I have an API that can be called either using a browser, where requests are transactional and have a session, OR directly, e.g. using curl, where requests are atomic. Browser reque
Looks like you need to write your own session middleware. Here's an example. If you can create a separate subdomain, say, www.example.com for browser sessions and app.example.com for accessing it directly, then you should be able to use the linked method almost exactly, and just don't start the session for app.example.com requests. That may be the most direct method whereby the call indicates the method it intends to authenticate by, and any diversion from that is an error.
Otherwise, you'll have to detect the authentication token in the middleware and not start the session when you find it.
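As an added illustration (not part of the original answer or the example it linked), here is a framework-neutral Python WSGI middleware that applies both checks: no session on app.example.com, and no session when a bearer token is present, with a mismatch treated as an error. The cookie name, the in-memory store, the `demo.session` key, `demo_app` and `probe` are assumptions made for the example.

```python
import secrets
from http.cookies import SimpleCookie
BROWSER_HOST = "www.example.com"  # session-backed browser traffic (from the answer)
API_HOST = "app.example.com"      # stateless direct calls (from the answer)
COOKIE = "sid"                    # assumed session cookie name

class ConditionalSession:
    """WSGI middleware: start a session only for tokenless browser-host requests."""
    def __init__(self, app):
        self.app, self.store = app, {}  # in-memory store, demo only
    def __call__(self, environ, start_response):
        host = environ.get("HTTP_HOST", "").split(":")[0].lower()
        has_token = environ.get("HTTP_AUTHORIZATION", "").startswith("Bearer ")
        jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        sid = jar[COOKIE].value if COOKIE in jar else None
        if host == API_HOST and sid is None:
            # Stateless path: no session, no Set-Cookie; the app validates the token.
            return self.app(environ, start_response)
        if host != BROWSER_HOST or has_token:
            # Mixed signals (cookie on API host, token on browser host) or unknown host.
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"authentication method does not match host\n"]
        new = sid not in self.store
        if new:  # never adopt a client-chosen id; always mint a fresh one
            sid = secrets.token_urlsafe(32)
            self.store[sid] = {}
        environ["demo.session"] = self.store[sid]
        def with_cookie(status, headers, exc_info=None):
            if new:
                attrs = "; HttpOnly; Secure; SameSite=Lax; Path=/"
                headers = headers + [("Set-Cookie", f"{COOKIE}={sid}{attrs}")]
            return start_response(status, headers, exc_info)
        return self.app(environ, with_cookie)

def demo_app(environ, start_response):  # constructed inner app for the demo
    has = "yes" if "demo.session" in environ else "no"
    start_response("200 OK", [("X-Session", has)])
    return [b"ok\n"]

def probe(mw, host, token=None, cookie=None):
    """Send one constructed request through mw; return (status, headers dict)."""
    environ = {"HTTP_HOST": host, "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if token:
        environ["HTTP_AUTHORIZATION"] = "Bearer " + token
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    seen = {}
    mw(environ, lambda s, h, e=None: seen.update(status=s, headers=dict(h)))
    return seen["status"], seen["headers"]
```

Because the stateless path never touches the store or emits `Set-Cookie`, direct calls cannot accumulate server-side session state, and an unknown session id presented on the browser host is replaced rather than adopted.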