// Spellstash login / signup page. // Email + password via Supabase Auth. After auth, redirects to ?next= or // /collection.html. Auto-switches to signup if URL has ?signup=1. const { useState, useEffect } = React; // Only allow same-origin relative redirects from ?next. Blocks open-redirect // payloads like //evil.com, https://evil.com, and javascript: URLs. Must start // with a single "/" and not "//" or "/\". function safeNext(raw, fallback) { if (typeof raw !== "string" || raw.length === 0) return fallback; if (raw[0] !== "/" || raw[1] === "/" || raw[1] === "\\") return fallback; return raw; } function LoginPage() { const [mode, setMode] = useState("login"); const [email, setEmail] = useState(""); const [password, setPassword] = useState(""); const [submitting, setSubmitting] = useState(false); const [error, setError] = useState(null); const [info, setInfo] = useState(null); useEffect(() => { const params = new URLSearchParams(window.location.search); if (params.get("signup") === "1") setMode("signup"); // Already logged in? Skip the form and go. window.ssAuth.client.auth.getSession().then(({ data }) => { if (data.session) { window.location.href = safeNext(params.get("next"), "/collection"); } }); }, []); const goNext = () => { const params = new URLSearchParams(window.location.search); window.location.href = safeNext(params.get("next"), "/collection"); }; const submit = async (e) => { e.preventDefault(); setSubmitting(true); setError(null); setInfo(null); try { if (mode === "login") { const { error: err } = await window.ssAuth.client.auth.signInWithPassword({ email, password }); if (err) throw err; goNext(); } else { const { data, error: err } = await window.ssAuth.client.auth.signUp({ email, password }); if (err) throw err; if (data.session) { // Email confirmation disabled in Supabase project, session is live. // Brand-new accounts with no explicit destination land on the // collection with ?welcome=1, which surfaces the founding-member // lifetime offer once. An explicit ?next (e.g. from a Pro CTA) wins. const params = new URLSearchParams(window.location.search); window.location.href = safeNext(params.get("next"), "/collection?welcome=1"); } else { setInfo("Check your email for a confirmation link, then come back and sign in."); setSubmitting(false); } } } catch (err) { setError(err.message || "Something went wrong. Try again."); setSubmitting(false); } }; const signInWithGoogle = async () => { setSubmitting(true); setError(null); try { const params = new URLSearchParams(window.location.search); const next = safeNext(params.get("next"), "/collection"); const { error: err } = await window.ssAuth.client.auth.signInWithOAuth({ provider: "google", options: { redirectTo: window.location.origin + next, }, }); if (err) throw err; // signInWithOAuth navigates the page; nothing to do post-call. } catch (err) { setError(err.message || "Could not start Google sign-in."); setSubmitting(false); } }; return (
Spellstash

{mode === "login" ? "Sign in" : "Create your stash"}

{mode === "login" ? "Welcome back. Email and password to continue." : "Free to start. 3 containers and 300 cards. No credit card."}

or
{error &&
{error}
} {info &&
{info}
}
{mode === "login" ? ( <>New here? { e.preventDefault(); setMode("signup"); setError(null); setInfo(null); }}>Create an account ) : ( <>Already have an account? { e.preventDefault(); setMode("login"); setError(null); setInfo(null); }}>Sign in )}
$4.99/month when you upgrade. Less than a booster pack.
); } ReactDOM.createRoot(document.getElementById("root")).render();