TokenError: Code was already redeemed and TokenError: Bad Request

I have a pretty basic passport setup as you can see below. Every once in a while I get two different errors. TokenError: Code was already redeemed and TokenError: Bad Request for reasons I cannot seem to find.

I’ve looked around a lot (1 week) for possible solutions but am yet to find one which works.

Do you see anything wrong with the current code?

app.get('/auth/google', redirect, passport.authenticate('google', { scope: ['profile', 'email'] }));

app.get('/auth/google/callback', passport.authenticate('google', { failureRedirect: '/' }),
  function(req, res) {
    res.redirect('/');
  }
);

Here are the two errors:

TokenError: Bad Request 
  at Strategy.OAuth2Strategy.parseErrorResponse (/app/node_modules/passport-oauth2/lib/strategy.js:320:12) 
  at Strategy.OAuth2Strategy._createOAuthError (/app/node_modules/passport-oauth2/lib/strategy.js:367:16) 
  at /app/node_modules/passport-oauth2/lib/strategy.js:166:45 
  at /app/node_modules/oauth/lib/oauth2.js:177:18 
  at passBackControl (/app/node_modules/oauth/lib/oauth2.js:123:9) 
  at IncomingMessage.<anonymous> (/app/node_modules/oauth/lib/oauth2.js:143:7) 
  at emitNone (events.js:85:20) 
  at IncomingMessage.emit (events.js:179:7) 
  at endReadableNT (_stream_readable.js:913:12) 
  at _combinedTickCallback (internal/process/next_tick.js:74:11) 
  at process._tickCallback (internal/process/next_tick.js:98:9)



TokenError: Code was already redeemed. 
      at Strategy.OAuth2Strategy.parseErrorResponse (/app/node_modules/passport-oauth2/lib/strategy.js:320:12) 
      at Strategy.OAuth2Strategy._createOAuthError (/app/node_modules/passport-oauth2/lib/strategy.js:367:16) 
      at /app/node_modules/passport-oauth2/lib/strategy.js:166:45 
      at /app/node_modules/oauth/lib/oauth2.js:177:18 
      at passBackControl (/app/node_modules/oauth/lib/oauth2.js:123:9) 
      at IncomingMessage.<anonymous> (/app/node_modules/oauth/lib/oauth2.js:143:7) 
      at emitNone (events.js:85:20) 
      at IncomingMessage.emit (events.js:179:7) 
      at endReadableNT (_stream_readable.js:913:12) 
      at _combinedTickCallback (internal/process/next_tick.js:74:11) 
      at process._tickCallback (internal/process/next_tick.js:98:9) 

Issue Analytics

  • State:open
  • Created 7 years ago
  • Reactions:8
  • Comments:32

Top GitHub Comments

25 reactions
akash5324 commented, Jul 28, 2018

You have to specify the full URL in the callbackURL section of the strategy. For example, when I'm running my code locally on localhost:3000 with code like this:

passport.use(new googleStrategy({
	clientID: keys.clientID,
	clientSecret: keys.clientSecret,
	callbackURL: 'auth/google/callback' // relative URL: this is what triggers the error
}, (accessToken, refreshToken, profile, done) => {
	// debug output only; do not log tokens outside local testing
	console.log(accessToken);
	console.log(refreshToken);
	console.log(profile);
	done(null, profile); // tell passport the verify step finished
}
));

app.get('/auth', passport.authenticate('google', {
	scope: ['profile', 'email']
}));

app.get('/auth/google/callback',
  passport.authenticate('google'));

The above code will surely throw an error like token: Bad request. So you have to pass the complete URL, so the final code will be:

passport.use(new googleStrategy({
	clientID: keys.clientID,
	clientSecret: keys.clientSecret,
	callbackURL: 'http://localhost:3000/auth/google/callback' // absolute URL
}, (accessToken, refreshToken, profile, done) => {
	// debug output only; do not log tokens outside local testing
	console.log(accessToken);
	console.log(refreshToken);
	console.log(profile);
	done(null, profile); // tell passport the verify step finished
}
));

app.get('/auth', passport.authenticate('google', {
	scope: ['profile', 'email']
}));

app.get('/auth/google/callback',
  passport.authenticate('google'));
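Why the relative callbackURL in the comment above fails, as an added example that is not part of the original comment or of passport's code: OAuth 2.0 requires the redirect_uri sent with the token request to be identical to the one sent with the authorization request. The sketch assumes the strategy resolves a relative callbackURL against the URL of the request being handled; the function names and request URLs are constructed for illustration.

```javascript
'use strict';
// Added example. Assumption: a relative callbackURL is resolved against the
// URL of the request currently being handled, like any relative reference.

function effectiveRedirectUri(callbackURL, requestUrl) {
  return new URL(callbackURL, requestUrl).href;
}

// Compare the redirect_uri sent when login starts with the one sent when the
// authorization code is exchanged. The provider rejects the exchange unless
// the two values are identical.
function checkCallbackURL(callbackURL, startRequestUrl, callbackRequestUrl) {
  const atAuthorize = effectiveRedirectUri(callbackURL, startRequestUrl);
  const atTokenExchange = effectiveRedirectUri(callbackURL, callbackRequestUrl);
  return { atAuthorize, atTokenExchange, consistent: atAuthorize === atTokenExchange };
}

// Startup guard: accept only an absolute http(s) callbackURL.
function isAbsoluteHttpUrl(value) {
  try {
    const u = new URL(value); // throws on a relative value
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch (_) {
    return false;
  }
}

// Constructed request URLs matching the routes in the comment above.
const START = 'http://localhost:3000/auth';
const CALLBACK = 'http://localhost:3000/auth/google/callback?code=CONSTRUCTED_CODE';

const relativeResult = checkCallbackURL('auth/google/callback', START, CALLBACK);
const absoluteResult = checkCallbackURL('http://localhost:3000/auth/google/callback', START, CALLBACK);

console.log(relativeResult); // the two redirect_uri values differ
console.log(absoluteResult); // the same value at both steps
```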

17 reactions
njbraun commented, Aug 25, 2017

After a bit of digging, it looks like failureRedirect is ONLY used for strategy ‘failures’ and not ‘errors’, which is what gets thrown if a Token has already been used/redeemed.

This is a bit confusing, I agree.

It’s almost as if passport needs an additional option for ‘errorRedirect’.

You can handle this outside of passport by implementing your own error handling. For example:

app.get('/auth/google/callback',
  passport.authenticate('google'), // complete the authentication using the google strategy
  (err, req, res, next) => { // custom error handler to catch any errors, such as TokenError
    if (err.name === 'TokenError') {
      res.redirect('/auth/google'); // redirect them back to the login page
    } else {
      next(err); // pass other errors on to the application's error handler
    }
  },
  (req, res) => { // On success, redirect back to '/'
    res.redirect('/');
  }
);
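A variant of the error handler above with a retry cap, as an added example that is not part of the original comment: a TokenError caused by configuration (such as a mismatched callbackURL) recurs on every attempt, so redirecting back to the login route unconditionally can loop. MAX_RETRIES, the oauthRetries session key and '/login-failed' are hypothetical names, and the counter assumes session middleware provides req.session.

```javascript
'use strict';
// Added example. MAX_RETRIES, session.oauthRetries and FAILED_URL are hypothetical.
const MAX_RETRIES = 1;
const LOGIN_URL = '/auth/google';   // login route used on this page
const FAILED_URL = '/login-failed'; // hypothetical page shown when retries run out

// Express-style error handler (four arguments) for the OAuth callback route.
function oauthCallbackErrorHandler(err, req, res, next) {
  if (!err || err.name !== 'TokenError') {
    return next(err); // not a token error: leave it to the app-wide handler
  }
  // Without session middleware the counter lives only for this request.
  const session = req.session || (req.session = {});
  session.oauthRetries = (session.oauthRetries || 0) + 1;
  if (session.oauthRetries > MAX_RETRIES) {
    session.oauthRetries = 0;
    return res.redirect(FAILED_URL); // repeated TokenError: stop the loop
  }
  return res.redirect(LOGIN_URL);    // first TokenError: restart the login once
}

// Constructed stand-ins for Express req/res so the handler runs without Express.
function simulate(errors) {
  const req = { session: {} };
  const outcomes = [];
  for (const err of errors) {
    const res = { redirect: (url) => outcomes.push('redirect ' + url) };
    oauthCallbackErrorHandler(err, req, res, (e) => outcomes.push('next ' + e.name));
  }
  return outcomes;
}

function tokenError(message) {
  const e = new Error(message);
  e.name = 'TokenError';
  return e;
}

console.log(simulate([
  tokenError('Code was already redeemed.'),
  tokenError('Bad Request'),
  new TypeError('constructed unrelated error'),
]));
```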