What is passport?
Passport is an authentication middleware for Node.js that can be used in any Express-based web application. It supports a comprehensive set of strategies to authenticate users using a username and password, Facebook, Twitter, and more.
What are passport's main functionalities?
Local Authentication
This feature allows you to set up local authentication where users can log in with a username and password. The LocalStrategy is used to authenticate users against a local database.
passport.use(new LocalStrategy(
function(username, password, done) {
User.findOne({ username: username }, function (err, user) {
if (err) { return done(err); }
if (!user) { return done(null, false); }
if (!user.verifyPassword(password)) { return done(null, false); }
return done(null, user);
});
}
));
OAuth Authentication
Passport can be used to authenticate users using OAuth providers like GitHub, Facebook, Twitter, etc. This code sample demonstrates how to authenticate users with GitHub using the GitHubStrategy.
passport.use(new GitHubStrategy({
clientID: GITHUB_CLIENT_ID,
clientSecret: GITHUB_CLIENT_SECRET,
callbackURL: 'http://yourdomain.com/auth/github/callback'
},
function(accessToken, refreshToken, profile, cb) {
User.findOrCreate({ githubId: profile.id }, function (err, user) {
return cb(err, user);
});
}
));
JWT Authentication
Passport supports JSON Web Tokens (JWT) for securing API endpoints. The JwtStrategy is used to authenticate users based on a JWT token sent in the authorization header.
const JwtStrategy = require('passport-jwt').Strategy,
ExtractJwt = require('passport-jwt').ExtractJwt;
let opts = {}
opts.jwtFromRequest = ExtractJwt.fromAuthHeaderAsBearerToken();
opts.secretOrKey = 'secret';
passport.use(new JwtStrategy(opts, function(jwt_payload, done) {
User.findOne({id: jwt_payload.sub}, function(err, user) {
if (err) {
return done(err, false);
}
if (user) {
return done(null, user);
} else {
return done(null, false);
// or you could create a new account
}
});
}));
Other packages similar to passport
express-jwt
This package is a middleware that validates JSON Web Tokens for authentication purposes, similar to Passport's JWT strategy. It is specifically focused on JWT and does not support other authentication methods.
oauth
The oauth package provides a generic implementation of OAuth 1.0 and 2.0 that can be used for connecting to different OAuth providers. Unlike Passport, it does not come with pre-built strategies and requires more setup.
grant
Grant is an OAuth middleware for Express, Koa, and Hapi, supporting over 180 providers out of the box. It is similar to Passport's OAuth strategies but is more focused on OAuth and social login flows.
Passport
Passport is Express-compatible authentication
middleware for Node.js.
Passport's sole purpose is to authenticate requests, which it does through an
extensible set of plugins known as strategies. Passport does not mount
routes or assume any particular database schema, which maximizes flexiblity and
allows application-level decisions to be made by the developer. The API is
simple: you provide Passport a request to authenticate, and Passport provides
hooks for controlling what occurs when authentication succeeds or fails.
Install
$ npm install passport
Donate
Using Passport in your project? Donations
are greatly appreciated and help support development of this and other quality
modules.
Usage
Strategies
Passport uses the concept of strategies to authenticate requests. Strategies
can range from verifying username and password credentials, delegated
authentication using OAuth (for example, via Facebook
or Twitter), or federated authentication using OpenID.
Before authenticating requests, the strategy (or strategies) used by an
application must be configured.
passport.use(new LocalStrategy(
function(username, password, done) {
User.findOne({ username: username, password: password }, function (err, user) {
done(err, user);
});
}
));
Sessions
Passport will maintain persistent login sessions. In order for persistent
sessions to work, the authenticated user must be serialized to the session, and
deserialized when subsequent requests are made.
Passport does not impose any restrictions on how your user records are stored.
Instead, you provide functions to Passport which implements the necessary
serialization and deserialization logic. In a typical application, this will be
as simple as serializing the user ID, and finding the user by ID when
deserializing.
passport.serializeUser(function(user, done) {
done(null, user.id);
});
passport.deserializeUser(function(id, done) {
User.findById(id, function (err, user) {
done(err, user);
});
});
Middleware
To use Passport in an Express or
Connect-based application, configure it
with the required passport.initialize()
middleware. If your application uses
persistent login sessions (recommended, but not required), passport.session()
middleware must also be used.
app.configure(function() {
app.use(express.static(__dirname + '/../../public'));
app.use(express.cookieParser());
app.use(express.bodyParser());
app.use(express.session({ secret: 'keyboard cat' }));
app.use(passport.initialize());
app.use(passport.session());
app.use(app.router);
});
Authenticate Requests
Passport provides an authenticate()
function, which is used as route
middleware to authenticate requests.
app.post('/login',
passport.authenticate('local', { failureRedirect: '/login' }),
function(req, res) {
res.redirect('/');
});
Strategies
Passport has a comprehensive set of over 140 authentication strategies
covering social networking, enterprise integration, API services, and more.
The complete list is
available on the wiki.
The following table lists commonly used strategies:
Examples
- For a complete, working example, refer to the login example
included in passport-local.
- Please refer to this tutorial on setting up various social authentication strategies, including a working example found on this repo.
Related Modules
The modules page on the
wiki lists other useful modules
that build upon or integrate with Passport.
Tests
$ npm install --dev
$ make test
Credits
License
The MIT License
Copyright (c) 2011-2013 Jared Hanson <http://jaredhanson.net/>