Express Authentication Methods: Syntax and Results

1. Basic Authentication (Stateless)

What it is: A very simple scheme in which the username and password are sent with every request in the Authorization header, Base64 encoded. Base64 is an encoding, not encryption, so anyone who can read the traffic can recover the password; not safe unless served over HTTPS.

Example (express-basic-auth)

const express = require("express");
const basicAuth = require("express-basic-auth");

const app = express();

app.use(
  basicAuth({
    users: { admin: "pass123" },
    challenge: true,
    unauthorizedResponse: "Invalid credentials"
  })
);

app.get("/", (req, res) => {
  res.send("Welcome, authenticated user!");
});

app.listen(3000);

Expected Output

  • Browser will show a login popup asking for username/password.
  • After correct credentials: Welcome, authenticated user!
  • After wrong credentials: Invalid credentials

2. Session-Based Authentication (Stateful)

What it is: Server stores session data (e.g., logged‑in user), and the client keeps a session cookie.

Example (express-session)

const express = require("express");
const session = require("express-session");

const app = express();

app.use(session({
  secret: "secret_key",
  resave: false,
  saveUninitialized: false
}));

app.post("/login", (req, res) => {
  // Simplest example (no actual DB check)
  req.session.user = { id: 1, username: "john" };
  res.send("Logged in successfully!");
});

app.get("/dashboard", (req, res) => {
  if (req.session.user) {
    res.send("Dashboard — User: " + req.session.user.username);
  } else {
    res.status(401).send("Unauthorized");
  }
});

app.listen(3000);

Expected Output

  • POST /login → “Logged in successfully!”
  • GET /dashboard → “Dashboard — User: john” (if logged in)

3. JWT (JSON Web Token) Authentication (Stateless)

What it is: Server issues a signed token after login. The client sends that token on later requests.

Example

const express = require("express");
const jwt = require("jsonwebtoken");

const app = express();
const JWT_SECRET = "supersecret";

app.use(express.json());

app.post("/login", (req, res) => {
  // Example, no DB here
  const token = jwt.sign({ id: 1, username: "john" }, JWT_SECRET, { expiresIn: "1h" });
  res.json({ token });
});

app.get("/protected", (req, res) => {
  const authHeader = req.headers.authorization;
  if (!authHeader) return res.status(401).send("No token");

  const token = authHeader.split(" ")[1];
  
  try {
    const user = jwt.verify(token, JWT_SECRET);
    res.send("Hello " + user.username);
  } catch (e) {
    res.status(403).send("Invalid token");
  }
});

app.listen(3000);

Expected Output

  • POST /login → { "token": "eyJ…" }
  • GET /protected with header Authorization: Bearer <token> → Hello john

4. OAuth 2.0 Authentication (Third-Party Login)

What it is: Use a provider (Google/Facebook) so the user logs in via them without creating a local password.

Example (Google + Passport)

const express = require("express");
const passport = require("passport");
const GoogleStrategy = require("passport-google-oauth20").Strategy;

passport.use(new GoogleStrategy({
  clientID: "GOOGLE_CLIENT_ID",      // placeholders: load the real values from config, not source
  clientSecret: "GOOGLE_SECRET",
  callbackURL: "/auth/google/callback"
},
(accessToken, refreshToken, profile, done) => {
  return done(null, profile);
}
));

const app = express();

app.use(passport.initialize());

app.get("/auth/google",
  passport.authenticate("google", { scope: ["profile", "email"] })
);

app.get("/auth/google/callback",
  // session: false because this app has no express-session middleware (and no
  // serializeUser); without it Passport tries to log the user into a session and fails
  passport.authenticate("google", { failureRedirect: "/login", session: false }),
  (req, res) => {
    res.send("Google Auth success!");
  }
);

app.listen(3000);

Expected Output

  • Visit /auth/google → redirected to Google
  • After login → redirect callback → “Google Auth success!”

5. Passport Local Strategy

What it is: Passport middleware lets you handle username/password login with flexible strategies.

Example

const express = require('express');
const passport = require('passport');
const LocalStrategy = require('passport-local').Strategy;

passport.use(new LocalStrategy(
  // Example check only; a real app looks the user up and compares a password hash
  function(username, password, done) {
    if (username === 'admin' && password === '1234') {
      return done(null, { id: 1, username });
    }
    return done(null, false); // wrong credentials: no user, no error
  }
));

const app = express();
app.use(express.urlencoded({ extended: false })); // strategy reads username/password from the body
app.use(passport.initialize());
app.post('/login',
  passport.authenticate('local', { session: false }),
  (req, res) => res.send('Logged in as ' + req.user.username)
);
app.listen(3000);

Expected Output

  • passport.authenticate('local') checks credentials and either logs in or fails.

Summary Table

Auth Type       Stateful?   Best For                     Example Strategy
Basic           ❌          Simple protected routes      express-basic-auth
Session         ✅          Web apps with login          express-session
JWT             ❌          APIs / SPAs                  jsonwebtoken
OAuth                       Third-party login            passport-google-oauth20
Passport Local  ✅/❌       Flexible username/password   passport-local