Overview - Local strategy (username/password)

What is it?

Local strategy (username/password) is a way to check if a user is who they say they are by asking for their username and password. It is a method used in NestJS to handle user login by verifying these credentials. When a user tries to log in, the system compares the entered username and password with stored data. If they match, the user is allowed access.

Why it matters

Without local strategy, applications would not have a simple, secure way to verify users before giving access to private information or features. This could lead to unauthorized access and security risks. Local strategy solves the problem of identifying users safely and efficiently, which is essential for protecting user data and providing personalized experiences.

Where it fits

Before learning local strategy, you should understand basic NestJS concepts like modules, controllers, and services. You should also know about authentication basics and how middleware works. After mastering local strategy, you can learn about more advanced authentication methods like JWT (JSON Web Tokens) or OAuth for token-based and third-party logins.

Mental Model

Core Idea

Local strategy is a gatekeeper that checks your username and password to decide if you can enter the app.

Think of it like...

It's like a security guard at a building entrance who asks for your ID and password before letting you inside.

┌───────────────┐
│ User enters   │
│ username &    │
│ password      │
└──────┬────────┘
       │
       ▼
┌───────────────┐
│ Local Strategy│
│ verifies info │
└──────┬────────┘
       │
  Yes  │  No
┌──────▼─────┐  ┌─────────────┐
│ Access     │  │ Access      │
│ granted    │  │ denied      │
└───────────┘  └─────────────┘

Build-Up - 7 Steps

1

FoundationUnderstanding Authentication Basics

Concept: Learn what authentication means and why it is important in apps.

Authentication is the process of checking who a user is. It usually involves asking for something the user knows (like a password) or has (like a phone). This step is important to keep data safe and give users access to their own information.

Result

You understand why apps ask for usernames and passwords before letting users in.

Knowing what authentication is helps you see why local strategy exists and what problem it solves.

2

FoundationBasics of NestJS Authentication Module

3

IntermediateImplementing Local Strategy Class

4

IntermediateConnecting Local Strategy with Auth Guard

5

IntermediateHandling User Validation and Errors

6

AdvancedSecuring Passwords with Hashing

7

ExpertCustomizing Local Strategy for Production

Under the Hood

Local strategy works by intercepting login requests and extracting username and password. It then calls a validation function that checks these credentials against stored user data, often in a database. If valid, it returns user details; if not, it throws an error. This process integrates with Passport.js middleware, which manages the authentication flow and session handling.

Why designed this way?

Local strategy was designed to separate credential checking from other authentication concerns, making it modular and reusable. Using Passport.js as a base allows NestJS to support many authentication methods with a consistent interface. This design keeps code clean, testable, and easy to extend.

┌───────────────┐
│ Login Request │
└──────┬────────┘
       │
       ▼
┌───────────────┐
│ Passport.js   │
│ Middleware    │
└──────┬────────┘
       │
       ▼
┌───────────────┐
│ Local Strategy│
│ validate()    │
└──────┬────────┘
       │
       ▼
┌───────────────┐
│ User Service  │
│ checks DB     │
└──────┬────────┘
       │
  Valid│Invalid
┌──────▼─────┐  ┌─────────────┐
│ Return     │  │ Throw       │
│ User Info  │  │ Unauthorized│
└───────────┘  └─────────────┘

Myth Busters - 4 Common Misconceptions

Quick: Does local strategy store passwords in plain text? Commit to yes or no.

Common Belief:Local strategy stores and compares passwords as plain text for simplicity.

Tap to reveal reality

Quick: Does local strategy automatically create user sessions? Commit to yes or no.

Common Belief:Local strategy handles user sessions and keeps users logged in automatically.

Tap to reveal reality

Quick: Can local strategy be used for social logins like Google? Commit to yes or no.

Common Belief:Local strategy works for all login types including social logins like Google or Facebook.

Tap to reveal reality

Quick: Does validate() returning null reject login? Commit to yes or no.

Common Belief:Returning null from validate() is enough to reject a login attempt.

Tap to reveal reality

Expert Zone

1

Local strategy's validate() method runs inside Passport's middleware, so throwing exceptions triggers NestJS's built-in error handling automatically.

2

The order of applying guards and middleware affects how local strategy interacts with sessions and other authentication layers.

3

Customizing the username field (e.g., using email instead) requires overriding default options in the local strategy constructor.

When NOT to use

Local strategy is not suitable when you want token-based stateless authentication like JWT or when integrating third-party logins (OAuth). In those cases, use JWT strategy or OAuth strategies instead.

Production Patterns

In production, local strategy is often combined with session management and password hashing libraries like bcrypt. It is also extended with rate limiting, account lockout, and multi-factor authentication to enhance security.

Connections

JWT Authentication

Builds-on local strategy by using verified user info to create tokens.

Understanding local strategy helps grasp how user identity is first verified before issuing tokens in JWT flows.

OAuth 2.0

Alternative authentication method using third-party providers instead of username/password.

Knowing local strategy clarifies why OAuth requires different handling and strategies for login.

Human Identity Verification

Shares the core idea of proving identity through secret knowledge or credentials.

Recognizing authentication as identity proof connects software login to everyday security practices like ID checks.

Common Pitfalls

#1Not hashing passwords before storing and comparing.

Wrong approach:const user = await this.userService.findOne(username); if (user.password === password) { return user; }

Correct approach:const user = await this.userService.findOne(username); const isMatch = await bcrypt.compare(password, user.password); if (isMatch) { return user; }

Root cause:Misunderstanding that passwords must be protected and not stored or compared as plain text.

#2Returning null instead of throwing error on invalid credentials.

Wrong approach:async validate(username: string, password: string) { const user = await this.userService.validateUser(username, password); if (!user) { return null; } return user; }

Correct approach:async validate(username: string, password: string) { const user = await this.userService.validateUser(username, password); if (!user) { throw new UnauthorizedException(); } return user; }

Root cause:Not knowing that throwing exceptions is required to stop authentication flow properly.

#3Applying AuthGuard without specifying 'local' strategy.

Wrong approach:@UseGuards(AuthGuard()) async login() { ... }

Correct approach:@UseGuards(AuthGuard('local')) async login() { ... }

Root cause:Assuming default AuthGuard uses local strategy without explicit naming.

Key Takeaways

Local strategy in NestJS verifies users by checking their username and password during login.

It uses Passport.js middleware and a validate() method to separate credential checking from other logic.

Passwords must always be hashed before storing and compared securely to protect user data.

AuthGuard('local') applies the local strategy to routes, controlling access based on login success.

Advanced production use involves extending local strategy with extra security features like multi-factor authentication.