Both strategy function and passport.authenticate are called on protected end point

[philipbrack]

Hi I wrote an example server and client for your library.

One thing I am trying to figure out is, I noticed that both the

passport.use(new FacebookTokenStrategy({
    clientID: 'TBD',
    clientSecret: 'TBD'
  }, function (accessToken, refreshToken, profile, done) {
    <function 1>
    ...

and

app.get(
    "/protected",
    (req, res) => {

      // calling this so as to catch error and respond without 500 and pass all the details to the user.
      passport.authenticate('facebook-token', {session: false}, function (err, user, info) {
        <function 2>
        ...

are executed every time I do an HTTP GET for the "/protected" end point.

Is it the case that passport.authenticate() is what calls the strategy function?

Also under what conditions does the library ping facebook to validate the token?
I should think that if it is a known user and the time to live isn't expired we
shouldn't have to do a lookup.

[philipbrack]

OK I think I may have cracked the case. passport.authenticate('facebook-token') does call the strategy registered before.

Also if I want to optimize the facebook API hit out I referred to I would need to do that logic myself and not call passport.authenticate.

Does that sound correct?

[amank22]

Yeah... I was also thinking about that.
This strategy is called everytime we try to access a protected data. So if a user is not registered and he calls this endpoint, it will create a new user. But I dont think I want to create a new user from all the calls. Also I want multiple providers in my server.