simov / grant

OAuth Proxy
MIT License

"Error: Grant: mount session middleware first" when using state transport #261

Closed jordanbtucker closed 2 years ago

jordanbtucker commented 2 years ago

I'm getting the following error when using the state transport.

Error: Grant: mount session middleware first

I'm specifically using the state transport to avoid using a session provider. Why is grant requiring session middleware?

Here's a minimal reproducible example.

```js
const express = require('express')
const grant = require('grant').express()

express()
  .use(
    grant({
      defaults: {
        origin: 'http://localhost:3000',
        transport: 'state',
      },
    }),
  )
  .get('/', (req, res) => {
    res.send('<a href="/connect/twitter">Sign In with Twitter</a>')
  })
  .listen(3000)
```

simov commented 2 years ago

As stated in the docs, a session middleware is required. This is a mechanism built into the browser to persist state using cookies. It is needed because the user is being redirected outside of your web page and into the third-party one.

The transport key is about transporting the response data back to you; that's outside of the OAuth flow, which requires a session anyway.

Note that the cookie is being used only during the OAuth flow; you can remove it after that and use some other mechanism to store the user's credentials and session.
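
The setup the answer above describes, as an added example that is not part of the thread and is not Grant's own code: express-session is mounted before Grant, the cookie is scoped to the OAuth round trip, and the session is dropped once the result arrives. It assumes Grant's state transport exposes the result on `res.locals.grant.response` in Express; the cookie name, the environment variable names and the helper names are hypothetical.

```js
// Added example. Assumed names: SESSION_SECRET, TWITTER_KEY, TWITTER_SECRET, 'oauth.sid'.
const COOKIE_NAME = 'oauth.sid'

// express-session options for a cookie that only has to survive the OAuth redirect.
function oauthSessionOptions({secret, production = false} = {}) {
  if (!secret) throw new Error('a session secret is required')
  return {
    name: COOKIE_NAME,
    secret,
    resave: false,
    saveUninitialized: false, // no cookie until a flow actually stores state
    cookie: {
      httpOnly: true,         // not readable from page scripts
      secure: production,     // HTTPS only in production; localhost uses plain HTTP
      sameSite: 'lax',        // 'strict' would be withheld on the redirect back from the provider
      maxAge: 10 * 60 * 1000, // ten minutes is enough for one sign-in
    },
  }
}

// Modules are loaded lazily so the options helper can be used on its own.
function createApp(env = process.env) {
  const express = require('express')
  const session = require('express-session')
  const grant = require('grant').express()
  const production = env.NODE_ENV === 'production'

  return express()
    .use(session(oauthSessionOptions({secret: env.SESSION_SECRET, production})))
    .use(grant({
      defaults: {origin: 'http://localhost:3000', transport: 'state'},
      twitter: {key: env.TWITTER_KEY, secret: env.TWITTER_SECRET},
    }))
    .use((req, res, next) => {
      const result = res.locals.grant && res.locals.grant.response
      if (!result) return next() // not the end of an OAuth flow
      // Hand `result` to your own credential store here, then drop the flow cookie.
      req.session.destroy(() => {
        res.clearCookie(COOKIE_NAME)
        res.json({signedIn: !result.error}) // do not echo tokens to the browser
      })
    })
    .get('/', (req, res) => {
      res.send('<a href="/connect/twitter">Sign In with Twitter</a>')
    })
}
```

Start it with `createApp().listen(3000)` after installing `express`, `express-session` and `grant`.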