discord-oauth2 | A really simple to use module to use discord 's OAuth2 API | OAuth library

I'm trying to set up an oauth2 with discord and keep getting in this error: cannot find module '../utils' its needed for the catchAsync function.

Tutorial that I used: https://medium.com/@orels1/using-discord-oauth2-a-simple-guide-and-an-example-nodejs-app-71a9e032770

How exactly can I fix it now?

I'm new to OAuth2 and I'm trying to understand the whole flow of things. For context, I'm thinking of making a web dashboard where users log in via Discord's OAuth2 API.

This is how I think the flow works based on my understanding so far:

1. User goes to my site and clicks a login link
2. My site redirects them to Discord with my client ID and a redirect URL #1 in the query string
3. Discord redirects them back to my site at redirect URL #1 with an authorisation code in the query string
4. My site takes this authorisation code and along with my client ID, client secret and redirect URL #2, uses all these to fetch an access token and refresh token from Discord
5. If I do get an access token, that means the user is now "logged in" (authorisation code worked)
6. My site finally redirects the user to a page and is now free to send requests to Discord's API with the access token, while saving the access token and refresh token. Just for example, say the page states their Discord username

I'm learning from this guide, and what confuses me is this code snippet from the guide. At line 5, it provides the redirect URL #2 mentioned above, in the query string. I'm not sure what it's for.

Also, I'm not very sure how to continue once I have the access token. If multiple users log in, I'd have multiple access tokens on hand. Say a user wants to access the page again, how do I uniquely identify them and know which access token to use to send requests to Discord's API? (for this example, the request would give me their username which I'd display on the page)

Yeah, I probably got a lot of concepts wrong. Any clarification would be greatly appreciated!

Edit: I've done more research into this, and found a much better guide here.

For my question about the second redirect URL, the examples in the official documentation specify a redirect_uri when doing both an access token and a refresh token exchange. However, this new guide makes do without for their access token exchange. Perhaps they missed it out? As this other stack overflow question says:

As an added measure of security, the server should verify that the redirect URL in this request matches exactly the redirect URL that was included in the initial authorization request for this authorization code. If the redirect URL does not match, the server rejects the request with an error.

I suppose this means that after the first access token exchange, any refresh token exchanges or straight up API requests with access tokens need to match the original redirect_uri of said first access token exchange. So I should use one and only one redirect_uri, and the refresh token exchanges/API requests do not actually use the redirect_uri, rather it's used for further security.

As for the whole login procedure, it seems I have to link the access & refresh tokens I obtain to a user session, and for that I'll look into using this passport strategy, passport-discord. Then, once the session expires, I'll discard the two tokens, and they'll have to click login again, but I can make use of this prompt option:

prompt controls how the authorization flow handles existing authorizations. If a user has previously authorized your application with the requested scopes and prompt is set to consent, it will request them to reapprove their authorisation. If set to none, it will skip the authorization screen and redirect them back to your redirect URI without requesting their authorization.

From there I think I'd just store the new access and refresh tokens associated with that user.

I'd really appreciate if any mistakes in my thought process could be pointed out!

The file structure is

1. LargerProject
   • Discord-OAuth2
     • config <-- don't want anyone to access this
     • static <-- images in here

When I don't include the bottom 2 location rules, my images show up, but my configs are accessible. When I put the following rules (I've tried many variations), my images return with a 404 and my configs return with a 403.