Fairly sure that passport strategy is out of date for changes made to how Twitch Auth works, but I could be wrong; I don’t use it myself.
The docs cover how to perform authentication.
It doesn’t give an opinion on how to session manage or which language to use. (Passport Twitch provides an opinion.)
Twitch Auth uses “standard” OAuth that you would find on many sites that authenticate via a third party.
State normally acts as a nonce, a “single use” session token to prevent CSRF attacks.
As per this (after a Google for “passportjs get user from session”):
The user is in res.user.
Sure, it’s one approach.
A common misread of the documentation/lack of understanding of OAuth.
Step 1) Perform a GET redirect (not a POST redirect) to Twitch.
Step 2) Check if a code is present in the question string after returning to your callback.
Step 3) Perform a server to server POST request to exchange the code for an access token.
Finally, I checked: the default install for passport-twitch is an unmaintained version. A more up-to-date version is here,
which itself hasn’t been updated since March last year.
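The three steps in the post, with the state used as a single-use CSRF token, sketched as an added example (not code from the post or from passport-twitch). The client ID, secret, redirect URI and the plain-object `session` are placeholders assumed here; the endpoints are Twitch's `id.twitch.tv` OAuth URLs.

```javascript
const { randomBytes, timingSafeEqual } = require('crypto');

// Placeholders (assumptions): replace with your own application's values.
const CLIENT_ID = 'YOUR_CLIENT_ID';
const CLIENT_SECRET = 'YOUR_CLIENT_SECRET';
const REDIRECT_URI = 'https://example.com/auth/callback';

// Step 1: build the URL for the GET redirect and store a fresh random
// state in the user's server-side session (a plain object here).
function beginLogin(session, scopes = []) {
  session.oauthState = randomBytes(16).toString('hex');
  const url = new URL('https://id.twitch.tv/oauth2/authorize');
  url.search = new URLSearchParams({
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    response_type: 'code',
    scope: scopes.join(' '),
    state: session.oauthState,
  }).toString();
  return url.toString();
}

// Step 2: on the callback, require a state that matches the session and a
// code. The stored state is deleted on first use, so a replay is rejected.
function readCallback(session, callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  const want = Buffer.from(session.oauthState || '');
  delete session.oauthState;
  const got = Buffer.from(params.get('state') || '');
  if (want.length === 0 || got.length !== want.length ||
      !timingSafeEqual(got, want)) {
    throw new Error('state mismatch');
  }
  const code = params.get('code');
  if (!code) throw new Error(params.get('error') || 'no code returned');
  return code;
}

// Step 3: describe the server-to-server POST that exchanges the code.
function tokenRequest(code) {
  return {
    url: 'https://id.twitch.tv/oauth2/token',
    method: 'POST',
    body: new URLSearchParams({
      client_id: CLIENT_ID, client_secret: CLIENT_SECRET, code,
      grant_type: 'authorization_code', redirect_uri: REDIRECT_URI,
    }),
  };
}
```

The object returned by `tokenRequest` can be passed to any HTTP client on the server; the client secret must never reach the browser.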