Episode 14 of 21

Progress Refresh

Review everything built so far — the Express app, Passport configuration, Google strategy, MongoDB connection, and user model working together.

Let us take a step back and review everything built so far. Understanding how all the pieces connect is essential before adding sessions and cookies.

The Complete Flow

1. User visits http://localhost:3000
2. Clicks "Login with Google"
3. Browser goes to /auth/google
4. Passport redirects to Google login page
5. User logs in and grants permission
6. Google redirects to /auth/google/redirect?code=XXX
7. Passport exchanges the code for an access token
8. Passport calls your callback with the user profile
9. Your callback checks MongoDB for the user
10. If new: creates and saves user → calls done()
    If existing: retrieves user → calls done()
11. done() passes the user to Passport for session handling
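Steps 8 to 11 are where your own code runs. The block below is an added illustration, not the course's passport-setup.js: it shows the verify callback's find-or-create logic against an in-memory Map standing in for the Mongoose User model, so it runs offline with no Google round trip. The names `UserStore`, `handleGoogleProfile`, `verify` and `sampleProfile` are assumed for this example and do not come from the course files.

```javascript
// Added illustration, not the course's own code: the verify callback from
// steps 8-11 of the flow, run against an in-memory Map in place of the
// Mongoose User model so it executes offline. UserStore, handleGoogleProfile,
// verify and sampleProfile are names assumed here, not taken from the course.

// Stand-in for the User model. Real Mongoose calls are asynchronous; this
// store is synchronous so the whole flow can be traced in one pass.
class UserStore {
  constructor() {
    this.byGoogleId = new Map();
  }
  findOne(query) {
    return this.byGoogleId.get(query.googleId) || null;
  }
  create(doc) {
    const user = { _id: `local-${this.byGoogleId.size + 1}`, ...doc };
    this.byGoogleId.set(doc.googleId, user);
    return user;
  }
}

// Verify callback shaped like the one handed to the Google strategy. Passport
// calls it after exchanging the code for a token (step 7) with the fetched
// profile (step 8). Every path must finish by calling done(err, user).
function handleGoogleProfile(store, accessToken, refreshToken, profile, done) {
  try {
    if (!profile || typeof profile.id !== 'string' || profile.id === '') {
      return done(new Error('profile has no Google id'));
    }
    // Key the lookup on the stable Google subject id (profile.id), never on
    // the email address, which the account owner can change later.
    const existing = store.findOne({ googleId: profile.id });
    if (existing) {
      return done(null, existing); // step 10: existing user retrieved
    }
    const created = store.create({
      googleId: profile.id,
      username: profile.displayName,
    });
    return done(null, created); // step 10: new user created and saved
  } catch (err) {
    return done(err); // step 11 is skipped; Passport fails the request
  }
}

// Small adapter that captures whatever done() received.
function verify(store, profile) {
  let result;
  handleGoogleProfile(store, 'access-token', undefined, profile, (err, user) => {
    result = { err, user };
  });
  return result;
}

// Constructed sample profile, shaped like passport-google-oauth20's output.
const sampleProfile = { id: '1234567890', displayName: 'Ada' };

function demo() {
  const store = new UserStore();
  const first = verify(store, sampleProfile);  // first login: record created
  const second = verify(store, sampleProfile); // second login: same record found
  const bad = verify(store, { displayName: 'no id' }); // malformed profile
  return { first, second, bad, count: store.byGoogleId.size };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it twice with the same profile leaves exactly one record in the store, and the second `done()` receives the same `_id` as the first; a profile without an id reaches `done(err)` instead, which is the outcome Passport needs to reject the login rather than hang the request.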

File Structure

oauth-app/
├── app.js                    ← Express setup, MongoDB connect, routes
├── config/
│   ├── keys.js               ← Client ID, Secret, DB URI (gitignored)
│   └── passport-setup.js     ← Google strategy + callback
├── models/
│   └── user-model.js         ← Mongoose schema + model
├── routes/
│   └── auth-routes.js        ← /auth/google, /auth/google/redirect
└── views/
    └── home.ejs              ← Home page with login link

How the Files Connect

File              | Depends On                        | Purpose
------------------|-----------------------------------|----------------------------------------
app.js            | auth-routes, passport-setup, keys | Entry point — wires everything together
passport-setup.js | keys, user-model                  | Configures Google strategy + DB logic
auth-routes.js    | passport                          | Defines auth endpoints
user-model.js     | mongoose                          | Defines user data structure
keys.js           | (none)                            | Stores all secrets

What Is Missing

The OAuth flow works and users are saved to the database. But after login, the user is not "remembered" — there is no session. On the next request, the app does not know who is logged in. Next, you will add:

  • Serialize/Deserialize — how Passport stores and retrieves user data in sessions
  • Cookie Sessions — browser cookies that persist the login state
  • Profile page — a protected route that shows the logged-in user's info

Key Takeaways

  • The OAuth flow involves: redirect → Google login → callback → database → done()
  • All pieces are connected through app.js as the entry point
  • Users are saved but sessions do not exist yet — the app forgets users between requests
  • Next steps: serialization, cookies, and protected routes