Checking the URL to ensure the file is being viewed from my page

The more you do on the server the better. But you still have the problem of verifying that requests are coming from your client on your domain and not your client (or a hacked version of your client) on someone else’s domain. Like you said, the hacker could make an account (if they’re easy to make) and bake those credentials into their version of your app and have it log in automatically with those when people go to the hacker’s site. There are also cases where a hacker can actually load your website into an iframe in their website, exposing only what they want to, making it look like your app (or a part of it) is running on their site. The link you posted has protections for this as well, but it’s another thing to consider.

But I really don’t know much about what you can do about that particular kind of situation (logins). I’ve never had to deal with it myself, and anything else I could add would just be me googling it :wink:
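The two server-side checks touched on in the post above (comparing the request's origin against your own domain, and refusing to be loaded in another site's iframe), as an added illustration that is not the poster's code or the code from the linked page. The `ALLOWED_ORIGINS` set and the header dictionaries are constructed for this example, and the origin check is the usual Origin/Referer allowlist rather than anything the thread prescribes.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the origins your own client is actually served from.
ALLOWED_ORIGINS = {"https://app.example.com", "https://example.com"}


def normalize_origin(url):
    """Reduce a URL to its origin (scheme://host[:port]); default ports are dropped."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None  # e.g. "Origin: null" or a bare path
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    default_port = {"https": 443, "http": 80}.get(scheme)
    if parts.port is None or parts.port == default_port:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{parts.port}"


def request_origin_allowed(headers, allowed=ALLOWED_ORIGINS):
    """True only if the Origin (or, failing that, Referer) header names an allowed origin.

    The whole origin is compared, never a substring, so a copy of your app hosted at
    "https://app.example.com.attacker.net" does not pass. Requests carrying neither
    header are rejected, which is the safe default for state-changing endpoints.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    candidate = lowered.get("origin") or lowered.get("referer")
    if not candidate:
        return False
    origin = normalize_origin(candidate)
    return origin is not None and origin in allowed


def anti_framing_headers():
    """Response headers that stop other sites from embedding this page in an iframe.

    X-Frame-Options covers older browsers; CSP frame-ancestors is the current mechanism.
    """
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }
```

Note that, as the post says, this only tells you the browser reported your origin; a rebuilt client with baked-in credentials still logs in as that account, so the check limits cross-site abuse rather than replacing per-user authentication.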