passport-local
Passport.js strategy for local username/password authentication. Verifies credentials against a custom verification callback that checks the user database. Integrates with Express.js via Passport.js middleware. Part of the Passport.js ecosystem — works with passport-jwt, passport-google-oauth20, and 500+ other strategies through a unified authentication interface.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Implements authentication, so security depends heavily on correct implementation. The verify callback must compare the submitted password against a salted hash (bcrypt, scrypt or Argon2) with a constant-time comparison, never against stored plaintext, and should return the same generic failure for an unknown username and a wrong password so that accounts cannot be enumerated. Session security (cookie secret, Secure/HttpOnly/SameSite flags, session store) depends entirely on the express-session configuration. HTTPS is required in production because the credentials travel in the request body. Rate limiting is not provided and must be added separately.
⚡ Reliability
Best When
You're building a traditional Express.js web application with session-based username/password authentication and may add multiple auth strategies (local + social OAuth).
Avoid When
You're building a stateless REST API — use passport-jwt or a simpler JWT middleware. For new projects, consider passwordless auth (magic links, OAuth) over username/password.
Use Cases
- • Implement traditional username/password login flow for Express.js web applications
- • Add agent API authentication with local credential verification as a fallback alongside OAuth strategies
- • Build multi-strategy authentication combining local login with social OAuth in a single Passport.js configuration
- • Implement admin panel authentication for internal agent management interfaces
- • Add session-based authentication to Express APIs that also need cookie-based auth for browser clients
Not For
- • Stateless JWT-based APIs — use passport-jwt or simple JWT middleware without Passport for REST APIs
- • Modern passwordless authentication — use WebAuthn/Passkeys, magic links, or OAuth instead of username/password flows
- • Non-Express frameworks — Passport.js is built around Connect/Express middleware conventions (req, res, next); other frameworks need an adapter such as koa-passport or @fastify/passport
Interface
Authentication
Implements local authentication — the library IS the auth mechanism. No external service credentials needed.
Pricing
MIT licensed. Zero cost.
Agent Metadata
Known Gotchas
- ⚠ express-session (or another middleware that populates req.session) must be mounted BEFORE passport.session(), and passport.session() before any protected route. With the wrong order the login never persists: depending on the Passport version the failure is silent (req.user is undefined on the next request) or surfaces as an error such as "Login sessions require session support"
- ⚠ passport.serializeUser() decides what is stored in the session (normally just the user id) and passport.deserializeUser() reloads the user into req.user on every request. Without them session-based auth breaks right after a successful login: req.login() fails with "Failed to serialize user into session", and later requests fail with "Failed to deserialize user out of session"
- ⚠ The verify callback signature is (username, password, done); passport-local ignores any returned promise, so an async function must still call done() on every path and route thrown errors to done(err): new LocalStrategy(async (username, password, done) => { try { ... done(null, user); } catch (err) { done(err); } }). Use done(null, false, { message }) for a bad credential and done(err) only for unexpected errors, otherwise a database outage is reported as "wrong password". The form fields default to username and password; set usernameField/passwordField (for example usernameField: 'email') when the form posts something else
- ⚠ passReqToCallback: true passes the request object as the first argument, changing the signature to (req, username, password, done); needed for multi-tenant auth where req carries the tenant context
- ⚠ passport-local only verifies credentials; whether a session is created is decided by passport.session() and the session option of passport.authenticate(). For a stateless API, either use passport-jwt throughout or run passport-local with { session: false } on the login endpoint that issues the JWT; mixing strategies requires careful route-level configuration
- ⚠ Failed login attempts are not rate-limited by passport-local; add express-rate-limit or similar to the login route (per IP and per account) to slow brute-force and credential-stuffing attacks
Alternatives
Full Evaluation Report
Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for passport-local.
Scores are editorial opinions as of 2026-03-06.