nodejs authentication with passport js and passport local mongoose

Nodejs Authentication With Passport JS and Passport Local Mongoose

When creating a web app, a basic requirement is to make a login system with the help of which users can authenticate themselves before getting access to preserved resources or views.

If you wish to create a Node app, there is an authentication middleware for Node called Passport.

Passport provides authentication mechanisms with the help of a few commands. It is created for a singular purpose that is to authenticate requests.

Here we will learn how Node JS authentication with Passport JS and Passport local mongoose.

Passport-Local Mongoose is a Mongoose plugin that simplifies username creation and password login with Passport.

This module auto-generates salt and hash fields, you don’t require to hash the password with this crypto module, the passport-local-mongoose does this for you.

How is Salting of Password Important?

Whenever a user simply hashes their password and if there are two users in the database that have the same password, they will end up having the same hash.

Now, if any one of these passwords gets hacked then the hacker can reach each account that uses the same password because users with identical passwords have the same hash fields.

Therefore, before hashing, we prepend a unique string, just something unique. So that the hash is entirely different for every salt.


Also, Read – 7 Key Video Optimization Tips to Rank in YouTube and Google Search


Steps to Perform Authentication with Passport JS and Passport Local Mongoose 

Firstly, you need to generate an express app by installing all the needed modules.

> npm install passport passport-local mongoose passport-local-mongoose --save


1) You Need to Create a Directory Structure as Shown Below:



2) Need to Create a Model/User.js File That Will Define the User Schema

// importing the modules 
var mongoose = require('mongoose'); 
var Schema = mongoose.Schema; 
var passportLocalMongoose = require('passport-local-mongoose'); 

var UserSchema = new Schema({   
    email: {type: String, required:true, unique:true}, 
    username : {type: String, unique: true, required:true}, 
// plugin for passport-local-mongoose 
// exporting the userschema 
 module.exports = mongoose.model("User", UserSchema);


Note: In this schema, we don’t add any field for passwords because passport-local-mongoose doesn’t need it. Also, we don’t need to add any methods to hash our password for authentication as passport-local-mongoose will do that for us.

3) Configuring Passport/Passport-Local in App.js:

Firstly in app.js, you have to initialize the passport


Now the passport maintains persistent login sessions. For persistent sessions to work in the passport, the authenticated user must remain serialized to the session and deserialized when any subsequent requests are made.

With passport-local-mongoose it remains like this:


If you are not using passport-local-mongoose with the passport then the serialized and deserialized code can be somewhat different.

Now we have to set the strategies for the passport. For passport local mongoose the code would be like:

const User = require('./models/user');
const LocalStrategy = require('passport-local').Strategy; 
passport.use(new LocalStrategy(User.authenticate()));


In case, you are using only the passport without a passport-local-mongoose then you will have to write some code to compare passwords and all. But using this passport-local-mongoose, only those 2 lines are enough.

4) Next Comes the Creation of the Route/User.js File:

For this, you need to import the user-schema first, along with other required modules.

// importing modules 
const express = require('express'); 
const router = express.Router(); 
// importing the User Schema 
const User = require('../model/user');

5) Next is the Registering Part:

For registering the code should be:'/login', function(req, res) {       
    Users=new User({email:, username : req.body.username});   
          User.register(Users, req.body.password, function(err, user) { 
            if (err) { 
              res.json({success:false, message:"Your account could 
              not be saved. Error: ", err}) 
              res.json({success: true, message: "Your account has 
               been saved"}) 

In the above code, rather than defining our password in New user, we use the password with the User.Register() i.e. a passport-local-mongoose function. Now just check your database for your saved user, it will be like here:

    "_id" : ObjectId("5ca8b66535947f4c1e93c4f1"),
    "username" : "username you gave",
    "email" : "email you gave",
    "salt" : "4c8f6e009c4523b23553d9479e25254b266c3b7dd2dbc6d4aaace01851c9687c",
    "hash" : "337de0df58406b25499b18f54229b9dd595b70e998fd02c7866d06d2a6b25870d23650
    "__v" : 0

You will notice here that there is no field for the password, alternatively, passport-local-mongoose generated salt and hash for you, you are not required to set salt plus and fields in your schema.

Passport-local-mongoose will hold your username unique, i.e. if the username already exists it will return “UserExistsError”.

6) For Login:

Now for login,

userController.doLogin = function(req, res) { 
    res.json({success: false, message: "Username was not given"}) 
  } else { 
      res.json({success: false, message: "Password was not given"}) 
      passport.authenticate('local', function (err, user, info) { 
           res.json({success: false, message: err}) 
         } else{ 
          if (! user) { 
            res.json({success: false, message: 'username or password incorrect'}) 
          } else{ 
            req.login(user, function(err){ 
                res.json({success: false, message: err}) 
                const token = jwt.sign({userId : user._id, 
                   username:user.username}, secretkey, 
                      {expiresIn: '24h'}) 
                res.json({success:true, message:"Authentication 
                    successful", token: token }); 
      })(req, res); 

Also, Read – How to Convert CSV to JSON File in Node.JS

7) Resetting or Changing Passwords:

Resetting or changing passwords requires 2 simple functions in passport-local-mongoose:

setPassword function and changePassword function

When a user forgets the password then the SetPassword is used

For setPassword code is:

user.setPassword(req.body.password, function(err, user){ ..

When the user wants to change the password then the ChangePassword is used.

For change password code is:

user.changePassword(req.body.oldpassword, req.body.newpassword, function(err) ...

Users can directly call them in their router files.


Well, we’re finally at the end. In the above article, you will learn how to implement local authentication using Passport in a Node.js application along with resetting or changing the passwords.

We hope you liked this tutorial and perhaps got some inspiration for your next project. Happy coding!

1 Comment

  • inertial says:

    Thanks fоr every other mɑgnificent post. Where
    else couⅼd anybody get that type of information in such an ideal way of writing?

    I’ve a рresentation subsequent week, and I’m on the search for such info.

Leave a Reply

Your email address will not be published.