I mean this:
this.state = {
username: '',
password: '',
}
Is it safe to do that for the login form?
It depends. Its important that the password never leaves the client (or only encrypted or better hashed).
Also it should not stay on the client for too long. The app might be used in a shared location where multiple users login and logout. If the component that holds this state is not unmounted between session, the next user might be able to get the old state.
So I need to clear the state when the component is unmounted? Should I do that in componentWillUnmount?
No. You do that as soon as the login attempt has been successfully made (and on componentWillUnmount otherwise)
Why do you need to store password in state in the first place? Just get it from the form and immediately pass it to the login/registration call in the same method.
Why not? It’s not as if the string isn’t readable as cleartext anyway.
The recommended way to handle input in react is to store it in the state?
Anyway, as long as the input box is shown on the screen, the user can retrieve it through the development tools in the browser, so I don’t see how storing the password in the component can make it more risky.