nmaro/staart/blob/master/packages/staart/src/components/login.js

is based on the following components:

https://github.com/nmaro/staart/blob/master/packages/staart/src/components/login-local.js
https://github.com/nmaro/staart/blob/master/packages/staart/src/components/login-facebook.js
https://github.com/nmaro/staart/blob/master/packages/staart/src/components/login-google.js

but you can easily include those you need directly into your login page.

Similarly, the individual components should be easy to copy/paste into your code base and adapt (they are kept super simple by design).

I'd also like to note that if you desire to extend any component to be more configurable, you are welcome to contribute that. Sooner or later I'm going to do it but if you happen to do it I'll be glad for the contribution.

Regarding ooth: the main idea is that you can use any authentication method you like, but then an HTTP-cookie-based session is created. If you use ooth as a standalone it gets slightly more complex: ooth gives you a JWT that the ooth client then provides to the API to then, again, create a cookie-based session (the JWT is then discarded). I believe this makes it safe w.r.t. XSS except during the moment of the JWT transfer (but I wouldn't know of an XSS-safe way to transmit a JWT from one host to another).

WRT CSRF, to be honest I haven't looked into it. I opened a ticket to investigate the topic: https://github.com/nmaro/ooth/issues/33