Passport-authentication-middleware-BASIC-FLOW.

Last updated: February 8, 2026Reviewed date: February 8, 2026Reading time: 8 min read
Patient Tools

Read, save, and share this guide

Use these quick tools to make this medical article easier to read, print, save, or share with a family member.

Article Summary

Passport is a framework, and a Node.js middleware, that is extremely flexible and modular. It allows you to work with the main authentication strategies: Basic & Digest, OpenID, OAuth, OAuth 2.0 and JWT. And also allows you to work with external services authentication, such as Facebook, Google+, Twitter and more. Per its official site, there is a list with +300 authentication strategies, created and maintained...

Key Takeaways

  • This article explains The actual implementation steps - How passport validation work-flow works (passport-jwt strategy and jsonwebtoken) in simple medical language.
Educational health guideWritten for patient understanding and clinical awareness.
Reviewed content workflowUse writer and reviewer profiles for stronger trust.
Emergency safety firstUrgent warning signs are highlighted below.

Seek urgent medical care if you notice

These warning signs are general safety guidance. Local emergency numbers and clinical judgment should always come first.

  • Severe symptoms, breathing difficulty, fainting, confusion, or rapidly worsening illness.
  • New weakness, severe pain, high fever, or symptoms after a serious injury.
  • Any symptom that feels urgent, unusual, or unsafe for the patient.
1

Emergency now

Use emergency care for severe, sudden, rapidly worsening, or life-threatening symptoms.

2

See a doctor

Book a professional medical evaluation if symptoms persist, worsen, recur often, affect daily activities, or occur in a high-risk patient.

3

Learn safely

Use this article to understand possible causes, tests, treatment options, prevention, and questions to ask your clinician.

Passport is a framework, and a Node.js middleware, that is extremely flexible and modular. It allows you to work with the main authentication strategies: Basic & Digest, OpenID, OAuth, OAuth 2.0 and JWT. And also allows you to work with external services authentication, such as Facebook, Google+, Twitter and more. Per its official site, there is a list with +300 authentication strategies, created and maintained by 3rd-party.

First note the actual implemented code and flow, in a typical node app, the token is generated with jsonwebtoken npm package using jwt.sign() function in the auth.js backend route or controller. Like below

var token = jwt.sign(
  {
    username: user.username,
    id: user._id,
    employerType: user.employerType
  },
  settings.secret,
  {
    expiresIn: "15s"
  }
);
// return the information including token as JSON and the imageUrl as an additional data-point so I can get it in the front end to be renderer in the header for the logged-in user

res.json({
  success: true,
  token: "JWT " + token,
  imageUrl: user.images,
  username: user.name
});

And the way this token is saved in the localStroge in the frontend is within Login.js file in React, i.e. the file that creates a POST request to the backend’s auth.js’s login route (‘/login’) like below

axios.post("/api/auth/login", { username, password }).then(result => {
  localStorage.setItem("user", JSON.stringify(result.data));

  this.setState(() => ({
    message: "",
    redirectToReferrer: true
  }));
});
So Passport is not for any specific method of authentication, the method for authentication like OAuth, JWT is implemented in Passport by Strategy pattern, so it means that you can swap the authentication mechanism without affecting other parts of your application.
Passport JWT (passport-jwt) is only for authenticating requests. And I will need another tool to actually generate a token, and for which job I use jsonwebtoken.
The JWT token, which you generate in the backend within the auth route (when user sends a POST request to ‘/login’ route in the backend) and return to whatever original client-route made the request. So, the backend creates a signed token and returns it in response. The client saves the token ( the one returned by backend in response ) locally (typically in localStorage)
Now when any protected-client route makes a request, this token needs to be present in the header (“Authorization: JWT eyJ0eXAiO…”) on all subsequent requests, that for all subsequent requst to a protected-route, which needs authentication. Passwort-jwt in the backend for that specific protected-route, checks this auth header and verifies it’s validity. If it is invalid, it returns a 401, otherwise it populate your req.user.

The actual implementation steps – How passport validation work-flow works (passport-jwt strategy and jsonwebtoken)

1> passport.js works with the concept of strategies. They basically are a middleware function that a requests runs through before getting to the actual route. If your defined authentication strategy fails, which means that the callback will be called with an error that is not null or false as the second argument, the route will not be called, but a 401 Unauthorized response will be sent.

In this example I am using passport-jwt strategy and jsonwebtoken (its from my Developer-Profiler app(https://github.com/rohan-paul/Developer-Profile-App)).

2> passport-jwt

My passport.js file below

const opts = {};
opts.jwtFromRequest = ExtractJwt.fromAuthHeaderAsBearerToken();
/* The above is for Extracting the JWT from the request. The JWT is parsed from the request by a user-supplied callback passed in as the jwtFromRequest parameter. This callback, from now on referred to as an extractor, accepts a request object as an argument and returns the encoded JWT string or null.
A number of extractor factory functions are provided in passport-jwt.ExtractJwt. These factory functions return a new extractor configured with the given parameters. fromAuthHeaderAsBearerToken() is one such function, as my scheme here was ‘bearer’ as stated in my user.js routes file. */

opts.secretOrKey = keys.secretOrKey;

module.exports = passport => {
  passport.use(
    new JwtStrategy(opts, (jwt_payload, done) => {
      // console.log(jwt_payload);
      User.findById(jwt_payload.id)
        .then(user => {
          if (user) {
            return done(null, user);
          }
          return done(null, false);
        })
        .catch(err => console.log(err));
    })
  );
};

In this strategy above, I assume that the client will send the JWT token in Authorization Header as a Bearer Token when logging in. Server validates user credentials and returns encrypted user object i.e token. Client can save token using cookie, local-storage, or other mechanism. Then on every user request it validates token and only on successful validation proceed with the request.

One great advantage of tokens is that we don’t have to lookup the token in a database on every api call as it contains all needed information in itself. This should help keeping the authentication process small. The biggest downside of that is the inability of revoking a token without having a whitelist or blacklist somewhere. This is the reason we keep the lifetime of the token small (like for example 120 minutes).

This passport middleware will be injected via passport.use(strategy) function. To finish, two functions will be included from Passport to be used on the application. They are the initialize() function which starts the Passport and authenticate() which is used to authenticate the access for a route.

https://stackoverflow.com/questions/42306821/why-would-i-need-to-use-passport-package-with-jsonwebtoken-for-applying-token-ba

3> Understanding the main function of official dox (https://github.com/themikenicholson/passport-jwt#configure-strategy)

passport.use(
  new JwtStrategy(opts, function(jwt_payload, done) {
    User.findOne({ id: jwt_payload.sub }, function(err, user) {
      if (err) {
        return done(err, false);
      }
      if (user) {
        return done(null, user);
      } else {
        return done(null, false);
        // or you could create a new account
      }
    });
  })
);

A> In the above I pass-in a new instance of JwtStrategy and then pass in options and a callback.

B> ‘jwt_payload’ is an object literal containing the decoded JWT payload. Inside the callback the jwt_payload will contain all my user data, that I included in ../routes/api/users.js file https://github.com/rohan-paul/Developer-Profile-App/blob/master/routes/api/users.js#L101

const payload = { id: user.id, name: user.name, avatar: user.avatar };

So, this payload will have the attribute id that will be a user id to be used as argument to search a user in the database.

C> Once I do that, I want to find that user

D> ‘done’ is a passport error-first callback accepting arguments done(error, user, info)

2-nd Implemented project, where also I am using passport (with jwt strategy) and jsonwebtoken

/home/paul/codes-Lap/React/Volteo/AP-Ports/frontend-portal-MY-WORK-push-to-github/Phase-2/server/config/passport.js

Here’s my passport.js file

module.exports = function(passport) {
  var opts = {};
  opts.jwtFromRequest = ExtractJwt.fromAuthHeaderWithScheme("jwt");
  opts.secretOrKey = settings.secret;
  passport.use(
    new JwtStrategy(opts, function(jwt_payload, done) {
      console.log("payload received", jwt_payload);
      // Now the usual database call
      User.findOne({ _id: jwt_payload.id }, function(err, user) {
        if (err) {
          return done(err, false);
        }
        if (user) {
          done(null, user);
        } else {
          done(null, false);
        }
      });
    })
  );
};

And in my ..server/routes/auth.js for the router.post(‘/login) – I had the below

var token = jwt.sign(
  {
    username: user.username,
    id: user._id,
    employerType: user.employerType
  },
  settings.secret,
  {
    expiresIn: "4h"
  }
);

To see the actual contents of the jwt_payload – put this < console.log(“payload received”, jwt_payload) > inside the passport.js file as above.

Now, after using any protected route (for example adding a new tidal data under /tidal/create) route (which had passport.authenticate as the middleware) I will get the following printed in Terminal (which are actual user’s email, the saved mongo _id and employer type)

payload received { username: 'actual_user-email@gmail.com',
   id: '664633411681589161646',
   employerType: 'port',
   iat: 1544424322,
   exp: 1544438722 }

Then the below is how, the middleware check is implemented in the backend protected route for adding a new tidal data at “/createtide” route in the backend.

The getToken() function is merely for getting the actual token from headers so I can check the existence of a token) – which is mainly required in the frontend to conditionally show “Login” or “Logout” button. And in the backend its just another layer of check (but not really required)

// route to Add a new Tidal data ( Protected routes )
router.post(
  "/createtide",
  passport.authenticate("jwt", { session: false }),
  (req, res) => {
    var token = getToken(req.headers);
    if (token) {
      var tide = new Tide(req.body);
      tide.save(function(err, newTide) {
        if (err) throw err;
        res.status(200).send(newTide);
      });
    } else {
      return res.status(403).send({ success: false, msg: "Unauthorized." });
    }
  }
);

3-rd Implemented project – Herer, I got passport-local strategy (as opposed to ‘jwt’)- (https://github.com/rohan-paul/SignUp-Form-with-Passport) app. For more details see – https://www.sitepoint.com/local-authentication-using-passport-node-js/

In serializeUser passport attaches the profile information to req.user. This occurs as a direct result of the serializeUser() and deserializeUser() functions. – https://hackernoon.com/passportjs-the-confusing-parts-explained-edca874ebead

In deserializeUser(), the first argument is an id which is the same id that was passed in done(null, user.id) of serializeUser(). deserializeUser() then makes a request to our DB to find the full profile information for the user and then calls done(null, user). This is where the user profile is attached to the request handler at req.user. Then finally after all this occurs, the user is routed back to the /login/google/return route handler where we can finally access the user profile information on req.user. – https://hackernoon.com/passportjs-the-confusing-parts-explained-edca874ebead

General Resources to refer

1> https://jonathanmh.com/express-passport-json-web-token-jwt-authentication-beginners/

Patient safety assistant

Check your symptom safely

Hi, I am RX Symptom Navigator. I can help you understand what to read next and what warning signs need care.
Warning: Do not use this in emergencies, pregnancy, severe illness, or as a substitute for a doctor. For children or teens, use with a parent/guardian and clinician.
A rural-friendly guide: warning signs, when to see a doctor, related articles, tests to discuss, and OTC safety education.
1 Symptom 2 Severity 3 Safe guidance
First safety question

Is there chest pain, breathing trouble, fainting, confusion, severe bleeding, stroke-like weakness, severe injury, or pregnancy danger sign?

Choose quickly

Browse by body area
Start here: Write or select a symptom. The guide will show warning signs, doctor guidance, diagnostic tests to discuss, OTC safety education, and related RX articles.

Important: This tool is educational only. It cannot diagnose, treat, or replace a doctor. OTC information is not a prescription. In an emergency, contact local emergency services or go to the nearest hospital.

Doctor visit helper

Prepare before seeing a doctor

A simple rural-patient checklist to help you explain symptoms clearly, ask better questions, and avoid unsafe self-treatment.

Safety note: This is not a prescription or diagnosis. For severe symptoms, pregnancy danger signs, children with serious illness, chest pain, breathing difficulty, stroke-like weakness, or major injury, seek urgent care.

Which doctor may help?

Start with a registered doctor or the nearest qualified health center.

What to tell the doctor

  • Write when the problem started and how it changed.
  • Bring old prescriptions, investigation reports, and current medicines.
  • Write allergies, pregnancy status, diabetes, kidney/liver disease, and major past illnesses.
  • Bring one family member if the patient is weak, elderly, confused, or a child.

Questions to ask

  • What is the most likely cause of my symptoms?
  • Which danger signs mean I should go to hospital quickly?
  • Which tests are necessary now, and which can wait?
  • How should I take medicines safely and what side effects should I watch for?
  • When should I come for follow-up?

Tests to discuss

  • Vital signs: temperature, pulse, blood pressure, oxygen saturation
  • Basic physical examination by a clinician
  • CBC, urine test, blood sugar, or imaging only when clinically needed

Avoid these mistakes

  • Do not use antibiotics, steroid tablets/injections, or strong painkillers without proper medical advice.
  • Do not hide pregnancy, kidney disease, ulcer, allergy, or blood thinner use.
  • Do not delay emergency care when danger signs are present.

Medicine safety and first-aid guide

This section is for patient education only. It does not replace a doctor, pharmacist, or emergency care.

Safe first steps

  • Rest, drink safe water, and observe symptoms carefully.
  • Keep a written note of symptoms, duration, temperature, medicines already taken, and allergy history.
  • Seek medical care quickly if symptoms are severe, worsening, or unusual for the patient.

OTC medicine safety

  • For mild pain or fever, ask a registered pharmacist or doctor before using common over-the-counter pain/fever medicines.
  • Do not combine multiple pain medicines without advice, especially if you have kidney disease, liver disease, stomach ulcer, asthma, pregnancy, or take blood thinners.
  • Do not give adult medicines to children unless a qualified clinician advises it.

Avoid these mistakes

  • Do not start antibiotics without a proper medical decision.
  • Do not use steroid tablets or injections casually for quick relief.
  • Do not delay emergency care because of home remedies.

Get urgent help if

  • Severe symptoms, confusion, fainting, breathing difficulty, chest pain, severe dehydration, or sudden weakness need urgent medical care.
Medicine names, dose, and timing must be decided by a qualified clinician or pharmacist after checking age, pregnancy, allergy, other diseases, and current medicines.

For rural patients and family caregivers

Patient health record and symptom diary

Write your symptoms, medicines already taken, test results, and questions before visiting a doctor. This note stays on your device unless you print or copy it.

Doctor to discuss: Doctor / qualified healthcare provider
Tests to discuss with doctor
  • Basic vital signs: temperature, pulse, blood pressure, oxygen level if needed
  • Relevant blood, urine, imaging, or specialist tests only after clinical assessment
Questions to ask
  • What is the most likely cause of my symptoms?
  • Which warning signs mean I should go to emergency care?
  • Which tests are really needed now?
  • Which medicines are safe for my age, pregnancy status, allergy, kidney/liver/stomach condition, and current medicines?

Emergency warning signs such as chest pain, severe breathing difficulty, sudden weakness, confusion, severe dehydration, major injury, or loss of bladder/bowel control need urgent medical care. Do not wait for online information.

Safe pathway to proper treatment

Patient care roadmap

Use this simple roadmap to understand the next safe steps. It is educational and does not replace examination by a doctor.

Go to emergency care if you notice:
  • Severe or rapidly worsening symptoms
  • Breathing difficulty, chest pain, fainting, confusion, severe weakness, major injury, or severe dehydration
Doctor / service to discuss: Qualified healthcare provider; specialist depends on symptoms and examination.
  1. Step 1

    Check danger signs first

    If danger signs are present, seek emergency care and do not wait for online information.

  2. Step 2

    Record the symptom story

    Write when symptoms started, severity, medicines already taken, allergies, pregnancy status, and test results.

  3. Step 3

    Visit a qualified clinician

    A doctor, nurse, or qualified healthcare provider can examine you and decide which tests or treatment are needed.

  4. Step 4

    Do only useful tests

    Do tests after clinical assessment. Avoid unnecessary tests, random antibiotics, or repeated medicines without diagnosis.

  5. Step 5

    Follow up and return early if worse

    If symptoms worsen, new warning signs appear, or treatment is not helping, return for review quickly.

Rural patient practical tips
  • Take a written symptom diary and all previous prescriptions/test reports.
  • Do not hide medicines already taken, even herbal or over-the-counter medicines.
  • Ask which warning signs mean urgent referral to hospital.

This roadmap is for education. A real diagnosis and treatment plan requires history, examination, and clinical judgment.

RX Patient Help

Ask a health question safely

Write your symptom story. A health professional or site editor can review it before any answer is prepared. This box is not for emergency care.

Emergency first: Severe chest pain, breathing trouble, unconsciousness, stroke signs, severe injury, heavy bleeding, or rapidly worsening symptoms need urgent local medical care now.

Frequently Asked Questions

Is this article a replacement for a doctor?

No. It is educational content only. Patients should consult a qualified clinician for diagnosis and treatment.

When should I seek urgent care?

Seek urgent care for severe symptoms, rapidly worsening condition, breathing difficulty, severe pain, neurological changes, or any emergency warning sign.

References

Add references, clinical guidelines, textbooks, journal articles, or trusted medical sources here. You can edit this area from the RX Article Professional Blocks panel.

More from this topic
  1. How To Speed Up a WordPress (WP) Web Site

    To speed up a WordPress (WP) site, you need a combination of a solid foundation (hosting, theme) and optimization techniques (caching, image compression, code minification). These improvements...

    November 4, 2025 PHP, JS, CSS, Python, and Machine Learning Technology
  2. JavaScript Frameworks and Libraries List

    JavaScript frameworks and libraries are collections of pre-written JavaScript code designed to streamline and enhance web development. While both provide reusable code, their primary distinction lies in...

    October 26, 2025 PHP, JS, CSS, Python, and Machine Learning Technology
  3. Types of Linux

    Linux is most widely used by advanced users who always want to have more control over their system. In this user are allowed to easily install...

    November 7, 2024 PHP, JS, CSS, Python, and Machine Learning Technology
  4. User Agents for Web Scraping

    When scraping large amounts of information, the main problem is the risk of blocking and how to avoid it. We have already discussed that you can...

    September 28, 2024 PHP, JS, CSS, Python, and Machine Learning Technology
  5. Solid-State Drive (SSD)

    Solid-State Drive (SSD) is a solid-state storage device that uses integrated circuit assemblies to store data persistently, typically using flash memory. SSDs store data in semiconductor cells....

    July 5, 2024 PHP, JS, CSS, Python, and Machine Learning Technology
  6. HEADer.php Metadata

    To turn your web pages into graph objects, you need to add basic metadata to your page. We’ve based the initial version of the protocol on RDFa which...

    June 28, 2024 PHP, JS, CSS, Python, and Machine Learning Technology
  7. Largest Contentful Paint

    Developers today don’t have a reliable metric that correlates with their user’s visual rendering experience. Existing metrics such as First Paint and First Contentful Paint focus...

    June 11, 2024 PHP, JS, CSS, Python, and Machine Learning Technology
  8. Computer Short Code

    বর্তমান দিনে কম্পিউটার ছাড়া আমাদের এক পা এগোনো খুব কঠিন হয়ে উঠেছে।আপনি কয়েক সেকেন্ডের মধ্যে কিভাবে কম্পিউটার শিখতে ও চালাতে পারবেন সেই জন্য এই পোস্ট  Ctrl...

    June 3, 2024 PHP, JS, CSS, Python, and Machine Learning Technology
  9. What is Largest Contentful Paint

    Developers today don’t have a reliable metric that correlates with their user’s visual rendering experience. Existing metrics such as First Paint and First Contentful Paint focus...

    June 3, 2024 PHP, JS, CSS, Python, and Machine Learning Technology
  10. What is HTML5?

    HTML is the core foundational standard being worked on by the WHATWG community. It is continuously maintained and supersedes HTML4, XHTML1, DOM Level 2 HTML, and all...

    June 3, 2024 PHP, JS, CSS, Python, and Machine Learning Technology