

Ask HN: Auth for node.js: passport or everyauth? - argonaut

A cursory look at the code of both hasn&#x27;t really helped me with making a decision. I&#x27;ll be using primarily for a RESTful API. Any thoughts?
======
declandewet
I've found that Passport is much easier to work with, as it is _just_ Express
middleware, plus there are way more strategies should you ever want to support
any other form of authentication. There's a plethora of points made on
Passport over EveryAuth (that might be biased - but worth a look) by the
author of Passport over here:
[http://stackoverflow.com/questions/11974947/everyauth-vs-
pas...](http://stackoverflow.com/questions/11974947/everyauth-vs-passport-js)

He also mentions that if you just want API authentication then Passport has
two sibling projects for that purpose - OAuthorize and OAuth2orize.

You would most likely be using bearer tokens issued by OAuth2 to implement
this, and Passport supports this pretty well, with the bonus that it's
actively maintained: [https://github.com/jaredhanson/passport-http-
bearer](https://github.com/jaredhanson/passport-http-bearer)

~~~
argonaut
Thanks! Any thoughts on using passport for a restful user account
login/registration API? I guess I've been spoiled by how Rails/Django have
everything built-in.

~~~
declandewet
It would be much more straight-forward than it would be in Rails. Passport is
very easy to use compared to libraries like Devise, and it gives you the
option to write your own middleware to use along with it. Middleware in
Express is literally just a function you call in between the route parameter
and the callback, like so:

app.get('/dashboard', ensureAuthenticated(), function(req, res) { });

Your ensureAuthenticated function would look like this:

function ensureAuthenticated(req, res, next) { if (req.isAuthenticated()) {
next(); } else { res.send('You are not authorized to access this page.'); } }

Passport provides a few of these utility middlewares out of the box. It seems
intimidating at first and I could spend a long time explaining it, but it
would be much better just to dive in and give it a try. You can even head over
to their IRC, which is #passportjs if I remember correctly, and ask which
strategy would be best for your application and get started from there.

