Are we expected to call nonceStore.setUsed manually?

[scaleupcto]

...from within provider.validate_request? It might make more sense to call it from within there, i.e. just inside the passed next function for this.nonceStore.isNew in Provider.prototype._valid_oauth

If we're expected to call it from within our own implementation of isNew itself, there's little value in documenting that it must be exposed externally, instead part of the contract of isNew should be that on subsequent calls for the same value it should return false.

[omsmith]

Once again, sorry for the delay.

If you're implementing your own NonceStore, then I suppose at the moment you would be expected to call it, yeah.

It would really make more sense to me to turn the NonceStore class into an abstract implementation, which provides sane defaults, and simply calls the _isSeen and _setUsed implementations of the extended classes.

This is maybe something we can do with a version bump - I had also started putting together a different library which is arranged more in the style I would have used if I initially authored this one (omsmith/node-lti-provider) - we'll see.