When the call to load the user's profile is made it uses a GET to https://api.github.com/user. By default, the oauth library does not add the Authorization header to GET requests, so the request to /user is unauthenticated. For a busy site, this means you could quickly hit the rate limit and receive 403 responses from GitHub.
This PR configures the oauth class to authenticate GETs.
Additionally, we are experiencing quite a few problems whereby GitHub returns a 200 response from the token exchange but no access_token (the token contains an error attribute, but this is currently not being tested for in passport-oauth2). This is why I've added an additional check in userProfile to ensure that the access_token exists - otherwise oauth sends an "Authorization: Bearer undefined" to GitHub, which leads to further problems.
Use authenticated requests to retrieve the user profile, and fail if no
access token has been supplied
I've merged this and removed the if(!accessToken) check from the user profile function. That should be handled at the source of the problem, with something like your passport-oauth2 patch, but ported over into this module.
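The check discussed in this thread, validating the token-exchange response before any profile request is built, could look like the following. This is an added example, not code from this PR, passport-github or passport-oauth2; the function names are hypothetical and the sample response bodies are constructed.

```javascript
// Added example: hypothetical helpers, not code from passport-github or passport-oauth2.

// Parse a token-exchange body that may be JSON or form-encoded.
function parseTokenResponse(body) {
  try {
    const parsed = JSON.parse(body);
    if (parsed !== null && typeof parsed === 'object') return parsed;
  } catch (e) {
    // Not JSON: fall through to form decoding.
  }
  return Object.fromEntries(new URLSearchParams(body));
}

// Return the access token, or throw when a 200 response carries an error
// attribute or no usable token.
function extractAccessToken(statusCode, body) {
  if (statusCode !== 200) {
    throw new Error('token exchange failed with HTTP ' + statusCode);
  }
  const params = parseTokenResponse(body);
  if (params.error) {
    const err = new Error(params.error_description || String(params.error));
    err.code = String(params.error);
    throw err;
  }
  const token = params.access_token;
  if (typeof token !== 'string' || token.length === 0) {
    const err = new Error('token exchange returned no access_token');
    err.code = 'missing_access_token';
    throw err;
  }
  return token;
}

// Headers for the GET to the profile endpoint; never built from a missing token.
function profileRequestHeaders(statusCode, body) {
  return { Authorization: 'Bearer ' + extractAccessToken(statusCode, body) };
}

// Constructed sample bodies (not captured from GitHub).
const OK_FORM = 'access_token=constructed-token-123&scope=user&token_type=bearer';
const ERR_JSON = '{"error":"bad_verification_code","error_description":"constructed sample"}';
const NO_TOKEN = 'token_type=bearer';

console.log(profileRequestHeaders(200, OK_FORM));
for (const body of [ERR_JSON, NO_TOKEN]) {
  try { profileRequestHeaders(200, body); } catch (e) { console.log('rejected:', e.code); }
}
```

Rejecting the response at the token-exchange step means the profile request is never sent with `Bearer undefined`, which is where the merge comment above says the check belongs.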