You can, but there are some nuances:
- you don't always need the web version, sometimes you only need data. In this case, the use of cookies is not a very pleasant thing, especially if it is not sharpened for this (and most things are not sharpened))
- when the fronter wants to test the front under different accounts, having only social. authorization, he will strongly want some kind of token authorization)
- for the server socket, if implemented correctly, the user is not needed, only his reliable id. I don’t know how oauth (passport) is, but jwt can definitely provide it without an extra overhead
. Otherwise, cookies are just as good an option, and even better if you don’t need external authorization (authorization using your product)

Better through passport. After the spa, you will want a mobile application, and it is better to work with it through tokens.