Get Even More Visitors To Your Blog, Upgrade To A Business Listing >>

How can I report an invalid login properly with Express and PassportJS?

How can I report an invalid login properly with Express and PassportJS?


I've successfully implemented passport-local into my Express/Mongoose web-app but I'm having trouble figuring out how to render a failed Login message properly.

Here's my login route:

app.get('/login', function(req, res) {
   res.render('user/login', {

With a route like that how am I supposed to report an invalid login? If the login is successful it will write the id/username to the req.user object but that doesn't help me in the "GET /login" route because if it's successful you will get redirected to the page you want to go.

That means req.user will always be undefined when you GET the login page.

I want to be able to write out a message saying something like 'yo, invalid login!' when the following things happen:

  1. The user does not exist.
  2. The password supplied does not match but the user existed.

I might want to output a different message depending on what occurred.

When I implemented the LocalStrategy I used this code:

passport.use(new LocalStrategy({
    usernameField: 'email'
function(email, password, fn) {
  User.findOne({'': email}, function(err, user) {
    // Error was thrown.
    if (err) {
      return fn(err);

    // User does not exist.
    if (!user) {
      return fn(null, false);

    // Passwords do not match.
    if (user.login.password != utility.encryptString(user.login.salt + password)) {
      return fn(null, false);

    // Everything is good.
    return fn(null, user);

As you can see there are some problems but this is how the author of PassportJS set up his application. How are we supposed to access what the Strategy returns?

Like if it throws an error, what am I supposed to even call to get access to err?


Problem courtesy of: AntelopeSalad


You can use the custom callback or middleware functionality to have more control. See the Authentication section of the guide for examples.

For example, a custom callback might look like:

app.get('/login', function(req,res,next) {
    passport.authenticate('local', function(err,user) {
            if(!user) res.send('Sorry, you\'re not logged in correctly.');
            if(user) res.send('Skeet skeet!');

Alternatively, you could always redirect both responses:

    passport.authenticate('local', { successRedirect: '/winner',
                                     failureRedirect:'/loser' }));

Or redirect the failure with simple middleware:

app.get('/login', ensureAuthenticated,
    function(req,res) {
                // successful auth
                // do something for-the-win

    // reusable middleware
    function ensureAuthenticated(req,res,next) {
        if(req.isAuthenticated()) {return next();}
        res.redirect('/login/again'); // if failed...
Solution courtesy of: Wes Johnson


View additional discussion.

This post first appeared on Node.js Recipes, please read the originial post: here

Share the post

How can I report an invalid login properly with Express and PassportJS?


Subscribe to Node.js Recipes

Get updates delivered right to your inbox!

Thank you for your subscription