This is an Express route from the Satellizer example (AngularJS), implementing three-legged OAuth with Twitter:
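/*
 |--------------------------------------------------------------------------
 | Login with Twitter
 |--------------------------------------------------------------------------
 |
 | Three-legged OAuth 1.0a against Twitter, served by one route in two hits:
 |   - without oauth_token/oauth_verifier in the query: steps 1-2 (obtain a
 |     request token, redirect to Twitter's authorize screen);
 |   - with them: steps 3-4 (exchange for an access token, then either link
 |     the Twitter id to the signed-in user or find/create a user by Twitter
 |     id) and answer with a JWT.
 |
 | Every Twitter and database callback checks its error before using the
 | result. Previously a failed exchange left profile.user_id undefined and
 | that value was still used as the User lookup key.
 */

// Twitter OAuth 1.0a endpoints used by the /auth/twitter route.
var twitterRequestTokenUrl = 'https://api.twitter.com/oauth/request_token';
var twitterAccessTokenUrl = 'https://api.twitter.com/oauth/access_token';
var twitterAuthenticateUrl = 'https://api.twitter.com/oauth/authenticate';

/**
 * Steps 1-2: obtain a request token and redirect the browser to Twitter's
 * authorization screen.
 *
 * The request-token secret Twitter returns next to oauth_token is not kept
 * anywhere: this route holds no server-side state between the redirect and
 * the callback, so step 3 has nothing to sign with as token_secret.
 *
 * @param {Object} res - Express response; redirected on success, 502 when
 *   Twitter cannot be reached or returns no token.
 */
function twitterRequestToken(res) {
  var requestTokenOauth = {
    consumer_key: config.TWITTER_KEY,
    consumer_secret: config.TWITTER_SECRET,
    callback: config.TWITTER_CALLBACK
  };
  // Step 1. Obtain request token for the authorization popup.
  request.post({ url: twitterRequestTokenUrl, oauth: requestTokenOauth }, function(err, response, body) {
    // A transport error or a non-200 reply leaves body empty or an error
    // string; without this check the redirect carried oauth_token=undefined.
    if (err || response.statusCode !== 200) {
      return res.status(502).send({ message: 'Could not obtain a Twitter request token' });
    }
    var oauthToken = qs.parse(body);
    if (!oauthToken.oauth_token) {
      return res.status(502).send({ message: 'Twitter did not return a request token' });
    }
    var params = qs.stringify({ oauth_token: oauthToken.oauth_token });
    // Step 2. Redirect to the authorization screen.
    res.redirect(twitterAuthenticateUrl + '?' + params);
  });
}

/**
 * Step 3: exchange the oauth_token / oauth_verifier Twitter sent back for an
 * access token and the Twitter profile, then hand off to step 4a or 4b.
 *
 * The signature omits token_secret (the request-token secret) because it was
 * never stored in step 1. Whether Twitter accepts the exchange without it is
 * not something this code verifies; if token_secret is to be supplied it has
 * to be persisted across the redirect (e.g. in a server-side session).
 *
 * @param {Object} req - Express request carrying oauth_token and
 *   oauth_verifier in the query and, optionally, an Authorization header.
 * @param {Object} res - Express response.
 */
function twitterAccessToken(req, res) {
  var accessTokenOauth = {
    consumer_key: config.TWITTER_KEY,
    consumer_secret: config.TWITTER_SECRET,
    token: req.query.oauth_token,
    verifier: req.query.oauth_verifier
  };
  request.post({ url: twitterAccessTokenUrl, oauth: accessTokenOauth }, function(err, response, body) {
    if (err || response.statusCode !== 200) {
      return res.status(502).send({ message: 'Could not exchange the Twitter verifier for an access token' });
    }
    var profile = qs.parse(body);
    // Without a user_id the User lookups below would be keyed on undefined,
    // which must not be allowed to select a record; refuse instead.
    if (!profile.user_id) {
      return res.status(502).send({ message: 'Twitter did not return a user id' });
    }
    if (req.headers.authorization) {
      linkTwitterAccount(req, res, profile);
    } else {
      findOrCreateTwitterUser(res, profile);
    }
  });
}

/**
 * Step 4a: the caller is already signed in (Bearer JWT in the Authorization
 * header); attach the Twitter id to that user.
 *
 * Responds 409 if any user already has this Twitter id, 401 if the JWT is
 * missing or cannot be decoded, 400 if the JWT's subject no longer exists,
 * 500 on a database error, otherwise { token } for the updated user.
 *
 * @param {Object} req - Express request with an Authorization header.
 * @param {Object} res - Express response.
 * @param {Object} profile - Parsed Twitter access-token reply (user_id,
 *   screen_name).
 */
function linkTwitterAccount(req, res, profile) {
  User.findOne({ twitter: profile.user_id }, function(err, existingUser) {
    if (err) {
      return res.status(500).send({ message: 'Database error' });
    }
    if (existingUser) {
      return res.status(409).send({ message: 'There is already a Twitter account that belongs to you' });
    }
    // Header shape is "Bearer <jwt>"; a bare header would otherwise hand
    // undefined to jwt.decode.
    var token = req.headers.authorization.split(' ')[1];
    if (!token) {
      return res.status(401).send({ message: 'Missing authorization token' });
    }
    var payload;
    try {
      // jwt.decode throws on a token it cannot decode; uncaught inside this
      // callback that would take the process down instead of answering 401.
      payload = jwt.decode(token, config.TOKEN_SECRET);
    } catch (e) {
      return res.status(401).send({ message: 'Invalid authorization token' });
    }
    User.findById(payload.sub, function(err, user) {
      if (err) {
        return res.status(500).send({ message: 'Database error' });
      }
      if (!user) {
        return res.status(400).send({ message: 'User not found' });
      }
      user.twitter = profile.user_id;
      // Keep an existing display name; only fill it from Twitter when unset.
      user.displayName = user.displayName || profile.screen_name;
      user.save(function(err) {
        if (err) {
          return res.status(500).send({ message: 'Database error' });
        }
        res.send({ token: createToken(user) });
      });
    });
  });
}

/**
 * Step 4b: nobody is signed in; return a JWT for the user with this Twitter
 * id, creating that user first when none exists.
 *
 * @param {Object} res - Express response.
 * @param {Object} profile - Parsed Twitter access-token reply (user_id,
 *   screen_name).
 */
function findOrCreateTwitterUser(res, profile) {
  User.findOne({ twitter: profile.user_id }, function(err, existingUser) {
    if (err) {
      return res.status(500).send({ message: 'Database error' });
    }
    if (existingUser) {
      return res.send({ token: createToken(existingUser) });
    }
    var user = new User();
    user.twitter = profile.user_id;
    user.displayName = profile.screen_name;
    user.save(function(err) {
      if (err) {
        return res.status(500).send({ message: 'Database error' });
      }
      res.send({ token: createToken(user) });
    });
  });
}

app.get('/auth/twitter', function(req, res) {
  // Twitter sends the browser back with oauth_token and oauth_verifier; their
  // absence means this is the initial hit from the login popup.
  if (!req.query.oauth_token || !req.query.oauth_verifier) {
    twitterRequestToken(res);
  } else {
    twitterAccessToken(req, res);
  }
});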
Problem: Step 3:
// Step 3 as written in the Satellizer example: the OAuth signature is built
// from the consumer secret plus the token and verifier from the query. The
// request-token secret returned in step 1 is not available here because
// nothing persisted it across the redirect, which is why the `token_secret`
// that the node-request documentation shows for step 3 is absent.
var accessTokenOauth = {
  consumer_key: config.TWITTER_KEY,
  consumer_secret: config.TWITTER_SECRET,
  token: req.query.oauth_token,
  verifier: req.query.oauth_verifier
};
// Step 3. Exchange oauth token and oauth verifier for access token.
request.post({ url: accessTokenUrl, oauth: accessTokenOauth });
The node `request` documentation describes step 3 as:
The difference is that the Satellizer example does not pass `token_secret`, but it should. So is this a mistake, or what am I missing?
The real problem for me is that a three-legged Twitter login flow actually requires a session on the server side, but the Satellizer example does not use any sessions. So I was wondering how this is possible without sessions: either it is not possible and the Satellizer example is wrong, or I don't understand something.