Authenticating with a username and password is one of the most common and familiar ways to sign into a website. This guide describes the steps needed to add username and password authentication to a Node.js app using the Express web framework.


Install passport-local using npm.

$ npm install passport-local

Configure Strategy

Create a new instance of LocalStrategy and pass a verify function as the first argument. For example:

var passport = require('passport');
var LocalStrategy = require('passport-local');

passport.use(new LocalStrategy(function verify(username, password, cb) {
  db.get('SELECT * FROM users WHERE username = ?', [ username ], function(err, user) {
    if (err) { return cb(err); }
    if (!user) { return cb(null, false, { message: 'Incorrect username or password.' }); }

    crypto.pbkdf2(password, user.salt, 310000, 32, 'sha256', function(err, hashedPassword) {
      if (err) { return cb(err); }
      if (!crypto.timingSafeEqual(user.hashed_password, hashedPassword)) {
        return cb(null, false, { message: 'Incorrect username or password.' });
      return cb(null, user);

The verify function must verify the user's password. In the example shown, the verify function is executing a SQLite query to fetch a user record from the database. It then compares the hashed password with the password submitted by the user.

Modify the verify function in the example according your application's database, schema, and password-hashing function.

The verify function must yield back to the strategy by calling the callback with a user if the password is correct:

return cb(null, user);

It must yield back with false if the password is incorrect:

return cb(null, false);

And it must yield back with an error if an exception occurred:

return cb(err);

Define Routes

Add a route that will prompt the user to sign in with a username and password by rendering a login view:

app.get('/login', function(req, res, next) {

Add an HTML form to the login view:

<h1>Sign in</h1>
<form action="/login/password" method="post">
        <label for="username">Username</label>
        <input id="username" name="username" type="text" autocomplete="username" required autofocus>
        <label for="current-password">Password</label>
        <input id="current-password" name="password" type="password" autocomplete="current-password" required>
    <button type="submit">Sign in</button>

Add a route that will authenticate the username and password when the user submits the form:'/login/password', passport.authenticate('local', {
  successRedirect: '/',
  failureRedirect: '/login'