Skip to content
Username and password authentication strategy for Passport and Node.js.
JavaScript Makefile
Branch: master
Clone or download

Latest commit

Latest commit 2bf3939 May 23, 2019


Type Name Latest commit message Commit time
Failed to load latest commit information.
.github Update README. May 24, 2019
lib docs: fix typo Jun 21, 2016
test Delint tests. Mar 8, 2014
.gitignore Update support files. Mar 6, 2014
.jshintrc Update support files. Mar 6, 2014
.npmignore Update support files. Mar 6, 2014
.travis.yml Update Makefile and CI. Mar 10, 2019 Add GitHub templates. Oct 8, 2018
LICENSE Update support files. Mar 6, 2014
Makefile Update Makefile and CI. Mar 10, 2019 Update README. May 24, 2019
package.json Update Makefile and CI. Mar 10, 2019


Passport strategy for authenticating with a username and password.

This module lets you authenticate using a username and password in your Node.js applications. By plugging into Passport, local authentication can be easily and unobtrusively integrated into any application or framework that supports Connect-style middleware, including Express.

1Password, the only password manager you should trust. Industry-leading security and award winning design.

npm build coverage ...


$ npm install passport-local


Configure Strategy

The local authentication strategy authenticates users using a username and password. The strategy requires a verify callback, which accepts these credentials and calls done providing a user.

passport.use(new LocalStrategy(
  function(username, password, done) {
    User.findOne({ username: username }, function (err, user) {
      if (err) { return done(err); }
      if (!user) { return done(null, false); }
      if (!user.verifyPassword(password)) { return done(null, false); }
      return done(null, user);
Available Options

This strategy takes an optional options hash before the function, e.g. new LocalStrategy({/* options */, callback}).

The available options are:

  • usernameField - Optional, defaults to 'username'
  • passwordField - Optional, defaults to 'password'

Both fields define the name of the properties in the POST body that are sent to the server.


By default, LocalStrategy expects to find credentials in parameters named username and password. If your site prefers to name these fields differently, options are available to change the defaults.

passport.use(new LocalStrategy({
    usernameField: 'email',
    passwordField: 'passwd',
    session: false
  function(username, password, done) {
    // ...

When session support is not necessary, it can be safely disabled by setting the session option to false.

The verify callback can be supplied with the request object by setting the passReqToCallback option to true, and changing callback arguments accordingly.

passport.use(new LocalStrategy({
    usernameField: 'email',
    passwordField: 'passwd',
    passReqToCallback: true,
    session: false
  function(req, username, password, done) {
    // request object is now first argument
    // ...

Authenticate Requests

Use passport.authenticate(), specifying the 'local' strategy, to authenticate requests.

For example, as route middleware in an Express application:'/login', 
  passport.authenticate('local', { failureRedirect: '/login' }),
  function(req, res) {


Developers using the popular Express web framework can refer to an example as a starting point for their own web applications.

Additional examples can be found on the wiki.


The MIT License

Copyright (c) 2011-2015 Jared Hanson <>

You can’t perform that action at this time.