sails (v0.8.82) + passport + passport-local Rough Example. For the love of all that is holy, don't use this in production.
// config/application.js
var passport = require('passport')
  , LocalStrategy = require('passport-local').Strategy;

// some static users
var users = [
    { id: 1, username: 'bob', password: 'secret', email: '' }
  , { id: 2, username: 'joe', password: 'birthday', email: '' }
];

// helper functions
function findById(id, fn) {
  var idx = id - 1;
  if (users[idx]) {
    fn(null, users[idx]);
  } else {
    fn(new Error('User ' + id + ' does not exist'));
  }
}

function findByUsername(username, fn) {
  for (var i = 0, len = users.length; i < len; i++) {
    var user = users[i];
    if (user.username === username) {
      return fn(null, user);
    }
  }
  return fn(null, null);
}

// Passport session setup.
// To support persistent login sessions, Passport needs to be able to
// serialize users into and deserialize users out of the session. Typically,
// this will be as simple as storing the user ID when serializing, and finding
// the user by ID when deserializing.
passport.serializeUser(function(user, done) {
  done(null, user.id);
});

passport.deserializeUser(function(id, done) {
  findById(id, function (err, user) {
    done(err, user);
  });
});

// Use the LocalStrategy within Passport.
// Strategies in passport require a `verify` function, which accepts
// credentials (in this case, a username and password), and invokes a callback
// with a user object. In the real world, this would query a database;
// however, in this example we are using a baked-in set of users.
passport.use(new LocalStrategy(
  function(username, password, done) {
    // asynchronous verification, for effect...
    process.nextTick(function () {
      // Find the user by username. If there is no user with the given
      // username, or the password is not correct, set the user to `false` to
      // indicate failure and set a flash message. Otherwise, return the
      // authenticated `user`.
      findByUsername(username, function(err, user) {
        if (err) { return done(err); }
        if (!user) { return done(null, false, { message: 'Unknown user ' + username }); }
        if (user.password != password) { return done(null, false, { message: 'Invalid password' }); }
        return done(null, user);
      });
    });
  }
));

// export
module.exports = {
  // Name of the application (used as default <title>)
  appName: "Sails Application",

  // Port this Sails application will live on
  port: 1337,

  // The environment the app is deployed in
  // (`development` or `production`)
  // In `production` mode, all css and js are bundled up and minified
  // And your views and templates are cached in-memory. Gzip is also used.
  // The downside? Harder to debug, and the server takes longer to start.
  environment: 'development',

  // Custom express middleware - we use this to register the passport middleware
  express: {
    customMiddleware: function(app) {
      app.use(passport.initialize());
      app.use(passport.session());
    }
  }
};
// api/controllers/AuthController.js
var passport = require('passport');
// Action bodies below are reconstructed (the gist shows only the signatures).
var AuthController = {
  login: function (req, res) {
    res.view();
  },
  process: function (req, res) {
    passport.authenticate('local', function(err, user, info) {
      if ((err) || (!user)) {
        return res.redirect('/login');
      }
      req.logIn(user, function(err) {
        if (err) { return res.redirect('/login'); }
        return res.redirect('/');
      });
    })(req, res);
  },
  logout: function (req, res) {
    req.logout();
    res.redirect('/');
  }
};
module.exports = AuthController;
// api/policies/authenticated.js
// We use passport to determine if we're authenticated
module.exports = function(req, res, next) {
  if (req.isAuthenticated()) {
    return next();
  }
  // Not logged in: send to the login form (assumed; the gist's branch is not shown)
  res.redirect('/login');
};
// views/auth/login.ejs
<form action="/login" method="post">
  <input type="text" name="username"/><br/>
  <input type="password" name="password"/>
  <input type="submit" value="Submit"/>
  <p><small>Hint - bob:secret</small></p>
</form>
// config/policies.js
/**
 * Policy defines middleware that is run before each controller action.
 * Any policy dropped into the /middleware directory is made globally available through sails.middleware
 * Below, use the string name of the middleware
 */
module.exports.policies = {
  // default require authentication
  // see api/policies/authenticated.js
  '*': 'authenticated',
  // whitelist the auth controller (keyed by controller name; a second
  // top-level '*' key would instead override the default above and leave
  // every route open)
  'auth': {
    '*': true
  }
};
vicapow commented Mar 16, 2013

thanks for this!


Thanks for this, I have created a working example application here:


Could the user be accessed via the model rather than having it in application.js ?


Great, Gist.

However, you're missing the route configuration for the /login URL. GET /login needs to show the form and POST /login needs to process it.

I made a fork of your Gist and added the code to config/routes.js if you want to copy it into yours.


// config/routes.js
module.exports.routes = {
  // Custom routes for login:
  'get /login': {
    controller: 'auth',
    action: 'login'
  },
  'post /login': {
    controller: 'auth',
    action: 'process'
  }
};
bhanuc commented Jul 18, 2013

Can you suggest some changes which I should make before I use this in production? Also, how can I hash my passwords?

mugli commented Jul 21, 2013

authenticated policy (authenticated.js) crashes for websocket requests. Possible workaround:


Another example, adapted for Sails.js 0.9.x. This example uses basic authentication, but other strategies can be easily plugged in:

Mantish commented Aug 28, 2013

Thanks a lot!
I've forked it and made it compatible with sails 0.9:

anhnt commented Jan 7, 2014

Thanks a lot,
I've forked it and made some changes to authenticate with a database (mysql) as well as to be compatible with Sails 0.98

AnalogJ commented Feb 20, 2014

I've put together a quick tutorial for getting everything working with Sails 0.99. Creating a Sails Application using Passport Authentication


With sails 0.9.x it does not work!!! Help me please!!!

nlt2390 commented Apr 29, 2014

I suggest we should not use:
express: {
customMiddleware: function(app)
Setting up passport like that makes the function "passport.deserializeUser" run many times (passport deserialize runs on every request: all css, js, image files...); we can initialize passport in policies instead:

var passport = require('passport');

module.exports.policies = {
  '*': [ passport.initialize(), passport.session() ]
};

