I’m using passport.js with a local strategy for authentication, and I’m using sessions/cookies for keeping state and keeping the user logged in.
I’m not very knowledgeable in security (that’s why I’m asking here), but will using JWT (with the token stored in the cookie) to keep the user logged in instead of sessions/cookies make my application more secure when the passport middleware executes req.isAuthenticated? I think somewhere in that call it checks cookies or JWT, depending on implementation.
Also, I do not plan on opening the API to other sites, so OAuth is unnecessary. Is my understanding correct?
You're correct in stating that implementing an OAuth provider is unnecessary.
I suggest reading the OWASP security guides. Start with the Session Management Cheat Sheet, and after that Cross-Site Request Forgery (CSRF).
Don't fear the cookies; all their gotchas are well documented and understood. There are lots of valid use cases for stuff like JWT and OAuth, but I wouldn't bother with them at all until you're more comfortable with digging into the AuthN/AuthZ minefield. I'd consider understanding session management with cookies a precursor to trying to do anything fancier.