GitHub OAuth Apps let users log in to your app using their GitHub account. You can also take actions on behalf of users using the GitHub API, like posting comments or closing pull requests. In this article, I’ll explain how to support GitHub login using Node.js and Express, and how to use the GitHub API once you’ve got an access token for the user.

Supporting GitHub Login

Most tutorials use Passport, but Passport is usually unnecessary. This tutorial will use vanilla Express, with no dedicated OAuth frameworks.

The web OAuth 2.0 login flow has 3 steps:

  1. Your app client redirects to GitHub with your app’s id and a URL to redirect the user to when they successfully authorize your app.
  2. The dialog redirects back to your app client’s domain with an auth code in the query string. An auth code is a short-lived code that you can exchange for a long-lived access token.
  3. Your app pulls the code parameter from the query string, and makes a POST request to GitHub with the auth code. GitHub verifies the auth code and sends back an access token your app can use for authorization going forward. Your app is responsible for storing the access token.

When implementing Passport-free OAuth login, you need 3 routes:

  1. A route that displays a UI which can redirect to GitHub to log in.
  2. A route that exchanges an auth code for an access token and stores the access token.
  3. A route that does something with the access token.

First, you need to create a GitHub OAuth App. Go to your Developer Settings page and click “New OAuth App.” Make sure you create a new OAuth App, not a new GitHub App.
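The helpers below are an added example, not code from the original article: they build the redirect for the first route and validate the callback for the second, returning the token-exchange POST for the caller to send with any HTTP client. They go one step beyond the flow described above by adding the OAuth `state` parameter, which ties the callback to the session that started the login. The function names and the idea of keeping `state` in a server-side session are assumptions of this example.

```javascript
// Added example: framework-agnostic helpers for the login and callback routes.
const crypto = require('node:crypto');

const AUTHORIZE_URL = 'https://github.com/login/oauth/authorize';
const TOKEN_URL = 'https://github.com/login/oauth/access_token';

// Route 1: build the redirect to GitHub. The caller must store the returned
// `state` server-side (assumed: the user's session) before redirecting.
function buildAuthorizeRedirect({ clientId, redirectUri, scope = '' }) {
  const state = crypto.randomBytes(16).toString('hex');
  const url = new URL(AUTHORIZE_URL);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  if (scope) url.searchParams.set('scope', scope);
  url.searchParams.set('state', state);
  return { url: url.toString(), state };
}

// Constant-time comparison; also rejects arrays, which Express produces
// when a query parameter is repeated (?state=a&state=b).
function stateMatches(expected, received) {
  if (typeof expected !== 'string' || typeof received !== 'string') return false;
  const a = Buffer.from(expected);
  const b = Buffer.from(received);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Route 2: validate the callback query, then describe the POST that exchanges
// the auth code for an access token. Throws instead of sending a bad request.
function buildTokenExchange(query, sessionState, { clientId, clientSecret, redirectUri }) {
  if (!stateMatches(sessionState, query.state)) throw new Error('state mismatch');
  if (typeof query.code !== 'string' || query.code === '') throw new Error('missing code');
  const body = new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret, // server-side only; never sent to the browser
    code: query.code,
    redirect_uri: redirectUri,
  });
  return {
    url: TOKEN_URL,
    method: 'POST',
    headers: { Accept: 'application/json' }, // ask GitHub for a JSON response
    body: body.toString(),
  };
}
```

In an Express handler, `query` is `req.query` and `sessionState` is the value saved when the login route issued the redirect; clear it after one use so a callback URL cannot be replayed.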
