2

I'm attempting to get and store an access token from the Pocket API using Node.js. I am able to get the request token, redirect to the Pocket login page, redirect back to my site, and finally able to exchange the request token for an access token.

But that's where my problem lays. I don't know how I should go about actually storing the token, and without it I am unable to make API calls (of course). Here's the relevant code:

//called when Pocket API redirects back to /getAccessToken
function getAccessToken(response, requestToken) {
    restler.post("https://getpocket.com/v3/oauth/authorize", {
        headers: { "Content-Type" : "application/json",
                   "X-Accept" : "application/json" },
        data : JSON.stringify({consumer_key:CONSUMER_KEY,code:requestToken})
    }).on("complete", function(data, res) {
        if(res.statusCode == 200) {
            var accessToken = data.access_token;
            console.log("Access granted: " + accessToken);
            //BUT HOW DO I STORE THE ACCESS TOKEN FOR USE OF API CALLS ??
        }
        response.writeHead(307, {Location: DNS}); //go back to site
        response.end();
    });

};

I was thinking I should store the accessToken on the client side, but I don't actually know how to go about doing that. I've tried using cookies, but that didn't seem to work. Of course, I may have just implemented them wrong.

Your help is much appreciated.

thebradbain
  • 3,139
  • 4
  • 16
  • 17
  • 1
    what did you try for cookies and what makes you say it didn't work? – Robert Levy Aug 04 '13 at 19:30
  • Should have clarified! I used the [Cookies](https://github.com/jed/cookies) node module, and whereas I could have made it work, it seemed to bloat up my code and at times be unreliable. I didn't think cookies would be the solution, but if so do you have any suggestions? – thebradbain Aug 04 '13 at 19:35

2 Answers2

2

How you store the access token usually depends on where you will be using the API.

I usually like to persist tokens in the database (like MongoDB) on the User document they are associated with, and then my web client can ping my server (via a RESTful endpoint) if it needs the token for anything. This way if the user clears all that state on the browser you don't have to go through the entire OAuth flow again.

ilmatic
  • 565
  • 3
  • 11
1

you should probably make the cookies thing work. option 2 is to use localStorage but if you're struggling with cookies i wouldn't try going down that path - it gives you more control of when the tokens are sent across the wire but also requires a lot more work to make your serverside and clientside code coordinate.

Robert Levy
  • 28,747
  • 6
  • 62
  • 94