Validate access token on the server side in custom auth example

[pual]

There's a google = require('googleapis') dependency declared but never used.
It looks like every token received will get a valid session or will be created as a new user, I think there should be a token check against the google api !?

[jamesnocentini]

It looks like every token received will get a valid session or will be created as a new user, I think there should be a token check against the google api !?

You're right. Ideally the sample project should check for the validity of the token on the server side. Things have changed slightly concerning Google Auth since it implements OpenIDConnect which Sync Gateway now supports. For 3rd party auth services that don't support OpenIDConnect you'll have to follow the auth flow you've described.

I'll leave this ticket open to track the ability to validate access tokens in the custom auth flow. But we might want to do it with another provider that doesn't support OpenIDConnect (maybe Twitter).