Hi Jaredhanson,
I'm a newbie to API development. I just notice that as memtions in the guide, an authenticate is needed with { session: false } specified in each endpoint. That means a call to passport.authenticate is needed on each request.
I know APIs don't use cookie-based session. I'm confused that, why not just implements a session middleware that use the bearer token instead of generating a cookie sid?
Thanks
@xingrz you mean like passport-http-bearer?
@nadeeshacabral yes.
I'm developing an API service. Without req.session I have to store those session data in a database. Is there a better solution?
@xingrz You can use a bearer strategy as app-level middleware if you know all endpoints are authenticated:
app.use(passport.authenticate('bearer', { session: false });
Sessions are entirely optional, and if you don't app.use(express.session()), then no cookie sid will be generated.
@jaredhanson thanks
Sorry that my English may be somewhat poor, I think I hadn't expressed my trouble clearly.
Currently, if I want to temporarily store some session-level data, I had to store it into a database, because there's no req.session for me.
Imagine that If there's something like app.use(BearerStrategy.session({ store: new RedisStore() }) as a replacement to express.session() for restful APIs, and req.session available.
No, that's not going to be implemented. If you truly need session storage, use session middleware. There's no reason to duplicate that functionality in an authentication strategy.
Most helpful comment
No, that's not going to be implemented. If you truly need session storage, use session middleware. There's no reason to duplicate that functionality in an authentication strategy.