jaredhanson/passport

★ 23,533 · JavaScript · MIT · updated Aug 2024

Simple, unobtrusive authentication for Node.js.

Passport is Express middleware that handles authentication by delegating the actual auth logic to swappable strategy plugins. You wire up one or more strategies (local, OAuth2, SAML, etc.), implement serialize/deserialize hooks, and it handles the rest. It's been the default auth solution for Express apps for over a decade.

480+ community strategies means you're rarely writing OAuth dance code from scratch — passport-google-oauth2, passport-azure-ad, passport-saml all exist and work. The core is tiny (a handful of files in lib/) and stays out of your way — no opinions on your database schema or session store. The strategy abstraction is clean enough that writing a custom strategy is genuinely straightforward. Test coverage in the core package is solid, with granular per-scenario test files for the authenticate middleware.

The main package hasn't had a meaningful commit since mid-2024 and the ecosystem is fragmented — strategy quality varies wildly, and many popular ones are years behind on maintenance. The README still shows callback-style code everywhere with no async/await examples, which will confuse anyone starting a modern project. The session-based flow requires express-session wired up correctly, and the README literally uses 'keyboard cat' as a session secret in its example — not a good look for security-sensitive middleware. If you need PKCE, refresh token rotation, or anything beyond basic OAuth2 flows, you'll be digging into individual strategy repos that may or may not support it.
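One way to act on the session-secret point above, as an added example (not code from Passport or its README): build the express-session options from the environment and refuse to start on a placeholder like 'keyboard cat'. The `SESSION_SECRET` variable name, the placeholder list and the length and variety thresholds are assumptions made for this sketch.

```javascript
// Added example. Assumption: the secret is supplied in SESSION_SECRET (name chosen here).
const PLACEHOLDER_SECRETS = new Set(['keyboard cat', 'secret', 'changeme', 'password']);
const MIN_SECRET_LENGTH = 32;   // e.g. 32 random bytes hex-encoded gives 64 characters
const MIN_DISTINCT_CHARS = 8;   // crude heuristic to catch 'aaaa...' style values

// Throws unless the value looks like a generated secret rather than a copied sample.
function validateSessionSecret(secret) {
  if (typeof secret !== 'string' || secret.length === 0) {
    throw new Error('SESSION_SECRET is not set');
  }
  if (PLACEHOLDER_SECRETS.has(secret.trim().toLowerCase())) {
    throw new Error('SESSION_SECRET is a well-known placeholder value');
  }
  if (secret.length < MIN_SECRET_LENGTH) {
    throw new Error(`SESSION_SECRET must be at least ${MIN_SECRET_LENGTH} characters`);
  }
  if (new Set(secret).size < MIN_DISTINCT_CHARS) {
    throw new Error('SESSION_SECRET has too little variety to be random');
  }
  return secret;
}

// Builds the options object passed to express-session's session() factory.
function buildSessionOptions(env) {
  const production = env.NODE_ENV === 'production';
  return {
    secret: validateSessionSecret(env.SESSION_SECRET),
    resave: false,              // do not rewrite unchanged sessions
    saveUninitialized: false,   // no session (or cookie) until something is stored
    cookie: {
      httpOnly: true,           // not readable from page scripts
      secure: production,       // HTTPS only; behind a proxy also set 'trust proxy'
      sameSite: 'lax',
      maxAge: 8 * 60 * 60 * 1000, // 8 hours, an arbitrary choice for this example
    },
  };
}

// In an app: app.use(session(buildSessionOptions(process.env))) before Passport's session support.
```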
