What's the best way to save the access token in MongoDB?

Hi community! I’m currently in the process of developing a MERN stack app that is connected to a MongoDB database, and will allow users to connect their Twitch users to their accounts so they can add the follower count they have as part of the profile data.
The way I’ve managed to do this is the following:

POST request to “https://id.twitch.tv/oauth2/token” to get the access token
GET request to “https://api.twitch.tv/helix/users” to get userinfo (mainly user id)
GET request to “https://api.twitch.tv/helix/channels/followers?broadcaster_id=${id}” to get the total amount of followers.

So my questions are the following:

After receiving both the access_token and refresh_token, what would be the best way to save this data? Should I save both the refresh token and access token as part of the user data in the User model I’ve created on MongoDB, so I can use the refresh token to generate a new access token when it expires?
Would using 3 HTTP requests as I’ve done be the correct way to do this? Or would there be a more efficient way?

Any guidance on this would be greatly appreciated.

Thanks in advance!

Sounds sensible to me

What you did sounds good to me.
There are no changes I would make.

Thanks, I was thinking about hashing the access tokens before saving them in the database.
Do you think that would be a good way to do it so I can retrieve the followers count every time users access my app?

No need to hash imo, since if you get breached they’ll probably nab the code which describes how to unhash it, since you need to unhash it for use.

A given access token is only valid for 4 hours (using code flow).
If the access token is leaked, you can’t do anything with it if it’s 4 hours old.
And so far you are only reading public data, so you can’t do much with the token.

The refresh token is only useful if an attacker also acquires your client secret, and if you reset your leaked client secret then all the access tokens die after 4 hours and all the refresh tokens are useless the moment you reset.

So hashing is unneeded in my opinion.

Follow counts can also be pulled using any token.
So depending on what you are doing you might not even want to store user tokens at all.

After the user signs up to your service you just store their username/ID in your database, and you can do everything else with an App Access Token that is used only in real time/running memory, not stored in the database.
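
What the reply above describes, as an added example in Node-style JavaScript (not code from anyone in this thread): the app obtains an App Access Token with the client-credentials grant, keeps it only in process memory, refreshes it when it expires or is rejected with a 401 (which is what happens after the client secret is reset), and persists nothing per user except the Twitch user ID. The three Twitch endpoints are the ones the question lists; the `TwitchClient`, `makeFakeTwitch` and `demo` names, the lookup of the user by `login`, and the stub responses are assumptions made for this example, and `fetchImpl` is injected so the flow runs offline against the constructed stub instead of Twitch.

```javascript
// Added example (not from the thread). Endpoint URLs are those named in the question;
// everything else here is an assumption made for illustration.
const TOKEN_URL = "https://id.twitch.tv/oauth2/token";
const USERS_URL = "https://api.twitch.tv/helix/users";
const FOLLOWERS_URL = "https://api.twitch.tv/helix/channels/followers";

class TwitchClient {
  // fetchImpl is injected so the flow can be exercised offline with a stub; in
  // production pass the global fetch (Node 18+). `now` is injectable for the same reason.
  constructor({ clientId, clientSecret, fetchImpl = globalThis.fetch, now = Date.now }) {
    this.clientId = clientId;
    this.clientSecret = clientSecret;
    this.fetch = fetchImpl;
    this.now = now;
    this.token = null;   // lives only in memory, never written to the database
    this.expiresAt = 0;  // epoch ms; renewed a minute early to avoid expiry races
  }

  // Client-credentials grant: no user involvement, so nothing user-specific to store.
  async getAppToken() {
    if (this.token && this.now() < this.expiresAt - 60000) return this.token;
    const body = new URLSearchParams({
      client_id: this.clientId,
      client_secret: this.clientSecret,
      grant_type: "client_credentials",
    });
    const res = await this.fetch(TOKEN_URL, { method: "POST", body });
    if (!res.ok) throw new Error(`token request failed: ${res.status}`);
    const json = await res.json();
    this.token = json.access_token;
    this.expiresAt = this.now() + json.expires_in * 1000;
    return this.token;
  }

  // Authenticated Helix GET; on a 401 the cached token is dropped and one retry is made
  // with a freshly issued token (covers expiry and a client-secret reset).
  async helixGet(url, retry = true) {
    const token = await this.getAppToken();
    const res = await this.fetch(url, {
      headers: { Authorization: `Bearer ${token}`, "Client-Id": this.clientId },
    });
    if (res.status === 401 && retry) {
      this.token = null;
      return this.helixGet(url, false);
    }
    if (!res.ok) throw new Error(`helix request failed: ${res.status}`);
    return res.json();
  }

  // Run once when the user links their Twitch login; only the returned id is persisted.
  async lookupUserId(login) {
    const json = await this.helixGet(`${USERS_URL}?login=${encodeURIComponent(login)}`);
    if (!json.data || json.data.length === 0) throw new Error(`no Twitch user named ${login}`);
    return json.data[0].id;
  }

  // Run on every profile view; needs only the stored id plus the in-memory app token.
  async followerCount(broadcasterId) {
    const json = await this.helixGet(`${FOLLOWERS_URL}?broadcaster_id=${encodeURIComponent(broadcasterId)}`);
    return json.total;
  }
}

// Constructed stub standing in for Twitch so the example runs offline: it issues tokens,
// rejects unknown/revoked ones with 401, and serves fixed (made-up) user and follower data.
function makeFakeTwitch() {
  let issued = 0;
  const valid = new Set();
  const reply = (status, body) => ({ ok: status >= 200 && status < 300, status, json: async () => body });
  const fetchImpl = async (url, opts = {}) => {
    if (url === TOKEN_URL) {
      issued += 1;
      const t = `app-token-${issued}`;
      valid.add(t);
      return reply(200, { access_token: t, expires_in: 3600, token_type: "bearer" });
    }
    const auth = (opts.headers && opts.headers.Authorization) || "";
    if (!valid.has(auth.replace("Bearer ", ""))) return reply(401, { message: "Invalid OAuth token" });
    if (url.startsWith(USERS_URL)) return reply(200, { data: [{ id: "12345", login: "examplestreamer" }] });
    if (url.startsWith(FOLLOWERS_URL)) return reply(200, { total: 8, data: [], pagination: {} });
    return reply(404, {});
  };
  // revokeAll simulates resetting the client secret: every outstanding token stops working.
  return { fetchImpl, revokeAll: () => valid.clear(), tokensIssued: () => issued };
}

// Link a Twitch login, read the follower count, revoke all tokens, read it again.
async function demo() {
  const fake = makeFakeTwitch();
  const client = new TwitchClient({ clientId: "cid", clientSecret: "secret", fetchImpl: fake.fetchImpl });
  // This is the whole per-user record the database needs: no access or refresh token.
  const userRecord = { username: "alice", twitchUserId: await client.lookupUserId("examplestreamer") };
  const first = await client.followerCount(userRecord.twitchUserId);
  fake.revokeAll();
  const second = await client.followerCount(userRecord.twitchUserId);
  return { userRecord, first, second, tokensIssued: fake.tokensIssued() };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

The stored `User` document carries only `username` and `twitchUserId`; the app token is re-minted transparently after `revokeAll()`, so the second follower-count call succeeds with a second token and nothing in the database had to change.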

Got it. I think that’s what I needed to confirm
Thanks a lot!
