First of all - I basically don't know why you'd want to use
firstOrCreate for the local strategy. Making empty users in the
authentication stage is a bad idea. Second, the fallback for
firstOrCreate was just basically an alias for findOne - it didn't
need to be in there at all.
The big problem, as described in issue #9, is that without the
where key in the firstOrCreate query it will match the first
User in the User collection rather than the user with the email
intended to be authenticated.