Script Valley
JWT & Session Auth: Deep Dive
OAuth 2.0 and Third-Party Auth/Assessment

Practice & Assessment

Test your understanding of OAuth 2.0 and Third-Party Auth

Multiple Choice Questions

1. In OAuth 2.0 authorization code flow, why is a state parameter required?

2. What does passport.serializeUser store in the session, and why should it be minimal?

3. What is the key difference between an OAuth access token and an OIDC ID token?

4. Why is automatically linking OAuth accounts by matching email address a security vulnerability?

5. When should you request additional OAuth scopes beyond email and profile for a new feature?

Coding Challenges

1. Mock OAuth Callback Handler with State Validation (Medium)

Build an Express app that simulates an OAuth callback flow without a real provider. GET /auth/start generates a random, unguessable state string (for example, 32 bytes from crypto.randomBytes), stores it in the session, and returns a mock authorization URL containing that state. GET /auth/callback accepts the query parameters code and state, checks that state matches the value stored in the session, then simulates a token exchange by returning a mock user object { id, email, name }. Treat the stored state as single-use: remove it from the session once it has been checked, so the same callback cannot be replayed. If state is missing or does not match, return 403. If code is missing, return 400. Store the mock user in the session and return it on GET /me. Input: sequential HTTP requests. Output: mock user JSON or error responses. Estimated time: 20-25 minutes.

Mini Project

1. Google OAuth Login with Account Linking Protection (Hard)

Build a complete OAuth integration using Passport.js GoogleStrategy with session backing. Implement: GET /auth/google, which starts the OAuth flow with the openid, email and profile scopes and a state parameter (passport-oauth2's state: true option generates it and stores it in the session for you); GET /auth/google/callback, which validates state and applies safe account-linking logic: look the user up by googleId first, and if there is no match but the email already belongs to a user with a local (password) account, refuse to auto-link and return a descriptive error instead of logging that user in; and POST /auth/link-google, reachable only by already-logged-in users (session auth), which links the Google ID to the caller's existing account, identifying that account from the session rather than from the request body. Store users in an in-memory array with fields id, email, passwordHash (optional) and googleId (optional). Include GET /me returning the current user without sensitive fields such as passwordHash. Handle all error states with appropriate status codes.