We're using node-oauth2-provider as an authentication library for our service. The current process for a user to log in is:
POST /oauth2/access_token
Which creates and saves the access_token to the database.
On subsequent requests we send the access_token, which is pulled from the database to verify that it exists. From there the user is added to the session manually by us, in a similar fashion to their examples.
After this happens, if a request comes in without the access token, the session still seems to be set. As if it's persisting across requests. Maybe I misunderstand how this is supposed to work... but shouldn't the access token be the indication that a user's requests are still valid?
If so, do I need to clear the session manually?
If not and it stores it in memory... possibly indicated by:
express.session({store: new MemoryStore({reapInterval: 5 * 60 * 1000}), secret: 'abracadabra'})
Then how does the server know that subsequent requests are valid?
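The following is an added illustration of the behaviour described in this question; it is not code from the question, from node-oauth2-provider, or from Express. It uses a constructed in-memory token table in place of the database and plain request objects in place of real Express `req`s, and the function and token names are made up for the example. It contrasts the session-copy pattern from the question (where a persisted session keeps returning a user after the token stops arriving) with a middleware that re-validates the bearer token on every request and never consults the session.

```javascript
// Constructed stand-in for the access_token table in the database:
// token -> { userId, expiresAt }. Values are made up for this example.
const tokenStore = new Map([
  ['tok-valid-1', { userId: 42, expiresAt: Date.now() + 3600 * 1000 }],
  ['tok-expired', { userId: 7, expiresAt: Date.now() - 1000 }],
]);

// Extract a bearer token from the Authorization header, or null if absent.
function bearerToken(req) {
  const header = (req.headers && req.headers.authorization) || '';
  const match = /^Bearer\s+(\S+)$/i.exec(header);
  return match ? match[1] : null;
}

// Pattern from the question: once a token checks out, the user is copied
// into req.session. Because the session is keyed by a cookie, it outlives
// the token and later requests without a token still look authenticated.
function sessionOnlyAuth(req) {
  const token = bearerToken(req);
  if (token && tokenStore.has(token)) {
    req.session.user = tokenStore.get(token).userId;
  }
  return req.session.user !== undefined;
}

// Alternative: validate the token on every request and ignore the session.
// Returns a small result object so the outcome can be inspected directly.
function tokenAuth(req) {
  const token = bearerToken(req);
  if (!token) return { ok: false, status: 401, reason: 'missing token' };
  const rec = tokenStore.get(token);
  if (!rec) return { ok: false, status: 401, reason: 'unknown token' };
  if (rec.expiresAt <= Date.now()) {
    return { ok: false, status: 401, reason: 'expired token' };
  }
  return { ok: true, status: 200, userId: rec.userId };
}

// Express-style middleware built on tokenAuth (hypothetical helper; signature
// matches what app.use(...) expects, but nothing here depends on Express).
function requireToken(req, res, next) {
  const result = tokenAuth(req);
  if (!result.ok) {
    res.status(result.status).json({ error: result.reason });
    return;
  }
  req.userId = result.userId;
  next();
}

// Simulate one client: the first request carries the token, the second does
// not, but both share the same session object, as a session cookie would.
function simulate() {
  const session = {};
  const first = { headers: { authorization: 'Bearer tok-valid-1' }, session };
  const second = { headers: {}, session };
  const expired = { headers: { authorization: 'Bearer tok-expired' }, session: {} };
  return {
    sessionFirst: sessionOnlyAuth(first),   // true: token verified, user stored
    sessionSecond: sessionOnlyAuth(second), // true: session persisted, no token needed
    tokenFirst: tokenAuth(first).ok,        // true
    tokenSecond: tokenAuth(second).ok,      // false: no token, no access
    tokenExpired: tokenAuth(expired).status // 401
  };
}

console.log(simulate());
```

The `sessionSecond` result is the effect the question observes: with `express.session` in front of the handler, the cookie-backed session, not the access token, is what makes the second request look valid. `tokenAuth` shows the alternative where the token lookup is the only source of truth, so a request that stops sending it is rejected without any session bookkeeping.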