Session-less version?

[olalonde]

I was wondering why this module requires a session store. After getting a request token, why do we need to save it in a store? Isn't it passed to the client?

Also, it seems if I wanted to go session-less, I'd have to pass an options.requestTokenStore option right? https://github.com/jaredhanson/passport-oauth1/blob/master/lib/strategy.js#L101

edit: Ah ok, the session store is used to store the request token secret.

[steffansluis]

I don't get it, why store the tokenSecret in an express session? Why not just in a plain object? There is no need for the secret to be persisted in the session, since it is pretty much disposable right? I would like to go session-less, but it seems this strategy doesn't allow that

[olalonde]

Yes.. I think it needs to be saved somewhere if you have more than one server running though. But yes it would be nice if it could be saved by the client to avoid the need for cookies.

[somprabhsharma]

we have multi server architecture, so in our case if the first request comes to server1 and it stores the request token secret in session of server 1 and if the callback goes to server2 then it will never be able to find the stored request token secret and throws Failed to find request token in session error. How to handle this scenario ?