Progress Refresh
Review everything built so far — the Express app, Passport configuration, Google strategy, MongoDB connection, and user model working together.
Let us take a step back and review everything built so far. Understanding how all the pieces connect is essential before adding sessions and cookies.
The Complete Flow
1. User visits http://localhost:3000
2. Clicks "Login with Google"
3. Browser goes to /auth/google
4. Passport redirects to Google login page
5. User logs in and grants permission
6. Google redirects to /auth/google/redirect?code=XXX
7. Passport exchanges the code for an access token
8. Passport calls your callback with the user profile
9. Your callback checks MongoDB for the user
10. If new: creates and saves the user → calls done()
    If existing: retrieves the user → calls done()
11. done() passes the user to Passport for session handling
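Steps 8 through 11 are the part of the flow that lives in your own code, so here is the verify callback written out as an added example (it is not the course's passport-setup.js). To keep it runnable without Passport, Mongoose or a database, the User model is an in-memory stand-in whose shape (promise-returning findOne and create) mirrors what Mongoose offers, and the Google profile is a constructed sample; in the real app you would hand the same callback to GoogleStrategy and pass the Mongoose model instead of the stand-in.

```javascript
// Constructed in-memory stand-in for the Mongoose User model (assumption:
// the real model exposes findOne(query) and create(fields), both async).
function makeUserStore(seed = []) {
  const docs = [...seed];
  return {
    async findOne(query) {
      return docs.find((d) => d.googleId === query.googleId) || null;
    },
    async create(fields) {
      const doc = { _id: String(docs.length + 1), ...fields };
      docs.push(doc);
      return doc;
    },
    size() {
      return docs.length;
    },
  };
}

// Constructed sample of the profile object Passport hands to the callback.
const SAMPLE_PROFILE = {
  id: '1234567890',
  displayName: 'Ada Example',
  emails: [{ value: 'ada@example.com' }],
};

// The verify callback (step 8). Passport calls it with
// (accessToken, refreshToken, profile, done). Only profile.id is used to
// identify the user; the tokens are not persisted because nothing in this
// app calls Google on the user's behalf after login.
function makeVerifyCallback(User) {
  return async function verify(accessToken, refreshToken, profile, done) {
    try {
      const existing = await User.findOne({ googleId: profile.id }); // step 9
      if (existing) {
        return done(null, existing); // step 10, existing user
      }
      const created = await User.create({
        // step 10, new user
        googleId: profile.id,
        username: profile.displayName,
      });
      return done(null, created); // step 11: hand the user to Passport
    } catch (err) {
      // A database failure is reported through done(err), with no user,
      // so Passport treats the login as failed instead of crashing.
      return done(err);
    }
  };
}

// Runs the callback the way Passport would and captures what done()
// received, so the outcome can be inspected without Passport itself.
function runVerify(User, profile) {
  return new Promise((resolve) => {
    const verify = makeVerifyCallback(User);
    verify('access-token-placeholder', undefined, profile, (err, user) =>
      resolve({ err, user })
    );
  });
}

// Stand-alone demonstration: the first login creates the user, the second
// login with the same Google id finds and reuses the same document.
async function demo() {
  const User = makeUserStore();
  const first = await runVerify(User, SAMPLE_PROFILE);
  const second = await runVerify(User, SAMPLE_PROFILE);
  return { first, second, total: User.size() };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The contract worth remembering is the shape of done(): done(null, user) completes the login, done(err) reports a failure, and (as Passport documents it) done(null, false) rejects the login without an error. Keeping the lookup keyed on profile.id rather than on the display name or email is what makes the second login land on the same document.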
File Structure
oauth-app/
├── app.js                ← Express setup, MongoDB connect, routes
├── config/
│   ├── keys.js           ← Client ID, Secret, DB URI (gitignored)
│   └── passport-setup.js ← Google strategy + callback
├── models/
│   └── user-model.js     ← Mongoose schema + model
├── routes/
│   └── auth-routes.js    ← /auth/google, /auth/google/redirect
└── views/
    └── home.ejs          ← Home page with login link
How the Files Connect
| File | Depends On | Purpose |
|---|---|---|
| app.js | auth-routes, passport-setup, keys | Entry point — wires everything together |
| passport-setup.js | keys, user-model | Configures Google strategy + DB logic |
| auth-routes.js | passport | Defines auth endpoints |
| user-model.js | mongoose | Defines user data structure |
| keys.js | (none) | Stores all secrets |
What Is Missing
The OAuth flow works and users are saved to the database. But after login, the user is not "remembered" — there is no session. On the next request, the app does not know who is logged in. Next, you will add:
- Serialize/Deserialize — how Passport stores and retrieves user data in sessions
- Cookie Sessions — browser cookies that persist the login state
- Profile page — a protected route that shows the logged-in user's info
Key Takeaways
- The OAuth flow involves: redirect → Google login → callback → database → done()
- All pieces are connected through app.js as the entry point
- Users are saved but sessions do not exist yet — the app forgets users between requests
- Next steps: serialization, cookies, and protected routes