The middleware used for authentication in Node is Passport. It is designed to serve a singular purpose: authenticate requests. Normally users log in by providing a username and password. But today using an OAuth provider (such as Facebook or Twitter), it has become a popular authentication method.

Here, we use Passport for local authentication with a MongoDB database.

Topic Covered

  • How to use Passport
    • Authenticate
    • Configure
  • Example of Passport

Install it by using npm:

// Installing package locally 
$npm install passport


An authenticating request is made by calling passport.authenticate() function and specifying which strategy to use.'/login',
  passport.authenticate('local'),// for local strategy
  function(req, res) {
   // When authentication was successful this function get called.
   // `req.user` contains the authenticated user.
  res.redirect('/users/' + req.user.username);

After authenticating a request, it will redirect to the following page:'/login',
  passport.authenticate('local', { successRedirect: '/',
                                   failureRedirect: '/login' 

The user will be redirected to the homepage if authentication is successful. Otherwise, the user will be redirected back to the login page.

Flash Messages

Flash messages can be used with redirects in order to display status information to the user.'/login',
  passport.authenticate('local', { successRedirect: '/',
                                   failureRedirect: '/login',
                                   failureFlash: true ,
                                   successFlash: 'Welcome!'


To use Passport for authentication we have to configure:

  • Authentication strategies
  • Application middleware
  • Session
Authentication  Strategies

To authenticate requests strategies are used in the passport. Strategies range from verifying a username and password, or using OAuth or using OpenID. The strategy must be configured before an authenticated request is made by passport. The use() function are used to supply strategies and their configuration. Following uses the LocalStrategy for username/password authentication.

var passport = require('passport');
var LocalStrategy = require('passport-local').Strategy;

passport.use(new LocalStrategy(
  function(username, password, done) {
    User.findOne({ username: username }, function (err, user) {
      if (err) { return done(err); }
      if (!user) {
        return done(null, false, { message: 'Incorrect username.' });
      if (!user.validPassword(password)) {
        return done(null, false, { message: 'Incorrect password.' });
      return done(null, user);
Verify Callback

Authentication strategies use a verify callback function, to find the user that possesses a set of parameters. When Passport authenticates a request, it parses the parameters contained in the request. It then invokes the verify callback function with those parameters (username and password) as arguments. If the parameters are valid, done should be invoked to supply Passport to the user that authenticated.

return done(null, user);

If the parameters are not valid, done should be invoked with false instead of a user to indicate an authentication failure.

return done(null, false);

If an exception occurred while verifying the parameters, done should be invoked with an error, in conventional node style.

return done(err);
Application  Middleware

In a Express passport.initialize( ) middleware is required to initialize Passport. passport.session( ) middleware must be used if application uses persistent login sessions.

var session = require("express-session");
var  bodyParser = require("body-parser");

app.use(session({ secret: "mysecret" }));
app.use(bodyParser.urlencoded({ extended: false }));

The parameter used to authenticate a user can only be transmitted during the login request. If the authentication succeeds, a session will be established and maintained via a cookie set in the user’s browser.
Each subsequent request will not contain parameters, but rather the unique cookie that identifies the session. To support login sessions, Passport will serialize and deserialize user instances to and from the session.

passport.serializeUser(function(user, done) {

passport.deserializeUser(function(id, done) {
  User.findById(id, function(err, user) {
    done(err, user);


Passport Authentication with local strategy:

First, install the following  npm module in root folder 

npm install express --save
npm install express-session --save
npm install connect-mongo --save
npm install body-parser --save
npm install passport --save
npm install passport-local --save
npm install mongoose --save

Create a login form in a file called  login.html  in the root folder of application

<!--                                 login.html                             -->
<!DOCTYPE html>
<html lang="en">

 <meta charset="UTF-8">
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
 <meta http-equiv="X-UA-Compatible" content="ie=edge">
<!-- login.html-->
 <form action="/" method="post">
     <input type="text" name="username" />
     <input type="password" name="password" />
     <input type="submit" value="Submit" />

Create a file  app.js  in the root folder of the application,

                                                 /* app.js */
//  For Express  
const express = require('express');
const app = express();
var session = require('express-session');

const bodyParser = require('body-parser');
app.use(bodyParser.urlencoded({ extended: true }));

const mongoose = require('mongoose');
var db = mongoose.connection;
const Schema = mongoose.Schema;
const userinfo = new Schema({
  username: String,
  password: String
const usersinfos = mongoose.model('users', userinfo, 'users');
var MongoStore = require('connect-mongo')(session);
app.get('/', (req, res) => res.sendFile('login.html', { root: __dirname }));

//  For Passport  
const passport = require('passport');
  secret: 'secretsshh',
  resave: true,
  saveUninitialized: false,
  store: new MongoStore({
    mongooseConnection: db

app.get('/success', (req, res) => res.send("Welcome " + req.query.username + "!!" + "<a href='/logout'>logout</a>"));
app.get('/error', (req, res) => res.send("error logging in"));

passport.serializeUser(function (user, cb) {

passport.deserializeUser(function (id, cb) {
 userinfos.findById(id, function (err, user) {
    cb(err, user);

// For Passport Local Authentication
const LocalStrategy = require('passport-local').Strategy;
passport.use(new LocalStrategy(
  function (username, password, done) {
      username: username
    }, function (err, user) {
      if (err) {
        return done(err);
      if (!user) {
        return done(null, false);
      if (user.password != password) {
        return done(null, false);
      return done(null, user);
  passport.authenticate('local', { failureRedirect: '/error' }),
  function (req, res) {
    res.redirect('/success?username=' + req.user.username);

app.get('/logout', function (req, res, next) {
  if (req.session) {
    // For Delete Session Object
    req.session.destroy(function (err) {
      if (err) {
        return next(err);
      } else {
        return res.redirect('/');

app.listen(8080, function () {
  console.log('App listening on port 8080')

The serializeUser() function serializes the user instance with the information we pass to it and store it in the session via a cookie. The deserializeUser() invoked every subsequent request to deserialize the instance, providing it with the unique cookie identifier as a “credential”.

We require the passport–local strategy. Then we tell Passport to use an instance of the LocalStrategy we required. There we find a record based on the username. If a record is found and the password matches, the above code returns the user object. Otherwise, it returns false.

In strategy implementation, with the authenticate method which attempts to authenticate with the given strategy on its first parameter local. It will redirect to /error if it fails. Otherwise, redirect to the /success route, sending the username as a parameter.

First, create database passportDB and create collection users with username and password as a field and insert a record with  user1 as username  and  userpass as a password  in MongoDB.

start server with the command
node app.js
now point the browser to:


and login with user1 as username and userpass as a password.

Get More Knowledge: