Implement Multiple Local User Authentication Strategies in Passport.js

Introduction

User authentication is complicated.

Writing user authentication from scratch is even more complicated. You’ll need to make complex security considerations that can delay progress on your Node.js application.

The good news is that the npm package Passport.js abstracts a good amount of this complication away from us, empowering us to create solutions for user authentication that are modular, maintainable, and extensible — however the Passport documentation is less than helpful. It gives great explanation of the API, but skips over very useful module extensibility features.

This article serves to demonstrate one capability offered by Passport.js which is not explicitly outlined in the documentation: Authenticate multiple local user types with multiple local strategies. Each strategy will be using different user models with different user roles, while at the same time utilizing Passport's native serialization methods to authenticate and authorize user sessions.

Creating Local Strategies for Two User Types

Although it isn't required, Passport.js's passport.use(); method does take one optional parameter that is not mentioned in the documentation:

1  /**
2  * @param {string} strategyName
3  * @param {LocalStrategy} LocalStrategy
4  */
5passport.use([ strategy-name,] new LocalStrategy);

The passport.use method is similar to Express's app.use in that it mounts a specified strategy to the Passport object, which is called when the route handler callback invokes the authenticate(); method (e.g., app.get( "/path", passport.authenticate('strategyName'));).

So, you can add many different named strategies to your app's Passport object to be used in other parts of your application, and Passport is programmed to validate requests using those strategies anytime you want via the authenticate(); method.

In a typical application that only needs one type of user authentication, you would see something like:

1// app.js
2const passport = require("passport");
3require("./config/passport")(passport);

1// config/passport.js
2const passport = require("passport");
3const LocalStrategy = require("passport-local").Strategy;
4
5module.exports = function(passport) {
6  passport.use('local-signup', new LocalStrategy({
7    // logic that checks the request's data against the application database
8    // for an existing username, if no username exists, create
9    // and save it to the database along with a hashed
10    // version of the password
11  });
12}

1// routes.js
2const express = require("express");
3const passport = require("passport");
4
5app.post(
6  "/login",
7  passport.authenticate("local-signup", {
8    successRedirect: "/",
9    failureRedirect: "/login",
10  }),
11);

In the app.js file, we are importing the passport object, and then passing it as an argument into our config/passport.js file which will initialize the specified strategies in the app's Passport object.

In order to change the code above so that you can use multiple local strategies, is to add a

passport.use method with names of the strategies we want to include. I have included an example below:

1// app.js
2const passport = require("passport");
3require("./config/passport")(passport);

1// config/passport.js
2const passport = require("passport");
3const LocalStrategy = require("passport-local").Strategy;
4
5module.exports = function(passport) {
6  passport.use('local-signup', new LocalStrategy({
7    // Include logic that searches the application database
8    // for an existing username, if no username exists, create
9    // and save it to the database along with a hashed
10    // version of the password
11  });
12
13  passport.use('local-otherUser-signup', new LocalStrategy({
14    // Include logic that searches the application database
15    // for an existing username, if no username exists, create
16    // and save it to the database along with a hashed
17    // version of the password
18  });
19}

1// routes.js
2const express = require("express");
3const passport = require("passport");
4
5app.post('/signup-1', passport.authenticate('local-signup', { ... });
6app.post('/signup-2', passport.authenticate('local-otherUser-signup', { ... });

If you'd like more detail and examples than what is provided above, issue #50 from the Passport.js repository on GitHub shows Jared Hanson explaining the same concept.

Extending passport.serializeUser(); and passport.deserializeUser();

Once you've completed the steps above, you won't yet be able to use the named local authentication strategies from the config/passport.js file that you created above, and your application is likely crashing silently.

The next step is to extend the Passport serialization methods with a function that both checks which Passport strategy was used to generate that client, and then generates a unique code to serialize that user with so that they can be deserialized with each request thereafter.

Before moving on, take a look at the serialization methods in the documentation. The user ID (you provide as the second argument of the "done" function in the serializeUser method) is saved in the session and is later used to retrieve the whole object via the deserializeUser function. serializeUser determines, which data of the user object should be stored in the session. The result of the

serializeUser method is attached to the session as req.session.passport.user = {}. The first argument of deserializeUser corresponds to the key of the user object that was given to the done function (see 1.). So your whole object is retrieved with help of that key.

If you do not make your user ID unique across each user Model, your serializeUser function will not know which database to query to retrieve the user you are trying to deserialize.

There are a few ways to fix this, but I included a session ID constructor below:

1// config/passport.js
2const LocalStrategy = require('passport-local').Strategy;
3const Guest = require('../models/guest');
4const Resident = require('../models/resident');
5
6function SessionConstructor(userId, userGroup, details) {
7  this.userId = userId;
8  this.userGroup = userGroup;
9  this.details = details;
10}
11
12module.exports = function(passport) {
13
14  passport.serializeUser(function (userObject, done) {
15    // userObject could be a Model1 or a Model2... or Model3, Model4, etc.
16    let userGroup = "model1";
17    let userPrototype =  Object.getPrototypeOf(userObject);
18
19    if (userPrototype === Model1.prototype) {
20      userGroup = "model1";
21    } else if (userPrototype === Resident.prototype) {
22      userGroup = "model2";
23    }
24
25    let sessionConstructor = new SessionConstructor(userObject.id, userGroup, '');
26    done(null,sessionConstructor);
27  });
28
29  passport.deserializeUser(function (sessionConstructor, done) {
30
31    if (sessionConstructor.userGroup == 'model1') {
32      Model1.findOne({
33          _id: sessionConstructor.userId
34      }, '-localStrategy.password', function (err, user) { // When using string syntax, prefixing a path with - will flag that path as excluded.
35          done(err, user);
36      });
37    } else if (sessionConstructor.userGroup == 'model2') {
38      Model2.findOne({
39          _id: sessionConstructor.userId
40      }, '-localStrategy.password', function (err, user) { // When using string syntax, prefixing a path with - will flag that path as excluded.
41          done(err, user);
42      });
43    }
44
45  });
46
47  passport.use( ... );
48
49}