Reputation: 38
I am building a node.js server using passport middleware. I'm trying to authenticate my users via Google's oauth2.
The authentication process is as follows:
1. User is redirected to <server>/auth/google, which uses passport's middleware thus:
       passport.authenticate("google", { scope: ["profile", "email"] })
2. The user then receives Google's login page and logs in.
3. Google then redirects the user to <server>/auth/google/callback, which uses passport's middleware thus:
       passport.authenticate("google", { failureRedirect: "/", session: false })
4. In the end, the user is redirected to <client>?token=<token>
I am hosting my project's front-end on Netlify and the back-end on NOW.
Everything works fine when running on localhost, yet when running in production there is an unexpected redirect during step 3, in which the user is redirected to <server>/auth/google/t?token=<long-token-string> instead of the path mentioned.
What is the reason behind this redirect? Any suggestions?
Thanks,
Ofek
Upvotes: 1
Views: 652
Reputation: 38
After reading and debugging passport.js and oauth, I finally found out what was wrong. This was a bug in my code.
I used this in my config file:
    export const CLIENT_ORIGIN =
      process.env.NODE_ENV === "production"
        ? "https://<project-name>.netlify.com"
        : ["http://127.0.0.1:3000", "http://localhost:3000"];
So, when running on localhost, setting callbackURL = CLIENT_ORIGIN[1] in the StrategyOptions made sense, but when running in production CLIENT_ORIGIN received the value "https://<project-name>.netlify.com" (a string instead of an array), therefore CLIENT_ORIGIN[1] returned the character "t". As a result, the callbackURL received the value "t", which caused this unpredicted (and undocumented) redirect.
Upvotes: 1
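The failure described in the answer above, reproduced as an added example that is not part of the original posts: indexing a string config value yields one character, a relative callbackURL then resolves against the request path, and a startup check rejects it. The function names, the host names and the allow-list are assumptions made for illustration, and the resolution step uses the standard WHATWG URL class.

```javascript
// Config shape from the answer: a string in production, an array in development.
// The production host is a constructed placeholder.
function clientOrigin(nodeEnv) {
  return nodeEnv === "production"
    ? "https://project-name.netlify.example"
    : ["http://127.0.0.1:3000", "http://localhost:3000"];
}

// Indexing works on strings and arrays alike, so nothing throws:
// in production the result is the second character of the URL.
function buggyCallback(nodeEnv) {
  return clientOrigin(nodeEnv)[1];
}

// Standard relative-URL resolution: a bare "t" replaces the last path segment.
function resolveAgainst(requestUrl, callbackURL) {
  return new URL(callbackURL, requestUrl).href;
}

// Hypothetical startup check: accept only an absolute http(s) URL whose origin
// is on an explicit allow-list, so a bad value fails at boot, not mid-login.
function validateCallbackURL(value, allowedOrigins) {
  let parsed;
  try {
    parsed = new URL(value); // throws for relative values such as "t"
  } catch {
    throw new Error(`callbackURL is not an absolute URL: ${JSON.stringify(value)}`);
  }
  if (!["http:", "https:"].includes(parsed.protocol)) {
    throw new Error(`callbackURL scheme not allowed: ${parsed.protocol}`);
  }
  if (!allowedOrigins.includes(parsed.origin)) {
    throw new Error(`callbackURL origin not allowed: ${parsed.origin}`);
  }
  return parsed.href;
}

// Normalising the config to an array removes the type difference between environments.
function originList(nodeEnv) {
  return [].concat(clientOrigin(nodeEnv)); // string -> [string], array stays an array
}
```

Running `validateCallbackURL` on the value before it is passed to the strategy options turns the silent production redirect into an immediate configuration error.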