jaredhanson / passport-facebook

Facebook authentication strategy for Passport and Node.js.
https://www.passportjs.org/packages/passport-facebook/?utm_source=github&utm_medium=referral&utm_campaign=passport-facebook&utm_content=about
MIT License
1.29k stars 447 forks

Documentation request - best/good practice for saving accessToken #225

Closed mrjohnskelton closed 6 years ago

mrjohnskelton commented 6 years ago

I've also raised this question regarding accessToken on Stack Overflow - hoping for some help.

I am trying to figure out how to make further calls to the Facebook Graph API using the accessToken provided to function(accessToken, refreshToken, profile, cb) { by the second phase of authentication.

(* - My design assumptions are that the accessToken:

I can't find any documentation to suggest the best way of doing this*. Please could the README.md be enhanced to include a best/good practice example of saving and then retrieving the accessToken.

mrjohnskelton commented 6 years ago

OK, I am indebted to (https://benbiddington.wordpress.com/2010/04/23/facebook-graph-api-getting-access-tokens/) for the insight I must have missed in other documentation.

An access_token value is created by the passport framework and put on the session, accessible (in Angular) by either $cookies or Auth.getToken(). This token is a session token, and so lacks user identification. So, the type of graph request I was trying, https://graph.facebook.com/v2.11/me/friends..., wasn't working because nothing I was passing was identifying who 'me' is. Changing the graph url request to https://graph.facebook.com/v2.11/{fbId}/friends works with the token available from passport (where fbId can also be gotten from the user object generally available in the frameworks).

Any chance of a suitable tweak to the README.md to explain/example the above? I'll have a go at doing it myself, but I'm not sure I trust my git skills!

danielnjoo commented 6 years ago

Hey, do you have any examples of what you did? I'm trying to make Graph API calls in Node.js, but am not sure how to authenticate them having already authenticated using passport.

Currently what I'm doing is using the FB JS-SDK, and setting the access token inside the passport strategy instantiation:

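// Imports for passport and the strategy; FB is the Facebook SDK object the
// comment refers to, whose import was not shown.
const passport = require('passport');
const Strategy = require('passport-facebook').Strategy;

passport.use(new Strategy({
    clientID: process.env.CLIENT_ID,
    clientSecret: process.env.CLIENT_SECRET,
    callbackURL: '_______',
    profileFields: ['id', 'displayName', 'emails', 'name'],
    enableProof: true
  },
  // Verify callback: hands the token to the FB SDK, then passes the profile to Passport.
  function(accessToken, refreshToken, profile, cb) {
    FB.setAccessToken(accessToken);
    return cb(null, profile);
  }));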
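
One way to save the accessToken per user and retrieve it for later Graph API calls, as an added example that is not code from this thread or from passport-facebook: the verify callback stores the token server-side, encrypted and keyed by profile id, instead of on a shared SDK object, and a helper builds the request URL with the `appsecret_proof` parameter. The names `tokenStore`, `seal`, `unseal`, `verify`, `appSecretProof` and `graphUrl` are hypothetical, and the in-memory Map and random key are stand-ins for a database and a managed secret.

```javascript
const crypto = require('crypto');

// Constructed key for this example; a deployment would load it from a secret store.
const TOKEN_KEY = crypto.randomBytes(32);
// In-memory stand-in (hypothetical) for a database table keyed by Facebook profile id.
const tokenStore = new Map();

// Encrypt a token for storage with AES-256-GCM: iv (12) | tag (16) | ciphertext.
function seal(token) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', TOKEN_KEY, iv);
  const body = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
}

function unseal(blob) {
  const raw = Buffer.from(blob, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', TOKEN_KEY, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  const body = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return body.toString('utf8');
}

// Verify callback with the signature shown on this page. The token is stored
// server-side per user; only id and displayName are handed on to Passport.
function verify(accessToken, refreshToken, profile, cb) {
  tokenStore.set(profile.id, seal(accessToken));
  return cb(null, { id: profile.id, displayName: profile.displayName });
}

// appsecret_proof: hex HMAC-SHA256 of the access token, keyed with the app secret.
function appSecretProof(accessToken, appSecret) {
  return crypto.createHmac('sha256', appSecret).update(accessToken).digest('hex');
}

// Build a Graph API URL for one user, e.g. graphUrl(req.user.id, 'me/friends', secret).
// The URL carries the token, so keep it out of logs and error messages.
function graphUrl(userId, path, appSecret) {
  const sealed = tokenStore.get(userId);
  if (!sealed) throw new Error('no stored token for this user');
  const token = unseal(sealed);
  const url = new URL('https://graph.facebook.com/v2.11/' + path);
  url.searchParams.set('access_token', token);
  url.searchParams.set('appsecret_proof', appSecretProof(token, appSecret));
  return url.toString();
}
```

In an Express route the user id would come from `req.user.id` after Passport has deserialized the session, and `verify` would be passed as the second argument to `new Strategy(...)`.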