How to Use Passport.js in Express for Authentication
To use passport.js in Express, first install Passport and a strategy like passport-local. Then initialize Passport middleware in your Express app, configure a strategy, and set up routes to handle login and session management.
Syntax
Here is the basic syntax to set up Passport.js in an Express app:
- Import Passport and strategy: Load Passport and the authentication strategy you want.
- Initialize Passport: Use app.use(passport.initialize()) and app.use(passport.session()) for session support.
- Configure strategy: Define how Passport verifies user credentials.
- Serialize/Deserialize: Manage user data in sessions.
- Use in routes: Protect routes or handle login with passport.authenticate().
```javascript
import express from 'express';
import session from 'express-session';
import passport from 'passport';
import { Strategy as LocalStrategy } from 'passport-local';

const app = express();

app.use(express.urlencoded({ extended: false }));
// Session middleware must be registered before passport.session().
// Use a long random secret loaded from configuration, not a literal, in production.
app.use(session({ secret: 'secret', resave: false, saveUninitialized: false }));
app.use(passport.initialize());
app.use(passport.session());

passport.use(new LocalStrategy(
  function(username, password, done) {
    // Verify username and password here, then call
    // done(null, user) on success or done(null, false) on failure.
  }
));

passport.serializeUser(function(user, done) {
  done(null, user.id);
});

passport.deserializeUser(function(id, done) {
  // Find user by id, then call done(null, user), or done(null, false) if not found.
});

app.post('/login', passport.authenticate('local', {
  successRedirect: '/dashboard',
  failureRedirect: '/login'
}));
```
Example
This example shows a simple Express app using Passport.js with the local strategy to authenticate a hardcoded user. It demonstrates login handling, session management, and a protected route.
```javascript
import express from 'express';
import session from 'express-session';
import passport from 'passport';
import { Strategy as LocalStrategy } from 'passport-local';

const app = express();
const PORT = 3000;

// Hardcoded user for demo
const user = { id: 1, username: 'user', password: 'pass' };

app.use(express.urlencoded({ extended: false }));
app.use(session({ secret: 'secret', resave: false, saveUninitialized: false }));
app.use(passport.initialize());
app.use(passport.session());

passport.use(new LocalStrategy((username, password, done) => {
  if (username === user.username && password === user.password) {
    return done(null, user);
  } else {
    return done(null, false, { message: 'Incorrect credentials.' });
  }
}));

passport.serializeUser((user, done) => {
  done(null, user.id);
});

passport.deserializeUser((id, done) => {
  if (id === user.id) {
    done(null, user);
  } else {
    done(new Error('User not found'));
  }
});

// Login route
app.post('/login', passport.authenticate('local', {
  successRedirect: '/dashboard',
  failureRedirect: '/login'
}));

// Middleware to protect routes
function ensureAuthenticated(req, res, next) {
  if (req.isAuthenticated()) {
    return next();
  }
  res.redirect('/login');
}

// Protected route
app.get('/dashboard', ensureAuthenticated, (req, res) => {
  res.send(`Hello, ${req.user.username}! Welcome to your dashboard.`);
});

// Simple login form
app.get('/login', (req, res) => {
  res.send('<form method="post" action="/login">\n <input name="username" placeholder="Username"/>\n <input name="password" type="password" placeholder="Password"/>\n <button type="submit">Login</button>\n</form>');
});

app.listen(PORT, () => {
  console.log(`Server running on http://localhost:${PORT}`);
});
```
Output
Server running on http://localhost:3000
// When visiting /login, user sees a login form.
// On successful login with username 'user' and password 'pass', user is redirected to /dashboard showing a welcome message.
Common Pitfalls
- Not initializing Passport middleware: Forgetting app.use(passport.initialize()) and app.use(passport.session()) breaks authentication.
- Missing session setup: Passport needs sessions to remember logged-in users; forgetting express-session causes errors.
- Incorrect serialize/deserialize: These must correctly save and retrieve user info for sessions.
- Not parsing request body: Without express.urlencoded(), login form data won't be read.
- Using wrong strategy name: The string in passport.authenticate('local') must match the strategy name.
```javascript
/* Wrong: Missing session and passport.session() */
import express from 'express';
import passport from 'passport';
import { Strategy as LocalStrategy } from 'passport-local';

const app = express();
app.use(express.urlencoded({ extended: false }));
app.use(passport.initialize());
passport.use(new LocalStrategy((u, p, done) => done(null, { id: 1, username: u })));
app.post('/login', passport.authenticate('local', { successRedirect: '/', failureRedirect: '/login' }));

/* Right: Add session and passport.session(), in this order and before the routes */
import session from 'express-session';

app.use(express.urlencoded({ extended: false }));
app.use(session({ secret: 'secret', resave: false, saveUninitialized: false }));
app.use(passport.initialize());
app.use(passport.session()); // must come after express-session
passport.use(new LocalStrategy((u, p, done) => done(null, { id: 1, username: u })));
// passport.session() also needs serialize/deserialize callbacks to store the user
passport.serializeUser((user, done) => done(null, user.id));
passport.deserializeUser((id, done) => done(null, { id, username: 'user' }));
app.post('/login', passport.authenticate('local', { successRedirect: '/', failureRedirect: '/login' }));
```
Quick Reference
Remember these key points when using Passport.js with Express:
- Install passport and a strategy like passport-local.
- Use express-session to enable sessions.
- Initialize Passport with app.use(passport.initialize()) and app.use(passport.session()).
- Define serializeUser and deserializeUser to manage user sessions.
- Protect routes by checking req.isAuthenticated().
- Use passport.authenticate() in login routes.
Key Takeaways
Always initialize Passport and session middleware in your Express app.
Configure serializeUser and deserializeUser to manage user sessions correctly.
Use passport.authenticate() in routes to handle login and protect pages.
Parse form data with express.urlencoded() before authentication.
Test your strategy logic carefully to avoid login failures.