I am having issues following this user guide, Auth0 Express SDK Quickstarts: Login, as it requires being able to store session state in memory.
As I am deploying to the cloud (Google App Engine in this case), it really doesn't play well.
After tonnes of trawling I have found these bits of info
Sadly, it seems to be either old advice or not showing how login without using Lock works. Also, this approach seems to mainly apply to securing APIs and not regular web apps.
Why is it that all the QuickStart guides depend on storing sessions in memory? Am I missing an obvious reason why this doesn't seem to be done?
Does anyone know of a git repo that shows how a regular web app can use a JWT based approach and not in express (/passport) session memory?
That quickstart makes use of express-session to manage the application session after a user logs in through the identity provider (in this case the IdP is the Auth0 service).
You’re correct that the quickstart does not make use of a custom session store and as such it defaults to the session store used by the module when no specific store is provided. This happens to be an in-memory store and as mentioned in the module itself (express-session - npm) this is a store not meant to be used in production.
The reason the in-memory store exists and is used by default, both by the module itself and then by the quickstart, is simplicity. In other words, the quickstart aims at showcasing the handling of the user login, so the session store being used is irrelevant, and it's simpler if it uses one that is available to everyone by default.
Transitioning that sample code to use a production store should also not be difficult as express-session has built-in support for a series of compatible modules that allow you to use a production ready store. See a list of possible stores at (express-session - npm).