TokenError: Code was already redeemed and TokenError: Bad Request

I have a pretty basic passport setup as you can see below. Every once in a while I get two different errors. TokenError: Code was already redeemed and TokenError: Bad Request for reasons I cannot seem to find.

I’ve looked around a lot (1 week) for possible solutions but am yet to find one which works.

Do you see anything wrong with the current code?

app.get('/auth/google', redirect, passport.authenticate('google', { scope: ['profile', 'email'] }));

app.get('/auth/google/callback', passport.authenticate('google', { failureRedirect: '/' }),
  function(req, res) {
    res.redirect('/');
  }
);

Here are the two errors:

TokenError: Bad Request 
  at Strategy.OAuth2Strategy.parseErrorResponse (/app/node_modules/passport-oauth2/lib/strategy.js:320:12) 
  at Strategy.OAuth2Strategy._createOAuthError (/app/node_modules/passport-oauth2/lib/strategy.js:367:16) 
  at /app/node_modules/passport-oauth2/lib/strategy.js:166:45 
  at /app/node_modules/oauth/lib/oauth2.js:177:18 
  at passBackControl (/app/node_modules/oauth/lib/oauth2.js:123:9) 
  at IncomingMessage.<anonymous> (/app/node_modules/oauth/lib/oauth2.js:143:7) 
  at emitNone (events.js:85:20) 
  at IncomingMessage.emit (events.js:179:7) 
  at endReadableNT (_stream_readable.js:913:12) 
  at _combinedTickCallback (internal/process/next_tick.js:74:11) 
  at process._tickCallback (internal/process/next_tick.js:98:9)



TokenError: Code was already redeemed. 
      at Strategy.OAuth2Strategy.parseErrorResponse (/app/node_modules/passport-oauth2/lib/strategy.js:320:12) 
      at Strategy.OAuth2Strategy._createOAuthError (/app/node_modules/passport-oauth2/lib/strategy.js:367:16) 
      at /app/node_modules/passport-oauth2/lib/strategy.js:166:45 
      at /app/node_modules/oauth/lib/oauth2.js:177:18 
      at passBackControl (/app/node_modules/oauth/lib/oauth2.js:123:9) 
      at IncomingMessage.<anonymous> (/app/node_modules/oauth/lib/oauth2.js:143:7) 
      at emitNone (events.js:85:20) 
      at IncomingMessage.emit (events.js:179:7) 
      at endReadableNT (_stream_readable.js:913:12) 
      at _combinedTickCallback (internal/process/next_tick.js:74:11) 
      at process._tickCallback (internal/process/next_tick.js:98:9) 

Issue Analytics

  • State:open
  • Created 7 years ago
  • Reactions:8
  • Comments:32

Top GitHub Comments

25 reactions
akash5324 commented, Jul 28, 2018

You have to specify the full URL in the callbackURL section of the strategy. For example, when I’m running my code locally on localhost:3000 with code like this:

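passport.use(new googleStrategy({

	clientID:keys.clientID,
	clientSecret:keys.clientSecret,
	callbackURL:'auth/google/callback' // relative URL
},(accessToken,refreshToken, profile,done)=>{

	// debugging output only; tokens should not be logged in production
	console.log(accessToken);
	console.log(refreshToken);
	console.log(profile);
	done(null, profile); // finish the verify callback so the request can complete
}
));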

app.get('/auth',passport.authenticate('google',{

	scope:['profile','email']
}));

app.get('/auth/google/callback', 
  passport.authenticate('google'));

The above code will surely throw an error like token: Bad request, so you have to pass the complete URL. The final code will be:

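passport.use(new googleStrategy({

	clientID:keys.clientID,
	clientSecret:keys.clientSecret,
	callbackURL:'http://localhost:3000/auth/google/callback' // absolute URL
},(accessToken,refreshToken, profile,done)=>{

	// debugging output only; tokens should not be logged in production
	console.log(accessToken);
	console.log(refreshToken);
	console.log(profile);
	done(null, profile); // finish the verify callback so the request can complete
}
));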

app.get('/auth',passport.authenticate('google',{

	scope:['profile','email']
}));

app.get('/auth/google/callback', 
  passport.authenticate('google'));
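
Why the relative value fails while the absolute one works, as an added example (not code from the issue thread or from passport): RFC 6749 requires the redirect_uri in the token request to be identical to the one sent in the authorization request. The sketch assumes the strategy resolves a relative callbackURL against the URL of the request it is currently handling; `resolveRedirectUri`, `checkCallback` and all sample URLs are constructed for illustration.

```javascript
'use strict';
// Added example. Assumption: a relative callbackURL is resolved against the
// URL of the request being handled, so its value can differ per route.

function resolveRedirectUri(callbackURL, requestUrl) {
  // An absolute callbackURL ignores the base; a relative one is resolved
  // against the directory of the current request path.
  return new URL(callbackURL, requestUrl).href;
}

// Compare the redirect_uri produced at the authorization step with the one
// produced at the token step, and with the URI registered at the provider.
function checkCallback(callbackURL, { loginUrl, callbackUrl, registered }) {
  const atAuthorize = resolveRedirectUri(callbackURL, loginUrl);
  const atToken = resolveRedirectUri(callbackURL, callbackUrl);
  return {
    atAuthorize,
    atToken,
    consistent: atAuthorize === atToken,
    matchesRegistered: atAuthorize === registered && atToken === registered,
  };
}

// Constructed requests for the routes used in the comment above.
const local = {
  loginUrl: 'http://localhost:3000/auth',
  callbackUrl: 'http://localhost:3000/auth/google/callback?code=SAMPLE_CODE',
  registered: 'http://localhost:3000/auth/google/callback',
};

// Relative path: the token step resolves to a different URI than the login step.
const relative = checkCallback('auth/google/callback', local);
// Absolute URL: identical at both steps and equal to the registered URI.
const absolute = checkCallback('http://localhost:3000/auth/google/callback', local);

// Root-relative path behind a TLS-terminating proxy (constructed host): the
// app sees http:// while https:// is registered, so the values still differ.
const proxied = checkCallback('/auth/google/callback', {
  loginUrl: 'http://app.example/auth',
  callbackUrl: 'http://app.example/auth/google/callback?code=SAMPLE_CODE',
  registered: 'https://app.example/auth/google/callback',
});

console.log({ relative, absolute, proxied });
```
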

17 reactions
njbraun commented, Aug 25, 2017

After a bit of digging, it looks like failureRedirect is ONLY used for strategy ‘failures’ and not ‘errors’, which is what gets thrown if a Token has already been used/redeemed.

This is a bit confusing, I agree.

It’s almost as if passport needs an additional option for ‘errorRedirect’

You can handle this outside of passport by implementing your own error handling. For example:

app.get('/auth/google/callback',
  passport.authenticate('google'), // complete the authenticate using the google strategy
  (err, req, res, next) => { // custom error handler to catch any errors, such as TokenError
    if (err.name === 'TokenError') {
      res.redirect('/auth/google'); // redirect them back to the login page
    } else {
      // Handle other errors here
      next(err); // pass anything else on so the request does not hang
    }
  },
  (req, res) => { // On success, redirect back to '/'
    res.redirect('/');
  }
);