sherlock

Reputation: 627

NodeJS + Passport, retrieving an access token (Spotify API)

I'm learning Node.js, and writing a very simple web app using the Spotify API (creating a playlist).

Specifically, I've been using the passport-spotify package, and used the example provided as a starting point.

I've been able to make normal API calls within the app just fine, because they don't require any user authentication. However, I now need to make a request and provide an access token.

My previous calls have obviously been pretty simple AJAX requests in the public scripts of the app, but now that I require the access token, I've hit a bit of a roadblock.

I've thought of/attempted two methods so far, and they are as follows:

Forgive my lack of knowledge in this area - it's my first time delving into back-end development and OAuth. Retrieving an access token seems like something that should be easy, so maybe I'm going about it all the wrong way.

Thanks for reading!

UPDATE IN CASE ANYONE HAS THE SAME PROBLEM: I solved the problem by creating a global variable for the access token, assigning it when it passes through the app, and then creating a cookie from it in the callback phase - app.get('/callback')... in the example I mentioned above. I can then read the token in my public JavaScript through that cookie.

I should say that I am not sure if this is the best (or safest) method, but it has worked for my purposes. I assume making a global variable for the token isn't good, but I'm not sure.

If anyone sees my solution and notices an issue or better method, I am still interested to hear about that.

Upvotes: 3

Views: 3523

Answers (1)

Neil Devas

Reputation: 23

The callback function for the passport configuration gets called with an access token and a refresh token.

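const passport = require('passport');
const SpotifyStrategy = require('passport-spotify').Strategy;

// client_id, client_secret and the User model are defined elsewhere in the app.
passport.use(
  new SpotifyStrategy(
    {
      clientID: client_id,
      clientSecret: client_secret,
      callbackURL: 'http://localhost:8888/auth/spotify/callback'
    },
    // Verify callback: accessToken and refreshToken are available here.
    function(accessToken, refreshToken, expires_in, profile, done) {
      User.findOrCreate({ spotifyId: profile.id }, function(err, user) {
        return done(err, user);
      });
    }
  )
);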

You can store that access token and refresh token in a database. If your app uses the authorization code flow, you can find or create a User in your database, and store the two tokens inside that user object. Then you can pick off this token and use it in your requests.

I would suggest taking a look at https://github.com/thelinmichael/spotify-web-api-node. This is a wrapper around the Spotify API, where you can pass in your tokens and the wrapper will automatically include your access token as a header on each request you make.

Upvotes: 1
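Added example, not part of the original question or answer: a sketch of storing the tokens per user from the verify callback and attaching the access token on the server, next to what a single global variable does when two users log in. The names `tokenStore`, `verify`, `spotifyRequestFor` and `verifyWithGlobal` are hypothetical, the `Map` stands in for the database, and all ids and token values are constructed.

```javascript
// In-memory stand-in for the database (assumption; use your real User model).
const tokenStore = new Map();

// Same argument order as the passport-spotify verify callback in the answer.
// `now` is injectable only so the expiry logic can be exercised in a test.
function verify(accessToken, refreshToken, expires_in, profile, done, now = Date.now()) {
  tokenStore.set(profile.id, {
    accessToken,
    refreshToken,
    expiresAt: now + expires_in * 1000, // expires_in is given in seconds
  });
  done(null, { spotifyId: profile.id });
}

// Build the outgoing Spotify request on the server for the logged-in user.
// The browser calls your own route; the token itself stays on the backend.
function spotifyRequestFor(userId, path, now = Date.now()) {
  const rec = tokenStore.get(userId);
  if (!rec) return { error: 'not_authenticated' };
  if (now >= rec.expiresAt) return { error: 'token_expired', needsRefresh: true };
  return {
    url: 'https://api.spotify.com' + path,
    headers: { Authorization: 'Bearer ' + rec.accessToken },
  };
}

// Contrast: one module-level variable shared by every session.
let globalToken = null;
function verifyWithGlobal(accessToken, refreshToken, expires_in, profile, done) {
  globalToken = accessToken; // the most recent login overwrites everyone else's
  done(null, { spotifyId: profile.id });
}

// Constructed demo: two users log in one after the other.
function demo() {
  const noop = () => {};
  verify('tok-alice', 'ref-alice', 3600, { id: 'alice' }, noop, 0);
  verify('tok-bob', 'ref-bob', 3600, { id: 'bob' }, noop, 0);
  verifyWithGlobal('tok-alice', 'ref-alice', 3600, { id: 'alice' }, noop);
  verifyWithGlobal('tok-bob', 'ref-bob', 3600, { id: 'bob' }, noop);
  return {
    alice: spotifyRequestFor('alice', '/v1/me', 1000),
    expired: spotifyRequestFor('alice', '/v1/me', 3600 * 1000),
    global: globalToken,
  };
}
```

With the per-user store, each session gets a request carrying its own token; with the global, a request made on behalf of the first user after the second login would carry the second user's token.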
