
Practice & Assessment

Test your understanding of OAuth 2.0 and Social Login

Multiple Choice Questions (5)

1. What is the purpose of the 'state' parameter in the OAuth 2.0 authorization request?

2. In Passport.js, what does serializeUser store in the session?

3. A user has an existing account with email alice@example.com. They try to log in with Google, and Google returns a profile with the same email but not yet linked. What is the secure default action?

4. Why might profile.emails be empty when using passport-github2, even with the user:email scope?

5. What does req.isAuthenticated() check in a Passport.js application?

Coding Challenges (1)

1. Implement GitHub OAuth login with account linking

Add GitHub OAuth to an Express app using passport-github2. Implement the /auth/github and /auth/github/callback routes. In the strategy callback, implement all three account scenarios: find by githubId (log in), find by email (link account), create new user. Use an in-memory users array as a mock database. Handle the case where GitHub returns no email by setting email to null. Protected route GET /profile should return req.user.

Input: browser-simulated OAuth flow.
Output: session-authenticated user on /profile.
Constraint: no real database — use a module-level array.
Estimated time: 25–30 minutes.

Difficulty: Medium

Mini Project (1)

1. Multi-Provider Social Login App

Build an Express app supporting Google and GitHub OAuth login with full account linking. Users can: sign up via email/password, log in with Google, log in with GitHub, and link or unlink social accounts from a /settings page (GET returns linked providers, DELETE /auth/unlink/:provider removes the provider ID from the user record). The users table must support googleId, githubId, and passwordHash columns, all nullable. If a user has no password set (social-only account), the unlink route must refuse if it is their only login method. Store sessions in express-session with an in-memory store for development.

Difficulty: Hard
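
The lockout rule from the Mini Project brief (refuse to unlink a provider when it is the user's only login method), as an added example that is not part of the original page. The column names googleId, githubId and passwordHash come from the brief; the function names, the result shape and the HTTP status codes are assumptions, and the logic is kept free of Express so it can be called from the DELETE /auth/unlink/:provider handler.

```javascript
// Added example: guard logic for DELETE /auth/unlink/:provider.
// unlinkProvider, loginMethods and the { status, body } shape are hypothetical.
const PROVIDER_FIELDS = { google: 'googleId', github: 'githubId' };

// List every way this user can currently authenticate.
function loginMethods(user) {
  const methods = [];
  if (user.passwordHash != null) methods.push('password');
  for (const [provider, field] of Object.entries(PROVIDER_FIELDS)) {
    if (user[field] != null) methods.push(provider);
  }
  return methods;
}

// Returns { status, body }; mutates the user record only on success.
function unlinkProvider(user, provider) {
  // Allow-list lookup: the raw :provider value is never used as a property
  // name, so inputs like "__proto__" or "passwordHash" are rejected.
  if (!Object.prototype.hasOwnProperty.call(PROVIDER_FIELDS, provider)) {
    return { status: 400, body: { error: 'unknown provider' } };
  }
  const field = PROVIDER_FIELDS[provider];
  if (user[field] == null) {
    return { status: 404, body: { error: 'provider not linked' } };
  }
  // Count what would remain after removal, before changing anything.
  const remaining = loginMethods(user).filter((m) => m !== provider);
  if (remaining.length === 0) {
    return { status: 409, body: { error: 'cannot remove only login method' } };
  }
  user[field] = null;
  return { status: 200, body: { linked: loginMethods(user) } };
}

// Constructed sample records (not from the page).
const socialOnly = { id: 1, passwordHash: null, googleId: 'g-1', githubId: null };
const mixed = { id: 2, passwordHash: '<hash>', googleId: 'g-2', githubId: 'gh-2' };
console.log(unlinkProvider(socialOnly, 'google')); // refused with 409
console.log(unlinkProvider(mixed, 'google'));      // allowed with 200
```

In the route handler, pass req.user and req.params.provider and send the returned status and body.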