Beginning Node.js – local authentication with Passport-Local Mongoose – part 6

Disclaimer: This is a series about me, creating a web application in Node.js. The completed example is available here.

I have a deep respect for all those developers out there that write fantastic modules I can use in my projects. One little gem is passport-local-mongoose. I've written about it before but as you see I'm doing it again.

What is passport-local-mongoose?

You can plug-in passport-local-mongoose into your Mongoose Userschema. This decorates the User object with a set of methods. E.g.

  • authenticate
  • register
  • setPassword
  • serialize
  • deserialize

It also hashes the passwords. This saves a lot of work.

What we should work on

  • Users should be able to register
  • Users should be able to authenticate
  • Users should be able to change their password
  • Users should be able to change their e-mail address
  • There should be a 'forgot password' procedure
  • Users should be able to delete their accounts

This article covers only 'register' and 'authenticate'. You can go ahead and clone the restaurant github repo for a full example.

To add local authentication to your app you'll need to run:

Of course, you may add your own properties to the model:

var mongoose = require('mongoose'),
    Schema = mongoose.Schema,
    passportLocalMongoose = require('passport-local-mongoose');

var User = new Schema({
    uuid: {
        type: String,
        required: false
    firstname: {
        type: String,
        required: true
    active: {
        type: String,
        required: false

var options = ({missingPasswordError: "Wrong password"});

module.exports = mongoose.model('User', User)

Now let's hook up Passport in our app.


Let's create a user controller which contains the register, the login and the getLogin functions (to check if a user has logged in).
Create a file named controller.user.js and put it in the app folder:

var mongoose = require('mongoose');
var User = require('./model.user');

exports.register = function (req, res) {
    console.log("registering: " + req.body.firstName);
    User.register(new User({
        username: req.body.username,
        firstname: req.body.firstname
    }), req.body.password, function (err, user) {
        if (err) {
            return res.send(err);
        } else {
                success: true,
                user: user

exports.login = function (req, res, next) {

    User.authenticate()(req.body.username, req.body.password, function (err, user, options) {
        if (err) return next(err);
        if (user === false) {
                message: options.message,
                success: false
        } else {
            req.login(user, function (err) {
                    success: true,
                    user: user


exports.getLogin = function (req, res) {
    if (req.user) {

        return res.send({
            success: true,
            user: req.user

    } //res.send(500, {status:500, message: 'internal error', type:'internal'}); == deprecated

        success: false,
        message: 'not authorized'

What happens?
1. User.authenticate and User.register:
The User.authenticate and User.register are functions we get from passport-local-mongoose. I just took this code as an example.

2. Check if a user is logged in with 'if(req.user)'
If a user is logged in, the req.user property is populated with the user object.
So if it exists, the user is logged in.


var mongoose = require('mongoose');
var User = require('./model.user');

var users = require('./controller.user');
var passport = require('passport');
var LocalStrategy = require('passport-local').Strategy;
var cookieParser = require('cookie-parser');
var session = require('express-session');

module.exports = function (app) {

    //initialize passport
    // use static serialize and deserialize of model for passport session support

    //need this according to passport guide
        secret: 'the princess and the frog',
        saveUninitialized: true,
        resave: true


Add this file to main.js, like so:


This will be your completed main.js:

var express = require('express');
var app = express();
var bodyparser = require('body-parser');
var mongoose = require('mongoose');

  extended: true




app.use(express.static(__dirname + '/public'));

app.set('port', process.env.PORT || 3001);
console.log("the server is running on http://localhost:" + app.get('port'));

Let's try this

Install Postman or another REST API test tool.

  • Don't forget to configure the headers: Content-Type application/json

First, let's register a user (click POST):


Second, let's login:


Check the login status:


The end of this series

This is where this series end. I hope anyone will enjoy this and at least learns something from my struggles. I know I did!
Your feedback is more than welcome by the way.

One Reply to “Beginning Node.js – local authentication with Passport-Local Mongoose – part 6”

  • Hello Jaqueline and thank you for the useful article! I have the following question, I see in your github repo ( how you use the setPassword method of passport-local-mongoose. My question is how to I create a password change form, where a user would submit in the same form his old password and his new one. Obviously for this to work I would have to check his old password to see that it matches to the one already in the database and if it matched I would update his password using the setPassword method, my question is what is the optimal way taking into account security issues, to implement this first step (password comparison).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: