When you receive an id_token from Swoop, you must verify its signature against your CLIENT_SECRET before trusting any of its claims: verification proves the token was issued for your client and has not been tampered with, and it also rejects expired tokens. Never read claims such as `email` out of a token that has not been verified.

Here is how to validate JWTs in Node.

Install the jsonwebtoken Library

# Installs the jsonwebtoken library used below to verify the Swoop id_token
npm install --save jsonwebtoken

Import The Library

// jwt.verify() is used below to check the Swoop id_token against CLIENT_SECRET
const jwt = require('jsonwebtoken')

Verify The Token

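// Exchange a Swoop id_token (req.body.swoopToken) for a local login session.
// Any verification failure or unknown user redirects to /error; success
// redirects to /account. Must be `async` because User.findOne is awaited.
app.post('/loginWithSwoop', async (req, res) => {
  // Normally CLIENT_SECRET should be stored in an environment variable
  // and accessed via process.env.CLIENT_SECRET
  const secret = 'CLIENT_SECRET';
  let document;

  try {
    // Verify the JWT signature (and standard claims such as `exp`) against
    // the shared secret. Pin the accepted algorithms explicitly: a shared
    // secret means HMAC, and an explicit list does not depend on how the
    // library infers algorithms from the key material, which guards against
    // algorithm confusion if that key material ever changes.
    // NOTE(review): confirm against Swoop's docs which HS* variant is used,
    // and pass `audience` / `issuer` options if Swoop documents them.
    document = jwt.verify(req.body.swoopToken, secret, { algorithms: ['HS256'] });
  } catch (e) {
    // Return here: without it execution falls through to `document.email`
    // on an undefined value and then attempts a second redirect.
    return res.redirect('/error');
  }

  // Look up your user
  const user = await User.findOne({ email: document.email });
  if (!user) {
    // A valid token for an email we do not know must not produce a session
    // with a null user. Adjust this branch if your app provisions users here.
    return res.redirect('/error');
  }

  // "Login" your user. If your session store supports it, regenerate the
  // session id at this point (e.g. express-session's req.session.regenerate)
  // so a session id fixed before login does not carry into the logged-in session.
  req.session.user = user;
  // Redirect to their account
  res.redirect('/account');
})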