From 480473b7c7a4611e2b6772a17f8076330f517cc2 Mon Sep 17 00:00:00 2001
From: Karolis Narkevicius
Date: Thu, 6 Jun 2019 11:36:38 +0100
Subject: [PATCH 1/2] Fix a race condition where browsers redirect before session is persisted
---
 lib/consumer/express.js | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/lib/consumer/express.js b/lib/consumer/express.js
index 959f649c..f3e90562 100644
--- a/lib/consumer/express.js
+++ b/lib/consumer/express.js
@@ -41,7 +41,7 @@ module.exports = function (_config) {
 connect(req, res)
 })
- var transport = (provider, res, session) => (data) => {
+ var transport = (provider, req, res, session) => (data) => {
 if (!provider.callback) {
 res.end(qs.stringify(data))
 }
@@ -50,14 +50,16 @@ module.exports = function (_config) {
 }
 else if (provider.transport === 'session') {
 session.response = data
- res.redirect(provider.callback)
+ req.session.save(() => {
+ res.redirect(provider.callback)
+ })
 }
 }
 function connect (req, res) {
 var session = req.session.grant
 var provider = config.provider(app.config, session)
- var response = transport(provider, res, session)
+ var response = transport(provider, req, res, session)
 if (provider.oauth === 1) {
 oauth1.request(provider)
@@ -86,7 +88,7 @@ module.exports = function (_config) {
 function callback (req, res) {
 var session = req.session.grant || {}
 var provider = config.provider(app.config, session)
- var response = transport(provider, res, session)
+ var response = transport(provider, req, res, session)
 if (provider.oauth === 1) {
 oauth1.access(provider, session.request, req.query)
From 2eb66f42f88de64581f5fed3b30ea5f35209052a Mon Sep 17 00:00:00 2001
From: simov
Date: Sun, 16 Jun 2019 19:22:02 +0300
Subject: [PATCH 2/2] Improve redirect handling for express
---
 lib/consumer/express.js | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/lib/consumer/express.js b/lib/consumer/express.js
index f3e90562..7f056449 100644
--- a/lib/consumer/express.js
+++ b/lib/consumer/express.js
@@ -46,16 +46,19 @@ module.exports = function (_config) {
 res.end(qs.stringify(data))
 }
 else if (!provider.transport || provider.transport === 'querystring') {
- res.redirect(`${provider.callback}?${qs.stringify(data)}`)
+ redirect(req, res, `${provider.callback}?${qs.stringify(data)}`)
 }
 else if (provider.transport === 'session') {
 session.response = data
- req.session.save(() => {
- res.redirect(provider.callback)
- })
+ redirect(req, res, provider.callback)
 }
 }
+ var redirect = (req, res, url) =>
+ typeof req.session.save === 'function'
+ ? req.session.save(() => res.redirect(url))
+ : res.redirect(url)
+
 function connect (req, res) {
 var session = req.session.grant
 var provider = config.provider(app.config, session)
@@ -66,7 +69,7 @@ module.exports = function (_config) {
 .then(({body}) => {
 session.request = body
 oauth1.authorize(provider, body)
- .then((url) => res.redirect(url))
+ .then((url) => redirect(req, res, url))
 .catch(response)
 })
 .catch(response)
@@ -76,7 +79,7 @@ module.exports = function (_config) {
 session.state = provider.state
 session.nonce = provider.nonce
 oauth2.authorize(provider)
- .then((url) => res.redirect(url))
+ .then((url) => redirect(req, res, url))
 .catch(response)
 }
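Review bot: The callback handed to `req.session.save` in the new `redirect` helper ignores its error argument, so the browser is redirected even when the session write failed. The same helper now serves the two `.then((url) => redirect(req, res, url))` calls in `connect`, where the pending write carries `session.request`, `session.state` and `session.nonce`. Because `callback` reads `req.session.grant || {}` (visible in the first patch), a lost write would presumably surface only later as an empty grant session, and how the state comparison behaves in that case is outside these hunks and worth confirming. Consider checking the error before redirecting, for example `? req.session.save((err) => err ? res.status(500).end() : res.redirect(url))`, with the exact failure response left to the project's error conventions. A short comment above the helper would also help, such as `// persist the session before redirecting; session implementations without save() redirect immediately`.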