@engram-design
Last active December 16, 2015 10:09
var express = require('express'),
passport = require('passport'),
LocalStrategy = require('passport-local').Strategy;
// Demo fixture: a one-entry, in-memory user table.
// NOTE(review): the password is stored in plaintext, which is only tolerable
// for a throwaway sample. A real user store keeps a salted, slow password hash
// (bcrypt, scrypt or Argon2) and never the password itself.
var users = [
  {
    id: 1,
    username: 'bob',
    password: 'secret',
    email: 'bob@example.com'
  }
];
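/**
 * Look up a user record by its id and hand it to a Node-style callback.
 *
 * The original implementation used `id - 1` as an array index, which returns
 * the wrong record (or none) as soon as ids are not exactly 1..n in array
 * order. This version matches on the stored `id` field instead.
 *
 * @param {number|string} id - User id; numeric strings are accepted, as before.
 * @param {function(?Error, Object=)} fn - Called with (null, user) on a match,
 *   or with an Error when no user has that id.
 */
function findById(id, fn) {
  // Number() keeps the coercion the old `id - 1` arithmetic performed, so an
  // id that arrives as the string '1' still resolves to user 1.
  var wanted = Number(id);
  for (var i = 0; i < users.length; i++) {
    if (users[i].id === wanted) {
      fn(null, users[i]);
      return;
    }
  }
  fn(new Error('User ' + id + ' does not exist'));
}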
/**
 * Find the first user whose username is exactly equal to `username`.
 *
 * A missing user is not an error: the callback then receives (null, null).
 *
 * @param {string} username - Name to match with strict equality.
 * @param {function(?Error, ?Object)} fn - Called with (null, user) or (null, null).
 * @returns {*} Whatever `fn` returns.
 */
function findByUsername(username, fn) {
  var match = null;
  users.some(function (candidate) {
    if (candidate.username === username) {
      match = candidate;
      return true; // stop at the first hit
    }
    return false;
  });
  return fn(null, match);
}
// Keep only the user's id in the session; the full record is re-read from that
// id by the deserializeUser handler.
passport.serializeUser(function keepUserId(user, done) {
  var sessionKey = user.id;
  done(null, sessionKey);
});
// Turn the id stored in the session back into a user record via findById.
// NOTE(review): findById reports a missing user as an Error, so a session whose
// user no longer exists surfaces as a request error rather than as "not logged
// in" - confirm that is the intended behaviour.
passport.deserializeUser(function loadSessionUser(id, done) {
  findById(id, function onLookup(lookupErr, account) {
    done(lookupErr, account);
  });
});
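// Register the username/password ("local") strategy. The verify callback looks
// the user up by name and compares the submitted password with the stored one.
//
// NOTE(review): the two failure messages differ, so anything that displays them
// tells the caller whether a username exists; a single generic message avoids
// that. The comparison is against a plaintext password, which is acceptable
// only for this demo - production code verifies a salted, slow hash.
passport.use(new LocalStrategy(
  function(username, password, done) {
    findByUsername(username, function(err, user) {
      // Surface lookup failures instead of reporting them as "unknown user".
      if (err) {
        return done(err);
      }
      if (!user) {
        return done(null, false, { message: 'Unknown user ' + username });
      }
      // Require a string and compare strictly: with `!=`, a non-string value
      // (for example an array built by the request parser) is coerced to a
      // string first and can compare equal to the stored password.
      if (typeof password !== 'string' || user.password !== password) {
        return done(null, false, { message: 'Invalid password' });
      }
      return done(null, user);
    });
  }
));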
// Create the Express app and register its middleware stack. Middleware runs in
// registration order, so the cookie and session middleware are added before
// passport.session(), and the router is added last.
var app = express();
app.configure(function() {
app.use(express.bodyParser());
app.use(express.methodOverride());
app.use(express.cookieParser());
// NOTE(review): 'keyboard cat' is a widely published sample value. The session
// cookie is only as trustworthy as this secret, so load it from configuration
// that is not committed with the code, and replace it if it was ever published.
// No cookie options are passed here, so the library defaults apply.
app.use(express.session({ secret: 'keyboard cat' }));
app.use(passport.initialize());
app.use(passport.session());
app.use(app.router);
});
// using GET just for easy testing...
// NOTE(review): with GET the username and password travel in the query string,
// where they end up in server logs, browser history and intermediaries; move
// to POST with the credentials in the request body once testing is done.
// NOTE(review): the sample user records define `id` but no `_id` or `_rev`, so
// both properties are undefined for them - confirm the intended field names.
app.get('/session', passport.authenticate('local'), function sessionInfo(req, res) {
  var account = req.user;
  res.json({_id: account._id, _rev: account._rev});
});
// Start the HTTP server on port 3000 and log once it is listening.
// NOTE(review): no host argument is given, so the bind address is Node's
// default; for a demo that ships a known credential, passing '127.0.0.1'
// keeps it reachable from the local machine only.
app.listen(3000, function onListening() {
  console.log('Express server listening on port 3000');
});
@engram-design

Visiting http://127.0.0.1:3000/session?username=bob&password=secret2 simply results in Unauthorized rather than the expected { message: 'Invalid password' }

@jaredhanson

You need to add flash support and set the relevant options if you want to display flash messages. Look at this example for inspiration: https://github.com/jaredhanson/passport-local/tree/master/examples/express3

@engram-design

@jaredhanson Ah - good point. Whoops!

As far as I can tell, this doesn't work without a redirect? So the POST itself doesn't return anything

// Failure target: answers with whatever messages were flashed under 'error'.
// NOTE(review): the flashed text comes from the strategy's verify callback,
// whose messages differ for an unknown user and a wrong password; returning
// them verbatim tells a caller which usernames exist. A single generic
// failure message avoids that.
app.get('/login', function showLoginErrors(req, res) {
    var messages = req.flash('error');
    res.json(messages);
});

// On failure, redirect to /login with the message flashed; on success, answer
// with the authenticated user's identifiers.
app.post('/session', passport.authenticate('local', {
    failureRedirect: '/login',
    failureFlash: true
}), function sessionCreated(req, res) {
    var account = req.user;
    res.json({_id: account._id, _rev: account._rev});
});

Anyway, this seems by design so I won't waste any more of your time. Thanks so much for your help!
