Generated on Dec 20, 2023 via pnpm

passport 0.1.9

Simple, unobtrusive authentication for Node.js.
Package summary

Issues: 0
Licenses: 0
Package created: 8 Oct 2011
Version published: 29 May 2012
Maintainers: 1
Total deps: 0
Direct deps: 0
License: UNKNOWN

Issues

0
This package has no issues

Frequently Asked Questions

What does passport do?

Passport is Express-compatible authentication middleware for Node.js with a single purpose: authenticating requests. It does this through a set of extensible plugins known as strategies. Passport does not mount any routes or assume any particular database schema, which leaves application-level decisions to the developer. The interface between Passport and an application is straightforward: the application provides a request for Passport to authenticate, and Passport provides hooks to control what happens when authentication succeeds or fails.

How do you use passport?

To use Passport, start by installing the npm package:

$ npm install passport

Once installed, the authentication strategies that an application is going to use must be configured. Passport's strategies range from verifying username and password credentials, to delegated authentication with OAuth (such as through Facebook or Twitter), to federated authentication using OpenID. Here's an example of a LocalStrategy, which verifies username and password credentials:

var passport = require('passport');
var LocalStrategy = require('passport-local').Strategy;
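// Assumption: User is the application's own user model (the module path here is hypothetical).
// It must provide findOne(), findById() and a verifyPassword() method on user records.
var User = require('./models/user');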

passport.use(new LocalStrategy(
  function(username, password, done) {
    User.findOne({ username: username }, function (err, user) {
      if (err) { return done(err); }
      if (!user) { return done(null, false); }
      if (!user.verifyPassword(password)) { return done(null, false); }
      return done(null, user);
    });
  }
));

Passport can maintain persistent login sessions. For that to work, the authenticated user must be serialized to the session, and deserialized when subsequent requests are made. Passport does not mandate how your user records are stored; instead, you provide functions to Passport that implement the necessary serialization and deserialization logic. This is what that typically looks like:

passport.serializeUser(function(user, done) {
  done(null, user.id);
});

passport.deserializeUser(function(id, done) {
  User.findById(id, function (err, user) {
    done(err, user);
  });
});

To use Passport in an Express or Connect-based application, you need to configure it with the required passport.initialize() middleware. If your application uses persistent login sessions (recommended, but not required), passport.session() middleware must also be used:

var app = require('express')();
app.use(require('cookie-parser')());
app.use(require('body-parser').urlencoded({ extended: true }));
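// 'keyboard cat' is a placeholder: in a real deployment, load a long random secret
// from configuration rather than committing it to source code.
app.use(require('express-session')({ secret: 'keyboard cat', resave: true, saveUninitialized: true }));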
app.use(passport.initialize());
app.use(passport.session());

After that, you can use Passport's authenticate() function as route middleware to authenticate requests:

app.post('/login', 
  passport.authenticate('local', { failureRedirect: '/login' }),
  function(req, res) {
    res.redirect('/');
  }
);
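
The LocalStrategy callback above calls user.verifyPassword(password), which the page does not show. As an added example (not Passport's code and not part of the original page), the verify callback below implements that check with Node's built-in crypto.scrypt and a constant-time comparison; the in-memory user store and the names hashPassword, verifyPassword and verify are assumptions.

```javascript
// Added example: a verify callback with the (username, password, done) shape
// that LocalStrategy expects. All names and data here are hypothetical.
const crypto = require('crypto');

const KEY_LEN = 64;

// Derive a salted scrypt hash; store the salt and hash, never the password.
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const hash = crypto.scryptSync(password, salt, KEY_LEN);
  return { salt: salt.toString('hex'), hash: hash.toString('hex') };
}

// Recompute the hash for the candidate password and compare in constant time.
function verifyPassword(record, password) {
  const expected = Buffer.from(record.hash, 'hex');
  // A truncated or corrupt stored hash must fail closed, not compare as equal.
  if (expected.length !== KEY_LEN) { return false; }
  const actual = crypto.scryptSync(password, Buffer.from(record.salt, 'hex'), KEY_LEN);
  return crypto.timingSafeEqual(actual, expected);
}

// Constructed sample data standing in for the application's user collection.
const users = new Map([
  ['alice', Object.assign({ id: 1, username: 'alice' }, hashPassword('correct horse'))],
]);

// Dummy record so an unknown username costs the same scrypt work as a known one.
const DUMMY = hashPassword(crypto.randomBytes(16).toString('hex'));

function verify(username, password, done) {
  try {
    // Parsed request bodies can contain objects or arrays; accept strings only.
    if (typeof username !== 'string' || typeof password !== 'string') {
      return done(null, false);
    }
    const user = users.get(username);
    const ok = verifyPassword(user || DUMMY, password);
    if (!user || !ok) { return done(null, false); }
    // Hand Passport only what the session needs, not the stored hash.
    return done(null, { id: user.id, username: user.username });
  } catch (err) {
    return done(err);
  }
}
```

It would be registered the same way as the callback above, with passport.use(new LocalStrategy(verify)).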

Where are the passport docs?

The documentation for Passport is available on its official website at passportjs.org. It offers a detailed guide on how to use and implement Passport, along with a comprehensive list of the available authentication strategies. It also provides a Strategy Search to help you find the strategies that best suit the needs of your application.