stevaidis/dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update OAuth2-Backend-Approach.md

Browse Source
This commit is contained in:
Ste Vaidis 2025-01-08 09:42:23 +02:00
parent 2df04f4cde
commit 56fa9943b4
1 changed files with 13 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
OAuth2-Backend-Approach.md
View File

@ -25,15 +25,15 @@ A way for the `user` to tell `google` to give an access to `myapp` app
2. Exchange Code with Token
1. Backend **POST** the `code` to Google `https://oauth2.googleapis.com/token`
2. Google **response** to Backend with an `access_token` and a `refresh token`
3. Backend **redirect** to Frontend `https://myapp/auth/success` with the `access_token` in a `cookie`
2. Google **Response** to Backend with an `access_token` and a `refresh token`
3. Backend **Redirect** to Frontend `https://myapp/auth/success` with the `access_token` in a `cookie`
3. Use Token
1. Frontend **GET** profile data from Backend `https://myapp/api/auth/profile` using the `cookie`
2. Backend **GET** profile data from Google `https://www.googleapis.com/oauth2/v3/userinfo` using the `access_token` from Frontend `cookie`
3. Google **response** to Backend with profile data
4. Backend **response** to Frontend with profile data
2. Backend **GET** profile data from Google `https://www.googleapis.com/oauth2/v3/userinfo` using the `access_token`
3. Google **Response** to Backend with profile data
4. Backend **Response** to Frontend with profile data
<br><br><br>
@ -132,7 +132,7 @@ Set-Cookie: access_token=ya29.a0AfH6SMC8Op6zkVX-VoA; HttpOnly; Secure; Max-Age=3
<p>1. Recieves authorization code from Google</p><br>
<p>2. POST send the authorization code to https://oauth2.googleapis.com/token</p><br>
<p>3. POST response the access & refresh tokens</p><br>
<p>4. Respond the Fronend initial request with a cookie contains the access token</p><br>
<p>4. Redirect to Fronend success page with a cookie contains the access token</p><br>
</summary>
@ -144,7 +144,7 @@ app.get('/callback', async (req, res) => {
// 1. Get the authorization code from Google's redirect
const { code } = req.query;
// 2. Exchange the code for tokens
// 2. POST the authorization code to Google
const tokenResponse = await fetch('https://oauth2.googleapis.com/token', {
method: 'POST',
headers: {
@ -159,21 +159,18 @@ app.get('/callback', async (req, res) => {
}),
});
// 3. Get Response tokens from Google
const { access_token, refresh_token } = await tokenResponse.json();
// 3. Set the HTTP-only cookie with the access token
// 4. Redirect to Fronend success page with a cookie contains the access token
res.cookie('access', access_token, {
httpOnly: true, // Cannot be accessed by client-side JavaScript
secure: true, // Only sent over HTTPS
sameSite: 'strict', // CSRF protection
httpOnly: true, // Cannot be accessed by client-side JavaScript
secure: true, // Only sent over HTTPS
sameSite: 'strict', // CSRF protection
maxAge: 24 * 60 * 60 * 1000, // 24 hours
});
// 4. Store refresh token securely in database (recommended)
// await db.storeRefreshToken(user_id, refresh_token);
// 5. Redirect back to frontend
res.redirect('https://myapp/authentication-success');
} catch (error) {
res.redirect('https://myapp/authentication-error');
}