I'm using passport-google-oauth20 as the sole form of authentication for my app. Everything seems fine, and I'm able to authenticate a user and store him in the db with the verify callback Passport provides.

In this app, I will only use google to authenticate the user and check if he exists or not in the db. I won't be making more requests to google, or grabbing more information from google.

I notice there's a lot of magic that happens behind Passport's callback function. I have a vague understanding of how serializeUser and deserializeUser work, but I'm not sure when they're necessary.

The callback function that Passport provides sets a JWT in localStorage, so do I still need to serialize a user even if I set the option { session: false } on the redirect?

Here's some code to clear things up:

const passport = require('passport');
const GoogleStrategy = require('passport-google-oauth20').Strategy;

passport.use(
    new GoogleStrategy({
        clientID: process.env.CLIENT_ID,
        clientSecret: process.env.CLIENT_SECRET,
        callbackURL: 'http://localhost:3000/auth/google/redirect'
    },
    (accessToken, refreshToken, profile, done) => {
        // console.log('TCL: profile', profile); -> Gives profile info
        // console.log('TCL: refreshToken', refreshToken); -> Null
        // console.log('TCL: accessToken', accessToken);
        // Passing the profile to done() makes Passport set req.user for this request
        done(null, profile);
    })
);

Here are the routes:

const express = require('express');
const app = express();

app.use(passport.initialize());

// Step 1: send the user to Google's consent screen
app.get(
    '/auth/google',
    passport.authenticate('google', { scope: ['profile', 'email'] })
);

// Step 2: Google redirects back here; session: false means no session is created
app.get(
    '/auth/google/redirect',
    passport.authenticate('google', { session: false }),
    (req, res) => {
        console.log(req.user);
        res.redirect('/');
    }
);

app.listen(3000);

I'm able to get the profile and all the information I need. Do I still need to serialize the user?

0 Answers