Tags: node.js, oauth-2.0, passport.js, passport-facebook, passport-google-oauth

What does enableProof do in Passport.js OAuth 2.0? Does it enable PKCE?


I want to implement OAuth 2.0, but after reading about OAuth 2.0 it is my understanding that it should use the Authorization Code grant type and should also use PKCE. I am using Passport.js to implement OAuth 2.0, but at the same time I don't want any kind of security issues or security holes. I know that Passport.js uses the default Authorization Code grant flow, but I also want to implement PKCE with it. Passport mentions enableProof: true in their documentation. Does this enable PKCE?


Solution

  • enableProof has nothing to do with PKCE. PKCE is a security measure used while performing the OAuth authentication. The OAuth authentication results in an access token. You use that access token to perform API requests. enableProof turns on appsecret_proof, which is another security measure, used after you get your access token, to make it impossible for someone to make API calls on your behalf with only the access token. The appsecret_proof parameter is added to each API call when enableProof is set to true.

    Since access tokens are portable, it's possible to steal the token from a client and make calls on behalf of that client. An access token can also be stolen by malicious software on a person's computer or by a man-in-the-middle attack.

    You can prevent this by adding the appsecret_proof parameter to every API call from a server and enabling the setting to require proof on all calls. The app secret proof is a sha256 hash of your access token, using the app secret as the key. All of this is handled by Passport.js if you set enableProof to true.

    Passport.js's native oauth2 package also supports PKCE with the option pkce set to true. If you use the passport-facebook package, which depends on the native package, you can use that setting too. So just add this to your configuration:

    state: true,
    pkce: true
    

    And you should be golden. You can even add enableProof: true for extra security after authentication.