developers

Node.js and Express Authentication Using Passport

Learn how to use Passport.js to add user authentication to a web app built with Node.js and Express.

Dan Arias

Staff Developer Advocate

Jul 24, 201928 min read

In this tutorial, you'll learn how to secure Node.js web application built with the Express framework. You'll use Passport.js with Auth0 to manage user authentication and protect routes of a client that consumes an API. The client is server-side rendered using Pug templates styled with CSS.

Security for Express and Pug

Look for the 🛠️️ emoji if you'd like to skim through the content while focusing on the build steps.

Are you starting from this chapter?

If you are starting from this chapter, follow these steps to set up a simple web app built with Express and Pug, which is the basis for this chapter's security exercises:

🛠️️ Clone the project repository:

git clone -b starter git@github.com:auth0-blog/wab-portal-express.git

To quickly copy commands, triple-click them to select them fully.

🛠️️ Make 

wab-portal-express
the current working directory:

cd wab-portal-express

🛠️️ Install the project dependencies:

npm i

🛠️️ Run the server using 

nodemon
under the hood:

npm run dev

🛠️️ In a separate terminal window, serve the client from a static server using Browsersync under the hood:

npm run ui

Browsersync proxies the server running on port 

8000
with 
nodemon
. Check out the npm script commands present in 
package.json
for more details.

🛠️️ To see the app in action, visit 

http://localhost:3000
on your browser.

What You Will Build

You'll secure the login portal for a restaurant named WHATABYTE using Passport.js with Auth0:

Styled page created with background image using Pug, Express, and CSS

We tested this tutorial using Node.js 

v12.16.0
and npm 
v6.13.4
. If you need to install Node.js and npm, use any of the official Node.js installers provided for your operating system.

Set Up Real-World Authentication for Node.js

This tutorial's core objective is to teach you how to set up real-world authentication in a Node.js Express app. For that reason, you'll start by setting up Auth0 to interact with a real authentication server throughout the tutorial. Otherwise, Passport.js gives you a ton of error messages in the terminal, and the app won't run.

Auth0 is a global leader in Identity-as-a-Service (IDaaS). Its extensible platform seamlessly authenticates and secures more than 2.5 billion logins per month, making it loved by developers and trusted by global enterprises.

The best part of the Auth0 platform is how streamlined it is to get started by following these three easy steps.

Step 1: Sign up and create an Auth0 application

🛠️️ If you are new to Auth0, sign up for a free Auth0 account here. A free account offers you:

Try out the most powerful authentication platform for free.

Get started →

🛠️️ During the sign-up process, you'll create something called a Tenant, representing the product or service to which you are adding authentication — more on this in a moment.

🛠️️ Once you are signed in, you are welcomed into the Auth0 Dashboard. In the left sidebar menu, click on "Applications".

What's the relationship between Auth0 Tenants and Auth0 Applications?

Let's say that you have a photo-sharing React app called "Noddit". You then would create an Auth0 tenant called 

noddit
.

Now, say that Noddit is available on three platforms: web as a single-page application and as a native mobile app for Android and iOS. If each platform needs authentication, you need to create three Auth0 applications to provide the product with everything it needs to authenticate users through that platform.

🛠️️ Next, click on the Create Application button present in the "Applications" view. A modal titled "Create Application" opens up. You can provide a Name for the application and choose its type:

Name: WHATABYTE Express Portal

Application type: Regular Web Applications

🛠️️ Click on Create.

The Quick Start tab of your application page loads up, where Auth0 provides different guides to get you up and running with setting up a project. If you are curious, check out the Node.js quickstart; otherwise, keep on reading.

Step 2: Create a communication bridge between Express and Auth0

To reduce the overhead of adding and managing authentication, Auth0 offers the Universal Login page, which is the most secure way to easily authenticate users for web applications without having to worry about login forms.

How does Universal Login work?

Calling the 

GET /login
endpoint from your application takes your users to an Auth0 login page.

Auth0 Universal Login

Once they log in, Auth0 redirects them back to your application. With security in mind, for this to happen, you need to configure your Auth0 application with URLs that it can use to redirect users once it authenticates them.

Watch a video on how Auth0 Universal Login works.

🛠️️ To configure your Auth0 application, click on the Settings tab. Once there, populate the following fields like so:

  • 🛠️️ Allowed Callback URLs:
http://localhost:3000/callback, http://localhost:8000/callback
  • 🛠️️ Allowed Logout URLs:
http://localhost:3000/, http://localhost:8000/

If you take a look at 

package.json
, you'll see that you can run two npm scripts in this project:

  • dev
    runs your Node.js application using 
    nodemon
    on port 
    8000
    .

  • ui
    creates a static server to serve the client on port 
    3000
    .

To ensure that Auth0 can connect with any of these two environments, you enter URLs that use both port numbers.

🛠️️ Save these settings by scrolling down and clicking on Save Changes.

Step 3: Add Auth0 configuration variables to Node.js

🛠️️ Under the project directory, create a hidden file called 

.env
to store configuration variables and secrets that your app needs.

touch .env

Make sure to add this file to 

.gitignore
so that it isn't committed to version control.

🛠️️ Add the following to 

.env
:

AUTH0_CLIENT_ID=
AUTH0_DOMAIN=
AUTH0_CLIENT_SECRET=

🛠️️ Head back to your Auth0 application Settings tab and populate each property of the 

.env
hidden file with its corresponding Auth0 application value:

  • 🛠️️ 
    AUTH0_DOMAIN
    is your Domain value

When you created a new account with Auth0, you picked a name for your tenant. This name is used as a subdomain of 

auth0.com
and becomes your unique Auth0 application domain. It's the base URL you use to access the Auth0 API and the URL where your application redirects users for Auth0 to authenticate them.

You can also use custom domains to let Auth0 do the authentication heavy lifting for you without compromising on branding experience.

  • 🛠️️ 
    AUTH0_CLIENT_ID
    is your Client ID

Auth0 assigns to each application a Client ID upon creation, which is an alphanumeric string that acts as a unique identifier for your application (such as 

q8fij2iug0CmgPLfTfG1tZGdTQyGaTUA
). It cannot be modified, and it's used by your application when making Auth0 API calls.

  • 🛠️️ 
    AUTH0_CLIENT_SECRET
    is your Client Secret

The Auth0 Client Secret is a critical value as it protects your resources by only granting authentication-related credentials in the form of tokens to requestors if they're authorized. Think of it as your application's password, which must be kept confidential at all times. If anyone gains access to your Client Secret, they can impersonate your application and access protected resources.

Together, these variables let your application identify itself as an authorized party to interact with the Auth0 authentication server.

Add User Authentication to an Express App

With a real authentication server now set up, you are ready to learn how to add user authentication to an Express app using Passport.

🛠️️ To start, you need to create a 

GET /login
endpoint in your API to manage everything related to user authentication, which means verifying a user's identity.

Saying that implementing authentication is challenging is not an understatement. The authentication process itself is relatively straightforward; however, it is complicated to correctly and securely implement each step of the process and follow best practices as suggested by the Open Web Application Security Project (OWASP), which include:

  • Implementing proper password strength controls such as password length, complexity, and topology.
  • Implementing secure password recovery mechanisms.
  • Storing passwords securely, which includes hashing passwords with a salt.
  • Transmitting passwords only over TLS or other strong transport.
  • Correctly implementing authentication and error messages that mitigate user ID and password enumeration.
  • Preventing brute-force attacks.

These authentication best practices address different attack vectors and mitigate vulnerabilities in the authentication process that could compromise your users' identity. Technically, your team can implement all of these authentication steps, but that's a risky undertaking as you've learned so far. Instead, you can offload the risk and responsibility of strong authentication to an identity platform such as Auth0, so that you can focus on building features without worrying about security details.

🛠️️ To connect your app with Auth0, you'll use the Node.js SDKs. Then, any time a user tries to authenticate, the Auth0 authentication server will verify their identity and send the required information back to your app.

Use middleware for authentication

As explained in the "Using middleware" section of the Express docs, an Express application is essentially a series of middleware function calls that execute during the request-response cycle. Each function can modify the request and response objects as needed and then either pass control to the next middleware function or end the request-response cycle.

When creating protected routes in Express, you need to know the user's authentication status before executing the logic of route controllers. Thus, authentication in Express is a step in the request-response cycle, which you can implement as middleware.

To make the implementation of authentication easier, instead of writing all the code needed to structure the authentication middleware, you'll use Passport.js, a simple and unobtrusive authentication middleware for Node.js created by Jared Hanson, a former Principal Architect at Auth0.

Set up Passport.js with Node and Express

As explained in the Passport.js "Overview" document, authentication takes a variety of forms: users may log in by providing a username and password or single sign-on using an OAuth provider such as Facebook or Twitter.

Passport.js offers different authentication mechanisms, known as strategies, to cater to the unique authentication requirements each application has. Passport.js packages strategies as individual modules, and you can choose which strategies to employ, without creating unnecessary dependencies.

🛠️️ You are going to use the Auth0 authentication strategy with Passport.js so that you don't have to worry about creating and managing user credentials yourself. To start, install the following packages:

npm i passport passport-auth0 express-session dotenv

Here's a breakdown of each package you are installing:

  • passport
    : As discussed, Passport.js is Express-compatible authentication middleware for Node.js.

  • passport-auth0
    : This is the Auth0 authentication strategy for Passport.js.

  • express-session
    : This is a module to create and manage session middleware.

  • dotenv
    : This is a zero-dependency module that loads environment variables from a 
    .env
    file into 
    process.env
    .

Configure 
express-session

🛠️️ Next, open 

index.js
and add the following under the 
Required External Modules
section:

// index.js

/**
 * Required External Modules
 */

const express = require("express");
const path = require("path");

const expressSession = require("express-session");
const passport = require("passport");
const Auth0Strategy = require("passport-auth0");

require("dotenv").config();

You are adding imports for 

express-session
, 
passport
, and 
passport-auth0
, which you'll configure in the next sections. You also use 
dotenv
to load the environmental variables that you are storing in 
.env
.

🛠️️ Between the 

App Variables
and 
App Configuration
sections, create two new sections, 
Session Configuration
and 
Passport Configuration
:

// index.js

/**
 * App Variables
 */

const app = express();
const port = process.env.PORT || "8000";

/**
 * Session Configuration (New!)
 */



/**
 * Passport Configuration (New!)
 */



/**
 *  App Configuration
 */
 
// Rest of code...

Order matters in Express. Please ensure that you add the sections in the right order.

🛠️️ Under 

Session Configuration
, configure 
expressSession
as follows:

// index.js

/**
 * Session Configuration
 */

const session = {
  secret: process.env.SESSION_SECRET,
  cookie: {},
  resave: false,
  saveUninitialized: false
};

if (app.get("env") === "production") {
  // Serve secure cookies, requires HTTPS
  session.cookie.secure = true;
}

expressSession
takes a configuration object, 
session
, that defines what options to enable in a session. Here, you are configuring the following options:

  • secret
    : This is the secret used to sign the session ID cookie, which can be either a string for a single secret or an array of multiple secrets. You'll create the 
    SESSION_SECRET
    environmental variable shortly.

  • cookie
    : This is the settings object for the session ID cookie. The default value is 
    { path: '/', httpOnly: true, secure: false, maxAge: null }
    . You are setting this to be an empty object.

  • resave
    : This option forces the session to be saved back to the session store, even if the application doesn't modify the session during the request. For the Auth0 Passport.js strategy, you need this to be 
    false
    .

  • saveUninitialized
    : This forces a session that is new, but not modified, uninitialized, to be saved to the store. Passport.js handles the modification of the session so you can set it to 
    false
    . If set to 
    true
    , when your web page gets crawled by bots, it creates a session for them in addition to users who only visit your front page but don't log in, which uses up more sessions and memory.

For more details, read this comment by Gabe de Luca, pointing out the downsides of savings uninitialized sessions.

You now need to create the session secret for the app.

🛠️ Open 

.env
and add a 
SESSION_SECRET
and 
AUTH0_CALLBACK_URL
variable below 
AUTH0_CLIENT_SECRET
:

AUTH0_CLIENT_ID="..."
AUTH0_DOMAIN="..."
AUTH0_CLIENT_SECRET="..."
SESSION_SECRET=
AUTH0_CALLBACK_URL=http://localhost:3000/callback

🛠️ Execute the following command to generate a suitable string for the session secret:

node -e "console.log(crypto.randomBytes(32).toString('hex'))"

🛠️ Copy and paste the output of the command above as the value for 

SESSION_SECRET
in 
.env
.

You'll learn what 

AUTH0_CALLBACK_URL
does for your application once you configure Passport.js in the next section.

🛠️ Restart the server running on port 

8000
so that Express can recognize these new variables. Then, refresh the page where the user interface is running.

Additionally, when your app is running as a production instance, you'll only send cookies over HTTPS:

if (app.get("env") === "production") {
  // Serve secure cookies, requires HTTPS
  session.cookie.secure = true; 
}

With 

session.cookie.secure
set to 
true
, compliant clients won't send cookies back to the server if the browser doesn't have an HTTPS connection. Thus, using secure cookies requires an HTTPS-enabled website.

🛠️️ Next, under the 

App Configuration
section, tell your Express app to use 
expressSession
with the 
session
object you just created:

// index.js

/**
 *  App Configuration
 */

app.set("views", path.join(__dirname, "views"));
app.set("view engine", "pug");
app.use(express.static(path.join(__dirname, "public")));

app.use(expressSession(session));

🛠️️ With the session middleware configured, you are ready to add and configure Passport.js in your application.

Configure Passport with the application settings

In this section, you'll focus on wiring up Passport.js with your Express app.

🛠️️ With 

Auth0Strategy
already imported, proceed to define this strategy under the 
Passport Configuration
section in 
index.js
:

// index.js

/**
 * Passport Configuration
 */

const strategy = new Auth0Strategy(
  {
    domain: process.env.AUTH0_DOMAIN,
    clientID: process.env.AUTH0_CLIENT_ID,
    clientSecret: process.env.AUTH0_CLIENT_SECRET,
    callbackURL: process.env.AUTH0_CALLBACK_URL
  },
  function(accessToken, refreshToken, extraParams, profile, done) {
    /**
     * Access tokens are used to authorize users to an API
     * (resource server)
     * accessToken is the token to call the Auth0 API
     * or a secured third-party API
     * extraParams.id_token has the JSON Web Token
     * profile has all the information from the user
     */
    return done(null, profile);
  }
);

Here, the 

Auth0Strategy
method takes your Auth0 credentials and initializes the strategy. It's essential to understand what the 
Auth0Strategy
is doing for you:

  1. The callback function passed to the 

    Auth0Strategy
    method is known as the verify callback, which has the purpose of finding the user that possesses a set of credentials.

  2. When Passport.js authenticates a request, it parses the credentials or any other authentication information contained in the request.

  3. It then invokes the verify callback with the authentication data as arguments, in this case, 

    accessToken
    , 
    refreshToken
    , 
    extraParams
    , and 
    profile
    .

  4. Since Passport.js is a middleware function, the verify callback also receives 

    done
    as an argument to pass control to the next middleware function.

  5. As Auth0 does all the credential validation for you, the verify callback invokes 

    done
    to supply Passport with the user that authenticated through the 
    profile
    object.

🛠️️ Once the 

strategy
is defined, you need to have Passport.js use it. In Express applications, you are also required to initialize Passport and modify the persistent login session using Passport and the 
app.use()
method from Express. To achieve these tasks, update the 
App Configuration
section in 
index.js
as follows:

/**
 *  App Configuration
 */

app.set("views", path.join(__dirname, "views"));
app.set("view engine", "pug");
app.use(express.static(path.join(__dirname, "public")));

app.use(expressSession(session));

passport.use(strategy);
app.use(passport.initialize());
app.use(passport.session());

You must ensure that 

passport.initialize()
and 
passport.session()
are added after binding the 
express-session
middleware, 
expressSession(session)
, to the application-level middleware.

Store and retrieve user data from the session

🛠️️ The last step in setting up Passport.js is to support login sessions by serializing and deserializing user instances to and from the session. To integrate this functionality, once again, update the 

App Configuration
section as follows:

// index.js

/**
 *  App Configuration
 */

app.set("views", path.join(__dirname, "views"));
app.set("view engine", "pug");
app.use(express.static(path.join(__dirname, "public")));

app.use(expressSession(session));

passport.use(strategy);
app.use(passport.initialize());
app.use(passport.session());

passport.serializeUser((user, done) => {
  done(null, user);
});

passport.deserializeUser((user, done) => {
  done(null, user);
});

It's essential to keep the amount of data stored within the session small to ensure good performance and fast user lookup. The application only serializes the user object into the session. When the server receives subsequent requests, this stored object is used to locate the user and reassign it to 

req.user
.

Now that you have configured Passport.js, the next step is to add authentication endpoints to your API to handle user login and logout and provide an endpoint for the Auth0 authentication server to communicate with your app.

Despite the complexities involved in authentication, code does not have to be complicated. That's the philosophy behind Passport.js, which provides simple, unobtrusive authentication middleware for Node.js

Tweet This

Create Express Authentication Endpoints

🛠️️ In this section, you will create three endpoints that handle the application's authentication flow:

GET /login

GET /logout

GET /callback

To manage these endpoints better, you will create them within an authentication module and export them through an Express router so that your Express application can use them.

🛠️️ To start, create an 

auth.js
file under the project directory.

touch auth.js

Populate it with this template to define its structure:

// auth.js

/**
 * Required External Modules
 */

/**
 * Routes Definitions
 */


/**
 * Module Exports
 */

🛠️️ Next, add the following under the 

Required External Modules
section to import packages that are needed and load your environmental variables:

// auth.js

/**
 * Required External Modules
 */

const express = require("express");
const router = express.Router();
const passport = require("passport");
const querystring = require("querystring");

require("dotenv").config();

Here's an overview of the new modules you are using:

  • router
    : A router object is an isolated instance of middleware and routes. It is capable only of performing middleware and routing functions. Every Express application has a built-in app router.

  • util
    : This module is designed to support the needs of Node.js internal APIs by providing useful utility functions to perform tasks like formatting and encoding strings.

  • url
    : This module provides utilities for URL resolution and parsing.

  • querystring
    : This module provides utilities for parsing and formatting URL query strings.

You'll soon see how these modules streamline your route controller logic.

🛠️️ The first endpoint you'll create is the 

GET /login
one. Update the 
Routes Definitions
section of your 
auth.js
file as follows:

// auth.js

/**
 * Routes Definitions
 */

router.get(
  "/login",
  passport.authenticate("auth0", {
    scope: "openid email profile"
  }),
  (req, res) => {
    res.redirect("/");
  }
);

🛠️️ 

GET /login
performs the user login. This endpoint demonstrates how an Express route can take multiple callbacks after defining the route 
path
(first argument). Here, you pass two callback functions:

  • The 

    passport.authenticate()
    method, which gets the Passport.js strategy and an 
    options
    object that defines the application 
    scopes
    as arguments.

  • A custom callback is called after 

    passport.authenticate()
    finishes. This callback handles authentication success or failure and issues a response to the client.

🛠️️ After the authentication server identifies and validates the user, it calls the 

GET /callback
endpoint from your API to pass all the required authentication data. Implement that endpoint by appending the following 
GET /callback
definition to the 
Routes Definitions
section:

// auth.js

/**
 * Routes Definitions
 */

router.get("/login", ... );

router.get("/callback", (req, res, next) => {
  passport.authenticate("auth0", (err, user, info) => {
    if (err) {
      return next(err);
    }
    if (!user) {
      return res.redirect("/login");
    }
    req.logIn(user, (err) => {
      if (err) {
        return next(err);
      }
      const returnTo = req.session.returnTo;
      delete req.session.returnTo;
      res.redirect(returnTo || "/");
    });
  })(req, res, next);
});

GET /callback
performs the final stage of authentication and redirects to the previously requested URL or 
/
if that URL doesn't exist. Within the custom callback function, you check for the presence of an error, 
err
, and if the 
user
object is defined. If there's an error, you pass control to the next middleware function along with the error object. If authentication has failed, 
user
is false, and you redirect the user back to the 
/login
page.

Since you call the 

passport.authenticate()
method within the route controller, it has access to the request, 
req
, and response, 
res
, objects through a closure. If authentication is successful, you call 
req.LogIn()
to establish a login session. 
req.logIn()
is a function exposed by Passport.js on the 
req
object. When the login operation completes, the 
req
object gets a 
user
property added, containing all the user information.

After establishing a login session, you can improve your app's user experience by redirecting your users to the page they were visiting before the authentication request took place. The route of such a page is the value of 

req.session.returnTo
, which you assign to the 
returnTo
variable before deleting it. If 
returnTo
is defined, you redirect the user to that route; otherwise, you take them to a 
/user
page that should, ideally, present the user with their information.

You can redirect to any other routes.

As you can see, 

GET /callback
acts as the bridge between your application and the Auth0 authentication server. Using Passport.js, you can streamline the process of creating a login session and an active user in your app.

🛠️️ You are almost done. The last authentication endpoint to implement is 

GET /logout
, and it's the most complex one. Append the following 
GET /logout
definition to the 
Routes Definitions
section:

// auth.js

/**
 * Routes Definitions
 */

router.get("/login", ... );

router.get("/callback", ... );

router.get("/logout", (req, res) => {
  req.logOut();

  let returnTo = req.protocol + "://" + req.hostname;
  const port = req.connection.localPort;

  if (port !== undefined && port !== 80 && port !== 443) {
    returnTo =
      process.env.NODE_ENV === "production"
        ? `${returnTo}/`
        : `${returnTo}:${port}/`;
  }

  const logoutURL = new URL(
    `https://${process.env.AUTH0_DOMAIN}/v2/logout`
  );

  const searchString = querystring.stringify({
    client_id: process.env.AUTH0_CLIENT_ID,
    returnTo: returnTo
  });
  logoutURL.search = searchString;

  res.redirect(logoutURL);
});

This route performs a session logout and redirects the user to the homepage.

Passport.js also exposes a 

logOut()
function on the request object, 
req
, which you can call from any route controller that needs to terminate a login session. Calling 
req.logOut()
removes the 
req.user
property and clears the existing login session. After that, you build the URL that users are redirected to once the logout is complete as follows:

  • Start the URL string with the protocol and hostname:
let returnTo = req.protocol + "://" + req.hostname;
  • Determine if you are using a local port. If the port is neither 
    undefined
    , the default port number for web servers using HTTP (
    80
    ), nor the default port for web servers using HTTPS (
    443
    ), you append this port to the 
    returnTo
    URL string if the current Node environment is 
    development
    :
const port = req.connection.localPort;

if (port !== undefined && port !== 80 && port !== 443) {
  returnTo =
    process.env.NODE_ENV === "production"
      ? `${returnTo}/`
      : `${returnTo}:${port}/`;
}
  • Use the Node.js 
    URL()
     constructor along with the 
    util.format()
     to return a formatted string by replacing format specifiers (characters preceded by the percentage sign, 
    %
    ) with a corresponding argument. In this case, the string specifier, 
    %s
    , gets replaced with the value of 
    process.env.AUTH0_DOMAIN
    . You will set the Auth0 variables in the next section.
const logoutURL = new URL(
  `https://${process.env.AUTH0_DOMAIN}/v2/logout`
);
  • Using 
    querystring.stringify
    , create a URL query string from an object that contains the Auth0 client ID and the 
    returnTo
    URL:
const searchString = querystring.stringify({
  client_id: process.env.AUTH0_CLIENT_ID,
  returnTo: returnTo
});
  • Using 
    url.search
    , get and set the serialized query portions of 
    logoutURL
    :
logoutURL.search = searchString;
  • Finally, redirect the user to 
    logoutURL
    :
res.redirect(logoutURL);

The 

GET /logout
endpoint isn't too long, but it's quite complex. It leverages different Node APIs to dynamically build a logout path depending on the active Node environment, the port that the server uses, and the configuration variables.

🛠️️ All the authentication API endpoints are now complete. You now need to export the router and use it with your Express app. First, add this line under the 

Module Exports
section of 
auth.js
:

// auth.js

/**
 * Module Exports
 */

module.exports = router;

🛠️️ Then, open 

index.js
and import the authentication router in the 
Required External Modules
section:

// index.js

/**
 * Required External Modules
 */

const express = require("express");
const path = require("path");

const expressSession = require("express-session");
const passport = require("passport");
const Auth0Strategy = require("passport-auth0");

require("dotenv").config();

const authRouter = require("./auth");

🛠️️ Now, mount 

authRouter
on the root path, 
/
, of your Express app by updating the 
App Configuration
section as follows:

// index.js

/**
 *  App Configuration
 */

app.set("views", path.join(__dirname, "views"));
app.set("view engine", "pug");
app.use(express.static(path.join(__dirname, "public")));

app.use(expressSession(session));

passport.use(strategy);
app.use(passport.initialize());
app.use(passport.session());

passport.serializeUser( ... );

passport.deserializeUser( ... );

// Router mounting
app.use("/", authRouter);

🛠️️ You have a 

GET /login
endpoint, but you don't have a login button. Update 
views/index.pug
to include it:

extends layout

block layout-content
  div.View.WelcomeView
    h1.Banner WHATABYTE
    div.Message
      div.Title
        h3 Making the Best
        h1 Food For Devs
      span.Details Access the WHATABYTE Team Portal
    div.NavButtons
      if isAuthenticated
        a(href="/user")
          div.NavButton Just dive in!
      else
        a(href="/login")
          div.NavButton Log in

Now, when you click on the login button on the index page, the 

GET /login
endpoint gets called. As mentioned before, the 
/login
endpoint presents the user with a login page, but where's that page? When using Auth0 as your identity platform, you don't need to create a login page, Auth0 provides one for you with a proper form and secure authentication error messages and prompts.

🛠️️ The last thing that you need to do is to mount a middleware function at the application level to define the value of the 

isAuthenticated
variable used in the 
index.pug
template.

Create custom middleware with Express

🛠️️ In 

index.js
, update the 
App Configuration
section to enhance the response object, 
res
, with data from the authentication server. Do this right above the mounting of the authentication router:

// index.js

/**
 *  App Configuration
 */

app.set("views", path.join(__dirname, "views"));
app.set("view engine", "pug");
app.use(express.static(path.join(__dirname, "public")));

app.use(expressSession(session));

passport.use(strategy);
app.use(passport.initialize());
app.use(passport.session());

passport.serializeUser( ... );

passport.deserializeUser( ... );

// Creating custom middleware with Express
app.use((req, res, next) => {
  res.locals.isAuthenticated = req.isAuthenticated();
  next();
});

app.use("/", authRouter);

res.locals
is a property used to expose request-level information, such as the authenticated user and user settings. This information is then available to the views rendered during that request-response cycle, such as the templates that use the 
isAuthenticated
variable.

Now, the button present on the index page can change its content based on whether the user is logged in with Auth0 or not.

// views/index.pug
// ...
    div.NavButtons
      if isAuthenticated
        a(href="/user")
          div.NavButton Just dive in!
      else
        a(href="/login")
          div.NavButton Log in

Log into a Node.js Express app

🛠️️ Head to the browser tab where your application is running and click the login button to test that it is communicating correctly with Auth0 and that you can get authenticated.

🛠️️ If you've set up everything correctly, the application redirects you to the Universal Login page.

Auth0 Universal Login

As explained earlier, this login page is provided by Auth0 with batteries included. It powers not only the login but also the sign-up of new users into your application. If you already have an existing user account, go ahead and log in; otherwise, sign up as a new user.

🛠️️ Alternatively, you may sign up and log in with Google as it is turned on by default as a social provider.

🛠️️ If you are signing into an application using Auth0 for the first time, you'll see a dialog asking you to authorize your application to access user profile data. Go ahead and click the green arrow button to authorize access.

Auth0 authorization modal

An advantage of the Universal Login page is that it is part of the Auth0 domain. It lets you delegate user authentication, including registration, to Auth0, which makes it both convenient and secure.

Unless you signed up with Google, if you created a new user through the sign-up process, you will receive an email asking you to verify your email address. There are tons of settings that you can tweak to customize the sign-up and login experience of your users, such as requiring a username for registration. Feel free to check out the different options presented to you by Auth0 within the Dashboard and the Auth0 documentation.

🛠️️ Once you are signed up or logged in, Auth0 takes you back to the home page of your Express app.

Notice that the label of the button on the home page changed from 

Login
to 
Just Dive in!
, which means that the application has successfully authenticated you.

Index page for authenticated user

Access Guarded Routes

In your application, you protect the 

GET /user
endpoint using Passport.js middleware to prevent navigation to it if the application has not authenticated the user. Since you have logged in, when you click on the Just Dive In! button that points to 
/user
, you are successfully taken to that view. In case that you were logged out, you should be taken to the Auth0 login screen when trying to access the 
/user
route.

🛠️️ To start, create a middleware function named 

secure
to protect your 
/user
route and ensure it is only accessible if the user is logged in. Under the 
Routes Definitions
section of 
index.js
, add the following 
secured
middleware function:

// index.js

/**
 * Routes Definitions
 */

const secured = (req, res, next) => {
  if (req.user) {
    return next();
  }
  req.session.returnTo = req.originalUrl;
  res.redirect("/login");
};

// Defined routes
app.get("/", ... );

app.get("/user", ... );

🛠️️ Then, still under the 

Routes Definitions
section, refactor the 
GET /user
controller so that it uses that middleware function as follows:

// index.js

/**
 * Routes Definitions
 */

const secured = (req, res, next) => { ... };

app.get("/", ... );

app.get("/user", secured, (req, res, next) => {
  const { _raw, _json, ...userProfile } = req.user;
  res.render("user", {
    title: "Profile",
    userProfile: userProfile
  });
});

You use Javascript object destructuring to unpack values from the 

req.user
object into distinct variables. Using the optional object argument of the 
res.render()
method, you pass the 
userProfile
variable to the user view template along with the page title.

🛠️️ Visit 

http://localhost:3000/user
on the browser, if you are logged in, you now see your nickname in the greeting banner and the 
userProfile
object shown formatted as JSON within the content container.

🛠️️ If you click on the Log Out button, the application takes you to the index page. Visit 

http://localhost:3000/user
again, and it takes you to the login page provided by Auth0. Log in again, and you'll be back to the user page.

Learn how to set up Node.js and Express authentication with Passport.js and Auth0.

Tweet This

Authentication Integration Completed

That's it! In this tutorial, you learned how Passport.js works, how to configure it, and how to integrate it with Node.js and Auth0 to add authentication to web applications. You also learned about security and identity best practices and how an identity platform such as Auth0 lets you delegate to a team of experts the giant responsibility of keeping logins secure.

All that is left is for you to continue building this application as you may like. Feel free to dive deeper into the Auth0 Documentation to learn more about how Auth0 helps you save time on implementing and managing identity. Use the comments below this blog post to ask questions or join the Auth0 Community to connect with other developers like yourself.

Thank you for your time!

I ran into an issue