Why do the oauth clients persist users' credentials? #3349
cotyhamilton started this conversation in General Discussion
Replies: 1 comment
I looked over the browser client and see it uses IndexedDB, and both the node and browser clients inherit the base oauth client, which seems to expect some database store for user credentials. The browser client seems so much more secure than saving everyone's credentials myself?
I'm working on implementing oauth, but the oauth clients require implementing session stores for user sessions, which contain the users' access and refresh tokens.
Here's the example from the atproto doc site:
https://github.com/bluesky-social/statusphere-example-app/blob/main/src/auth/storage.ts (saves to a database)
and here's the one from the node client:
https://github.com/bluesky-social/atproto/blob/main/packages/oauth/oauth-client-node/README.md (implies saving to a database)
I'd rather save these credentials in the user's cookies, but the NodeSavedSessionStore interface doesn't really allow for this unless I implement another global state for passing data around during the lifecycle of a request (like the current web request or cookie objects). As it is currently with the session store, it's super easy to mess this all up and grant anyone access to any other currently authenticated user (like, just saving a cookie with the DID of another user who is also logged in...).
It would be cool if there was a mechanism to support saving user credentials in cookies instead of databases; it would also remove a network call or two per request.