-
|
Hi I've got my project setup with GitHub OAuth following closely with the express example project. My intention is to use the access token from GitHub to make API calls (to GitHub). My main question is just where should I store this token? Could I simply add a new column to the user table and store it there? |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 2 replies
-
|
I would store it in a separate table and would also store the refresh token to enable a token refresh without an user interaction. But you could also store it in the user table. But make sure you don't expose it and make it public to the client. ( I assume you knew this already. If not, now you know it ;) ) |
Beta Was this translation helpful? Give feedback.
-
|
Thanks, I actually didn't know that. I've seen a few different conflicting recommendations about either storing the token in local storage or in the cookie. |
Beta Was this translation helpful? Give feedback.
-
|
@noxify @dtgreene How do I hook into Lucia to grab the access token? |
Beta Was this translation helpful? Give feedback.
-
|
It really depends on your implementation since Lucia doesn't store them automatically or anything. That's what the answer above was getting at: creating a separate table to store the tokens that you want access to later. This is my really basic setup for Fastify. The tokens come from fastify.get('/login/github/callback', async (request, reply) => {
const { query, headers } = request;
const code = query.code?.toString();
const state = query.state?.toString();
const storedState = parseCookies(headers.cookie ?? '').get(
'github_oauth_state',
);
if (!code || !state || !storedState || state !== storedState) {
return reply.redirect(getLoginRedirect('Invalid state'));
}
try {
const tokens = await github.validateAuthorizationCode(code); // <-- tokens available here
const githubUser = await getGithub(
'https://api.github.com/user',
tokens.accessToken,
);
const existingUser = selectUser.get(githubUser.id);
if (existingUser) {
const session = await lucia.createSession(existingUser.id, {});
const cookie = lucia.createSessionCookie(session.id).serialize();
return reply.header('set-cookie', cookie).redirect('/login-callback');
} else {
const userId = generateId(15);
insertUser.run(userId, githubUser.id, githubUser.login);
const session = await lucia.createSession(userId, {});
const cookie = lucia.createSessionCookie(session.id).serialize();
return reply.header('set-cookie', cookie).redirect('/login-callback');
}
} catch (error) {
return reply.redirect(getLoginRedirect(error));
}
}); |
Beta Was this translation helpful? Give feedback.
I would store it in a separate table and would also store the refresh token to enable a token refresh without an user interaction.
But you could also store it in the user table.
But make sure you don't expose it and make it public to the client. ( I assume you knew this already. If not, now you know it ;) )