Practice & Assessment
Test your understanding of OAuth 2.0 and Third-Party Auth
Multiple Choice Questions
In OAuth 2.0 authorization code flow, why is a state parameter required?
What does passport.serializeUser store in the session, and why should it be minimal?
What is the key difference between an OAuth access token and an OIDC ID token?
Why is automatically linking OAuth accounts by matching email address a security vulnerability?
When should you request additional OAuth scopes beyond email and profile for a new feature?
Coding Challenges
Mock OAuth Callback Handler with State Validation
Build an Express app that simulates an OAuth callback flow without an actual provider. GET /auth/start generates a random state string, stores it in the session, and returns a mock authorization URL containing that state. GET /auth/callback accepts query params code and state, validates state matches what is in the session, then simulates a token exchange by returning a mock user object { id, email, name }. If state does not match, return 403. If code is missing, return 400. Store the mock user in the session and return it on GET /me. Input: sequential HTTP requests. Output: mock user JSON or error responses. Estimated time: 20-25 minutes.
Mini Project
Google OAuth Login with Account Linking Protection
Build a complete OAuth integration using Passport.js GoogleStrategy with session backing. Implement: GET /auth/google initiating the OAuth flow with openid email profile scopes and a state parameter, GET /auth/google/callback with state validation and safe account linking logic (reject auto-link if email already exists with local account, returning a descriptive error), POST /auth/link-google route that is accessible only to already-logged-in users (session auth) and links their Google ID to the existing account. Store users in an in-memory array with fields: id, email, passwordHash (optional), googleId (optional). Include GET /me returning current user without sensitive fields. Handle all error states with appropriate status codes.
