Simple, unobtrusive authentication for Node.js.
Passport is authentication middleware for Node.js that provides a standardized way to handle user authentication in web applications. Unlike monolithic auth solutions, Passport uses a strategy-based architecture where each authentication mechanism (username/password, OAuth, JWT, etc.) is implemented as a separate pluggable module. This design allows developers to integrate multiple authentication methods without rewriting core logic or being locked into specific database schemas.
The package focuses exclusively on authentication—verifying who a user is—without imposing opinions on authorization, database structure, or routing. It integrates seamlessly with Express applications through middleware hooks that control authentication flow and maintain persistent login sessions. Passport serializes minimal user data (typically just an ID) into the session, then deserializes it on subsequent requests to retrieve the full user object.
With over 500 authentication strategies available in the ecosystem and 5.7 million weekly downloads, Passport has become the de facto standard for Node.js authentication. It's used across startups and enterprises alike for handling everything from simple local username/password authentication to complex multi-provider OAuth flows. The library's unopinionated design makes it suitable for REST APIs, server-rendered applications, and hybrid architectures.
const express = require('express');
const session = require('express-session');
const passport = require('passport');
const LocalStrategy = require('passport-local').Strategy;
const bcrypt = require('bcrypt');
const app = express();
// Mock user database
const users = [
{ id: 1, username: 'alice', passwordHash: '$2b$10$YourHashedPasswordHere' }
];
// Configure local strategy
passport.use(new LocalStrategy(
async (username, password, done) => {
const user = users.find(u => u.username === username);
if (!user) return done(null, false, { message: 'Incorrect username' });
const match = await bcrypt.compare(password, user.passwordHash);
if (!match) return done(null, false, { message: 'Incorrect password' });
return done(null, user);
}
));
// Serialize user ID to session
passport.serializeUser((user, done) => {
done(null, user.id);
});
// Deserialize user from session
passport.deserializeUser((id, done) => {
const user = users.find(u => u.id === id);
done(null, user);
});
// Middleware setup
app.use(express.urlencoded({ extended: false }));
app.use(session({
secret: 'your-secret-key',
resave: false,
saveUninitialized: false
}));
app.use(passport.initialize());
app.use(passport.session());
// Login route
app.post('/login',
passport.authenticate('local', {
successRedirect: '/dashboard',
failureRedirect: '/login'
})
);
// Protected route
app.get('/dashboard', (req, res) => {
if (!req.isAuthenticated()) {
return res.redirect('/login');
}
res.json({ user: req.user });
});
app.listen(3000);Traditional web applications with session-based login: Use passport-local strategy to verify username/password credentials against a database, then maintain user sessions across requests with cookie-based session management.
Social login integration: Implement "Sign in with Google/Facebook/GitHub" buttons using OAuth strategies (passport-google-oauth20, passport-facebook) to delegate authentication to third-party providers without handling passwords directly.
REST API authentication with JWT: Protect API endpoints using passport-jwt strategy to validate JSON Web Tokens sent in Authorization headers, enabling stateless authentication for mobile apps and SPAs.
Multi-tenant SaaS platforms: Combine multiple strategies (local, OAuth, SAML) to support different authentication methods for different customer organizations within the same application.
Enterprise SSO integration: Use passport-saml or passport-openidconnect to integrate with corporate identity providers like Okta, Auth0, or Azure AD for single sign-on functionality.
npm install passportpnpm add passportbun add passport