Passport login and persisting session

Question

Background

I have a MEAN application with CRUD capabilities fully tested with postman. I have been trying to persist login for quite some time now with no luck. I

Answer 1

Is the user now in a session on my server?

No, You need to use the express-session middleware before app.use(passport.session()); to actually store the session in memory/database. This middleware is responsible for setting cookies to browsers and converts the cookies sent by browsers into req.session object. PassportJS only uses that object to further deserialize the user.

Should I send the req.session.passport.user back to the client?

If your client expects a user resource upon login, then you should. Otherwise, I don't see any reason to send the user object to the client.

Do I need the session ID on all future requests?

Yes, for all future requests, the session id is required. But if your client is a browser, you don't need to send anything. Browser will store the session id as cookie and will send it for all subsequent requests until the cookie expires. express-session will read that cookie and attach the corresponding session object as req.session.

Testing the Session

passport.authenticate('local') is for authenticating user credentials from POST body. You should use this only for login route.

But to check if the user is authenticated in all other routes, you can check if req.user is defined.

function isAuthenticated = function(req,res,next){
   if(req.user)
      return next();
   else
      return res.status(401).json({
        error: 'User not authenticated'
      })

}
router.get('/checkauth', isAuthenticated, function(req, res){

    res.status(200).json({
        status: 'Login successful!'
    });
});