Passportjs Facebook login flow (passport-facebook vs passport-token)

深忆病人 2021-01-30 23:57

Working with Node, Express, and Passport.

Okay, so my team and I are building a REST API for a dual-sided marketplace type application. We have already set up a basic Lo

2 Answers
  • 2021-01-31 00:29

    The client-side Facebook redirects are inconvenient when using native iOS and Android Facebook SDKs, as they sometimes redirect to the user-installed Facebook app instead. Hence, if you would like a really generic API, then you should go with passport-facebook-token.

  • 2021-01-31 00:42

    Q: Verify if the 2 flows shown are correct.

    Yes, they are correct.


    Q: I have a list of APIs. How can I protect them with passport-facebook strategy?

    You have several options:

    1. Validate the Facebook token

    • Server returns the Facebook token along with the user information
    • Client sends Facebook token each time it calls an API
    • Server validates the Facebook token

    More information about how to validate Facebook token here.

    2. Using JSON Web Token (JWT)

    • Server returns a JWT after retrieving the Facebook user information
    • Client sends JWT each time it calls an API
    • Server validates the JWT

    This way, the server does not have to send the request to Facebook to validate the Facebook token. More information here.


    Q: If I'm using passport-facebook-token, how do I tell user to go and log in on Facebook?

    Your /api/auth/facebook only accepts a Facebook token and returns the corresponding HTTP code. Thus, asking the user to go and log in to Facebook is the job of the client.

    More information about how to create a Facebook login manually here.
