This guide describes the steps needed to add session-based authentication to a Node.js app using the Express web framework.

Middleware

Add session support by installing express-session:

$ npm install express-session

Use it as application-level middleware.

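var express = require('express');
var session = require('express-session');

var app = express();

app.use(session({
  // Placeholder value: load a long random secret from configuration, not from source code.
  secret: 'keyboard cat',
  resave: false,
  saveUninitialized: false,
  // secure: true means the cookie is only sent over HTTPS. Behind a TLS-terminating
  // proxy, also call app.set('trust proxy', 1) or the cookie will not be set.
  cookie: { secure: true }
}));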

Configure

Register functions that serialize and deserialize user information to and from the session.

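var passport = require('passport');

// Called at login: the object passed to cb is what gets stored in the session.
passport.serializeUser(function(user, cb) {
  process.nextTick(function() {
    return cb(null, {
      id: user.id,
      username: user.username,
      picture: user.picture
    });
  });
});

// Called on each request with a login session: the stored object becomes req.user.
// It is returned as stored, so it reflects the user record as of login time.
passport.deserializeUser(function(user, cb) {
  process.nextTick(function() {
    return cb(null, user);
  });
});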

Routes

Authenticate all routes by using passport.authenticate() as application-level middleware.

app.use(passport.authenticate('session'));

Note that this middleware must be use()'d after the session() middleware added in the previous step.

Alternatively, authenticate specific routes by using passport.authenticate() on routes mounted at a path.

app.get('/pages',
  passport.authenticate('session'),
  function(req, res, next) {
    /* ... */
  });
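
passport.authenticate('session') only restores req.user from an existing login session; a request that has none still reaches the route handler. The guard below is an added example, not code from the original guide or from Passport, showing one way to deny such requests; requireLogin, its loginPath and api options, and the simulate helper are hypothetical names, and the requests are constructed.

```javascript
// Usage (assumed): app.get('/pages', passport.authenticate('session'),
//                          requireLogin(), handler);
// req.isAuthenticated() and req.user are set by Passport; the rest is hypothetical.
function requireLogin(options) {
  var opts = options || {};
  var loginPath = opts.loginPath || '/login'; // assumed login route

  return function (req, res, next) {
    var authenticated = typeof req.isAuthenticated === 'function'
      ? req.isAuthenticated()
      : Boolean(req.user);
    if (authenticated) { return next(); }

    // Anonymous request: next() is never called, so the handler cannot run.
    if (opts.api) {
      return res.status(401).json({ error: 'authentication required' });
    }
    return res.redirect(loginPath);
  };
}

// Constructed stand-ins for Express req/res so the guard runs without a server.
function simulate(guard, req) {
  var outcome = { handlerRan: false, status: null, redirect: null, body: null };
  var res = {
    status: function (code) { outcome.status = code; return res; },
    json: function (body) { outcome.body = body; return res; },
    redirect: function (path) {
      outcome.status = 302;
      outcome.redirect = path;
      return res;
    }
  };
  guard(req, res, function next() { outcome.handlerRan = true; });
  return outcome;
}

// Constructed requests: one without a login session, one after deserializeUser ran.
var visitor = { user: undefined };
var member = { user: { id: 1, username: 'alice', picture: null } };

console.log(simulate(requireLogin(), visitor));              // redirected to /login
console.log(simulate(requireLogin({ api: true }), visitor)); // 401 JSON
console.log(simulate(requireLogin(), member));               // handler runs
```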
