Getting oauth provider access token for use outside of lucia

[ohmree]

I'm using sveltekit, prisma, the twitch provider and @twurple/{auth,api} (to make twitch api calls on behalf of the user).

I think a good start would be to stick a twurple RefreshingAuthProvider on event.locals in my handle function, this is an object that can be initialized once and have tokens added to it at runtime.

The tokens should probably come from the return value of the twitch provider's validateCallback (in fact I've managed to feed this object into twurple with a bit of transformation), but since event.locals isn't persisted across requests I think I'll need to persist the tokens somewhere after calling validateCallback then in handle I can authenticate the twurple client if the persisted token is populated.

The part I'm struggling with is where exactly to store the tokens.
From what I understand storing sensitive data on my AuthUser is a no-no.
Should I put them in a separate prisma model with a relation to the AuthUser? or to the AuthSession? Or maybe the AuthKey?

[pilcrowonpaper]

You can store any data in AuthUser, but you have to make sure you're not sending the user object to the client (via a load function). I recommend storing it in a separate table.