Description
I am using this passport strategy on a serverless platform with the authentication code flow, and to improve security I was considering using the PKCE flow extension. As several issues and the project itself suggest, these options are not documented.
However, by reading the code I can see that I seem to be able to add `pkce: true` in the `options` object; however, the strategy constructor complains that "OAuth2Strategy requires state: true option when PKCE is enabled". So naturally I am inclined to also add the undocumented (#28) `state` option, but as far as I can tell, i.e. as its name suggests, or as the unmerged PR !93 suggests, this would need to store a state on the server between authorization start and callback.
Since I cannot make sure which server, holding different states, gets the callback by design in a serverless environment, this implies that PKCE is not supported in serverless environments?