01-21-2016 12:31
Hey guys,
I got a Charge HR for Christmas and am now developing a small analytics app.
Server side is Node.js / Express / MongoDB while the client side is mainly Angular (single page app).
Authentication is completely stateless and works by including tokens in the request headers.
I am using this plugin to handle fitbit+oauth2 for me: https://github.com/peebles/fitbit-oauth2 and implemented the following workflow:
1. User creates an account at my app in the signup form
2. My API returns the login token and the Fitbit auth URL
3. My app redirects the user with window.location to the fitbit auth url
4. User grants access
5. Redirect to callback URL
But there is the problem: how do I know which user called the callback?

app.get('/fitbit_callback', function(req, res, next) {
  console.log(req); // debugging only: dumps the whole request, headers included
  var code = req.query.code; // authorization code sent back by Fitbit
  fitbit.fetchToken(code, function(err, token) {
    if (err) return next(err);
    //Persist the token in the proper user... how???
  });
});
I appreciate your help 🙂
Best,
Tim
01-21-2016 13:09
When using the Authorization Code Grant Flow, the Fitbit user_id is returned in the Access Token Request.
When using the Implicit Grant flow, the Fitbit user_id is returned as a parameter in the hash query of the redirect URI.
01-21-2016 13:24
I saw the user_id, but I can't map it to my own user. Can I add custom parameters to the callback URL somehow (is this supported by the API? I think I read somewhere that it had to match the one I specified in the app config on the Fitbit site)?
01-21-2016 13:28
Most apps would use their own session management or a client cookie for that.
OAuth 2 also provides the 'state' parameter when sending people to the authorization page.
01-22-2016 00:30
State parameter did the trick, thank you.
04-14-2016 08:28
I am passing a state parameter to the Fitbit Oauth. But when the request comes back, the state has been changed from a word to a very long string of letters and numbers. I would expect it to be returned verbatim. What am I doing wrong?
04-14-2016 08:33
Started GET "/users/auth/fitbit?state=i_can_step" for ::1 at 2016-04-14 11:19:33 -0400
Started GET "/users/auth/fitbit/callback?state=3fe63379b910e743be86afe824159c962a6168065c26f4cd&code=270af5fd4eadf898b5fcdc226378188668363268" for ::1 at 2016-04-14 11:19:59 -0400
04-19-2016 06:54
Anyone?
07-24-2020 08:19
Thank you for the information!