panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

Safe to reuse Client instance? #252

Closed fiznool closed 4 years ago

fiznool commented 4 years ago

I'm building a system which needs to carry out actions via the Facebook Graph API on behalf of a user.

I was planning on reusing a Client instance inside an express route handler, which could be hit by any user. Is this safe, or should I create a new Client instance per request? (By 'safe', I am wondering if instance variables are altered in a Client instance that might affect future requests).

In other words, should I do this:

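```js
const express = require('express');
const { Issuer } = require('openid-client');

const app = express();

// Client classes come from an Issuer; the issuer metadata below is a placeholder.
const { Client } = new Issuer({
  issuer: 'https://op.example.com',
  authorization_endpoint: 'https://op.example.com/auth'
});

// One Client instance, created once and shared by every request
const client = new Client({ client_id: 'foo' /* ...etc */ });

app.get('/', (req, res) => {
  const redirectUrl = client.authorizationUrl({
    scope: 'blah'
  });

  res.redirect(redirectUrl);
});
```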

Or this?

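```js
const express = require('express');
const { Issuer } = require('openid-client');

const app = express();

// Client classes come from an Issuer; the issuer metadata below is a placeholder.
const { Client } = new Issuer({
  issuer: 'https://op.example.com',
  authorization_endpoint: 'https://op.example.com/auth'
});

app.get('/', (req, res) => {
  // A new Client instance for each incoming request
  const client = new Client({ client_id: 'foo' /* ...etc */ });
  const redirectUrl = client.authorizationUrl({
    scope: 'blah'
  });

  res.redirect(redirectUrl);
});
```

panva commented 4 years ago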

There's no state in a Client instance that would change over time; you should use the same instance.
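
An added example, not part of the thread and not openid-client's own code: a dependency-free sketch of the pattern the answer recommends, with one shared client whose configuration never changes while the per-user `state` value lives in each user's session. `SharedClient`, `beginLogin`, `checkCallback`, the `session` objects and all URLs are hypothetical stand-ins.

```javascript
const crypto = require('crypto');

// Stand-in for a shared OAuth client (hypothetical class, not openid-client's Client).
// Its configuration is frozen, so no request can alter what another request sees.
class SharedClient {
  constructor(metadata) {
    this.metadata = Object.freeze({ ...metadata });
  }

  // Pure function of the frozen metadata and the caller's parameters.
  authorizationUrl(params) {
    const url = new URL(this.metadata.authorization_endpoint);
    const query = {
      client_id: this.metadata.client_id,
      redirect_uri: this.metadata.redirect_uri,
      response_type: 'code',
      ...params,
    };
    for (const [k, v] of Object.entries(query)) url.searchParams.set(k, v);
    return url.href;
  }
}

// One instance for the whole process (constructed placeholder values).
const client = new SharedClient({
  client_id: 'foo',
  authorization_endpoint: 'https://op.example.com/auth',
  redirect_uri: 'https://app.example.com/cb',
});

// Per-user values are generated per request and kept in that user's session.
function beginLogin(session) {
  session.oauthState = crypto.randomBytes(32).toString('hex');
  return client.authorizationUrl({ scope: 'blah', state: session.oauthState });
}

// The callback is accepted only if it carries the state stored in the same session.
function checkCallback(session, query) {
  const expected = session.oauthState;
  delete session.oauthState; // single use: a replayed callback finds nothing to match
  if (typeof expected !== 'string' || typeof query.state !== 'string') return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(query.state);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}
```

In an express app, `session` would be the per-user session object (for example `req.session`); nothing user-specific is ever written to `client`.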