Using the returned token to access github api

I used passportjs and passport-github to create a social login in my application:

passport.use(new GithubStrategy(
  {
    clientID     : configAuth.githubAuth.clientID,
    clientSecret : configAuth.githubAuth.clientSecret,
    callbackURL  : configAuth.githubAuth.callbackURL
  },
  function(token, refreshToken, profile, done) {
    process.nextTick(function() {
      User.findOne({'github.id' : profile.id}, function(err, user) {
        if (err) {
          return done(err);
        }
        if (user) {
          return done(null, user);
        } else {
          var newUser = new User();
          newUser.github.id = profile.id;
          newUser.token     = token;
          newUser.name      = profile.displayName;
          newUser.email     = profile.emails[0].value;
          newUser.username  = profile.username;
          // save
          newUser.save(function(err){
            if (err) {
              // report the failure to Passport instead of throwing inside the callback
              return done(err);
            }

            return done(null, newUser);
          });
        }
      });
    });
  }
));

Now I am using another component called octonode, which requires an access_token to authenticate its user. Is the token in the callback the same as this access_token? I do not seem to be authenticated when doing this:

var github = require('octonode');

exports.read = function (req, res, next) {

  var client = github.client();
  client.get('/user?access_token=' + req.user.token, {}, function (err, status, body, headers) {
    res.json(body);
  });
};

And also tried doing this:

var client = github.client(req.user.token);
client.get('/user',{}, function...)

I get a blank screen, meaning no response.

Alright, as one answer on SO states:

Note that Passport does not actively use the access token or refresh token, other than to fetch the user profile during login. Your application is responsible for using these tokens when making whatever API requests are necessary. As such, you can implement either method you describe, Passport is not involved in the process.

The access_tokens are returned to you, but Passport does not handle them afterwards; you are the one responsible for saving them or doing whatever you want with them.

My code is basically inspired by a tutorial in Scotch.io's Facebook auth using passport. There they do not update the token on every login, because they do not need to in their tutorial, but they do save it in the database; check their source code.

With a few comments and some debugging, I found that this is the culprit in my application, so I need to update the condition for when a user is found: update the token and some values, so that important info will persist on login.

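if (user) {
   // refresh the stored token and profile fields on every login
   user.token = token;
   user.name  = profile.displayName;
   user.email = profile.emails[0].value;
   // wait for the save to finish and pass any error on to Passport
   return user.save(function (err) {
     if (err) {
       return done(err);
     }
     return done(null, user);
   });
}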

And now this will work out just fine:

var client = github.client(req.user.token);
client.get('/user', {}, function (err, status, body, headers) {
    if (err) {
        // surface API/auth failures instead of sending an empty response
        return next(err);
    }
    res.json(body);
});

Thanks to @MikeSmithDev for helping me out.
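
The fix described above, written as one verify callback that takes the same path for new and returning users, as an added example that is not part of the original post. `makeVerify`, `makeFakeUserModel` and `demoTwoLogins` are hypothetical names, the model is assumed to expose Mongoose-style `findOne(query, cb)` and `save(cb)`, and the profile and token values are constructed.

```javascript
// Added example (hypothetical helper names); assumes Mongoose-style User.findOne(query, cb) and doc.save(cb).
function makeVerify(User) {
  return function verify(token, refreshToken, profile, done) {
    User.findOne({ 'github.id': profile.id }, function (err, user) {
      if (err) return done(err);
      if (!user) {
        user = new User();
        user.github = { id: profile.id };
        user.username = profile.username;
      }
      // Overwrite the stored token on every login so API calls never reuse a stale one.
      user.token = token;
      user.name = profile.displayName;
      // A profile may carry no emails array; do not index into a missing one.
      user.email = (profile.emails && profile.emails[0]) ? profile.emails[0].value : null;
      user.save(function (saveErr) {
        if (saveErr) return done(saveErr);
        done(null, user);
      });
    });
  };
}

// Constructed in-memory stand-in for the model, so the example runs offline.
function makeFakeUserModel() {
  var rows = [];
  function FakeUser() {}
  FakeUser.prototype.save = function (cb) {
    if (rows.indexOf(this) === -1) rows.push(this);
    cb(null);
  };
  FakeUser.findOne = function (query, cb) {
    var hit = rows.filter(function (u) { return u.github.id === query['github.id']; })[0];
    cb(null, hit || null);
  };
  FakeUser.rows = rows;
  return FakeUser;
}

// Two logins by the same (constructed) profile: one row, holding the latest token.
function demoTwoLogins() {
  var User = makeFakeUserModel();
  var verify = makeVerify(User);
  var profile = { id: '42', username: 'octo', displayName: 'Octo Cat' };
  var seen = [];
  verify('first-login-token', null, profile, function (e, u) { seen.push(u.token); });
  verify('second-login-token', null, profile, function (e, u) { seen.push(u.token); });
  return { tokens: seen, rowCount: User.rows.length, email: User.rows[0].email };
}
```

With passport-github this would be registered as `passport.use(new GithubStrategy(options, makeVerify(User)))`, where `options` is the configuration object from the question.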
