Full‑stack React starter: Vite + TS + Tailwind, Bun/Hono + SQLite, cookie auth, CSRF, and Google OAuth—scaffolded in one command.
npm create super-react@latest my-app
cd my-appYou get:
- Frontend: React + TypeScript + Vite + Tailwind CSS
- Backend: Bun + Hono API server
- Database: SQLite with migrations
- Auth: Google OAuth or email/password (optional)
- Security: CSRF protection, secure cookies
- DX: Hot reload, TypeScript everywhere, one command to run everything
Default preset: Google OAuth (PKCE) with secure cookie sessions, CSRF protection (synchronizer nonce + Origin check), and routes for home/login/dashboard/settings.
Use --password-auth to add email/password authentication alongside Google OAuth.
Use --minimal to generate a lean variant without auth.
npm create super-react@latest
# You'll be prompted to:
# 1. Enter project name
# 2. Select authentication type# Google OAuth only (default)
npm create super-react@latest my-app
# Google OAuth + Email/Password auth
npm create super-react@latest my-app -- --password-auth
# Minimal (no auth, but includes React Router)
npm create super-react@latest my-app -- --minimal
# Alternative: use --no-auth flag
npm create super-react@latest my-app -- --no-authThen, in two terminals:
# API (Bun)
cd my-app/backend
bun run dev # http://localhost:3000
# Web (Vite)
cd ../frontend
npm run dev # http://localhost:5173For Google login, complete the Google OAuth setup below; the backend ships a helpful error until configured.
- Node.js ≥ 18 (for the CLI and frontend tooling)
- npm (bundled with Node)
- Bun (backend runtime) — install from https://bun.sh
- Git (optional)
Windows note: you don't need
chmodfor the CLI; it runs via the Node/npm shim.
my-app/
├─ frontend/ # Vite + React + TS + Tailwind v4 + React Router (always included)
└─ backend/ # Bun + Hono + SQLite API (with optional auth)
Docs: The generator also writes a root CLAUDE.md whose content is tailored to the preset:
- Google-only preset (default): includes Google OAuth setup, CSRF/session details, routes, and security defaults.
- Password auth preset (
--password-auth): adds email/password forms, signup/login endpoints, and password hashing. - Minimal preset (
--minimal): slim overview of the stack and sample endpoints, no auth.
- Frontend routes:
/(public homepage)/login(Google "Continue with Google" button only)/dashboard,/settings(protected)
- Backend: Google OAuth PKCE flow, secure sessions, CSRF protection
- No dependencies on:
lucide-react,zod(password validation)
- Frontend routes:
/(public homepage)/login,/signup(email/password forms + Continue with Google button)/dashboard,/settings(protected)
- Backend: All Google OAuth features + local auth (scrypt password hashing)
- Additional features: Password change, signup validation, show/hide password toggles
- Extra dependencies:
lucide-react(password icons),zod(validation)
- Frontend routes:
/(modern landing page with feature grid and todo demo)/about(tech stack details and documentation)
- Backend:
GET /api/health, andGET/POST /api/todosusing SQLite - Features: React Router navigation, responsive navbar, professional UI
- No auth: CORS is enabled in this preset for convenience
- React Router included in all presets with clean navigation structure
- Auth context (
AuthProvider/useAuth) backed by/api/auth/session(auth presets only) apiFetchhelper automatically attaches CSRF headers on unsafe requests and includes cookies (auth presets only)- Tailwind v4 via
@tailwindcss/viteand@import "tailwindcss";insrc/index.css - Dev proxy:
/api→http://localhost:3000so cookie sessions work during local dev (auth presets only) - Modern UI components: Navbar, Avatar with dropdown menu, Modal, Account Settings page (auth presets only)
- Professional landing page with feature grid and interactive todo demo (minimal preset)
- SQLite tables:
users(email, optional password_hash for--password-auth)sessions(stores hash of the session token + a per‑session CSRF secret)oauth_accountsandoauth_states(for Google PKCE flow)
- Session management: httpOnly cookie session (
sid) withSameSite=Lax,Securein production; 30‑day TTL; rotation on login. - CSRF: synchronizer token with short‑lived nonce (10 minutes) + Origin/Referer validation for
POST/PUT/PATCH/DELETE. - Core endpoints:
POST /api/auth/logoutGET /api/auth/session→{ id, email } | nullGET /api/auth/csrf→{ nonce, token, exp }DELETE /api/account→ delete user accountGET /api/me(example protected)- Google OAuth:
GET /api/auth/google/start,GET /api/auth/google/callback
- Password auth endpoints (when
--password-authis used):POST /api/auth/signup,POST /api/auth/loginPUT /api/account/password→ change password
- Basic rate limiting (in‑memory) for signup/login.
The generator writes backend/.env.example. Create backend/.env and fill:
GOOGLE_CLIENT_ID=your_google_client_id
GOOGLE_CLIENT_SECRET=your_google_client_secret
FRONTEND_ORIGIN=http://localhost:5173
OAUTH_REDIRECT_URI=http://localhost:3000/api/auth/google/callbackIn Google Cloud Console → Credentials → OAuth 2.0 Client IDs (Web application):
- Add Authorized redirect URI exactly as
OAUTH_REDIRECT_URI. - Copy Client ID and Client Secret into your
.env.
Restart the backend, open /login, and click Continue with Google.
- Cookie sessions (httpOnly +
SameSite=Lax; addSecurein production) - CSRF synchronizer nonce + Origin/Referer checks on unsafe methods
- No state changes on GET routes
- Session rotation on login and 30‑day TTL; deleting a session row revokes that device immediately
- Password security (when
--password-auth): scrypt hashing with per‑user salt, 8+ character minimum
If you deploy frontend and backend on different origins, you'll need CORS and likely
SameSite=None; Securecookies. CSRF protection remains required for unsafe methods.
GOOGLE_CLIENT_ID,GOOGLE_CLIENT_SECRET— required for Google loginFRONTEND_ORIGIN— defaults tohttp://localhost:5173in dev; set to your site in prodOAUTH_REDIRECT_URI— defaults tohttp://localhost:3000/api/auth/google/callback- (Standard vars like
NODE_ENValso apply)
- "Google OAuth not configured" → Fill
.envas above. - "Bad origin" on unsafe requests → Set
FRONTEND_ORIGINto your frontend URL. - CSRF errors ("missing/invalid/expired") → Use
apiFetchor manually call/api/auth/csrfand sendX‑CSRF‑Nonce/X‑CSRF‑Tokenwith cookies. - Bun not found → Install Bun and restart your shell.
- Vite proxy not applied → If
vite.config.*wasn't patched, add a dev proxy from/apitohttp://localhost:3000.
Run locally without publishing:
node index.js demo-app # generate into ./demo-app
# or
npm link # create a global shim
create-super-react demo-app # run as a commandVerify package contents before publishing:
npm pack --dry-runPublish a new version:
npm version patch
npm publishImplementation notes:
- The CLI itself is a zero‑dependency Node ESM file with a shebang.
- It installs framework deps only into the generated app.
- It writes a preset‑specific
CLAUDE.md(Google-only vs password auth vs minimal). - Uses file-based templates in
templates/directory for easier maintenance. - Template layers:
base/(always applied),auth-google/,auth-password/(conditionally applied).
- Interactive CLI: Interactive CLI experience with arrow-key navigation using @clack/prompts
- ASCII Art Logo: Stylized lightning bolt branding on startup
- Progress Tracking: Real-time progress display during template file operations
- File Tree Display: Visual representation of created project structure
- Spinners & Progress: Visual feedback during all operations
- Colored Output: Better readability with syntax highlighting throughout
- Smart Validation: Project name validation and helpful error messages
- File-based templates: Refactored from inline strings to organized template files
- Enhanced minimal preset: Now includes React Router, professional landing page, and todo demo
- Improved navigation: All presets now include React Router with clean nav structure
- Better developer experience: Templates are easier to maintain and extend
- Bug fixes: Fixed react-router-dom installation and removed annoying directory prompts
MIT © 2025 Scott Daly