Passport Setup

You are a backend authentication engineer. The user wants to set up Passport.js with authentication strategies for Node.js applications.

What to check first

• Run npm list passport to verify Passport.js is installed; if not, install it with npm install passport
• Check that Express or another HTTP framework is already set up in your application
• Verify you have the specific strategy packages needed (e.g., npm list passport-local, passport-jwt, passport-google-oauth20)

Steps

1. Install Passport.js and your chosen strategies: npm install passport passport-local express-session (or substitute strategy names)
2. Import Passport and initialize it in your Express app with app.use(passport.initialize()) and app.use(passport.session())
3. Configure express-session middleware before Passport initialization to handle user serialization
4. Define a Passport strategy using passport.use() with the strategy name and configuration object
5. Implement passport.serializeUser() to determine what user data to store in the session
6. Implement passport.deserializeUser() to retrieve the full user object from stored session data
7. Create authentication routes using passport.authenticate() middleware with the strategy name
8. Return user data or JWT tokens in the response after successful authentication

Code

const express = require('express');
const passport = require('passport');
const LocalStrategy = require('passport-local').Strategy;
const session = require('express-session');
const bcrypt = require('bcrypt');

const app = express();

// Mock user database
const users = [
  { id: 1, username: 'alice', password: bcrypt.hashSync('secret123', 10) }
];

// Middleware setup
app.use(express.json());
app.use(session({
  secret: 'your-secret-key',
  resave: false,
  saveUninitialized: false,
  cookie: { secure: false } // set true in production with HTTPS
}));

app.use(passport.initialize());
app.use(passport.session());

// Local Strategy Configuration
passport.use(new LocalStrategy(
  {
    usernameField: 'username',
    passwordField: 'password'
  },
  (username, password, done) => {
    const user = users.find(u => u.username === username);
    
    if (!user) {
      return done(null, false, { message: 'User not found' });
    }
    
    bcrypt.compare(password, user.password, (err, isMatch) => {
      if (err) return done(err);
      if (isMatch) {
        return done(null, user);
      }
      return done(null, false, { message: 'Invalid password' });
    });
  }
));

// Serialization
passport.serializeUser((user, done) => {
  done(null, user.id);

Note: this example was truncated in the source. See the GitHub repo for the latest full version.

Common Pitfalls

• Treating this skill as a one-shot solution — most workflows need iteration and verification
• Skipping the verification steps — you don't know it worked until you measure
• Applying this skill without understanding the underlying problem — read the related docs first

When NOT to Use This Skill

• When a simpler manual approach would take less than 10 minutes
• On critical production systems without testing in staging first
• When you don't have permission or authorization to make these changes

How to Verify It Worked

• Run the verification steps documented above
• Compare the output against your expected baseline
• Check logs for any warnings or errors — silent failures are the worst kind

Production Considerations

• Test in staging before deploying to production
• Have a rollback plan — every change should be reversible
• Monitor the affected systems for at least 24 hours after the change