What’s the appropriate HTTP status code to return if a user tries logging in with an incorrect username / password, but correct format?

If you are strictly using the HTTP authentication framework provided by RFC 7235 for your REST API, the correct HTTP code would actually be 401. From the RFC: "The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The server generating a …"

passport.js passport.initialize() middleware not in use

Follow the example to avoid the out-of-order middleware hell that Express makes it so easy to enter. Straight from the docs. Note how yours does not match this exactly.

```js
var express = require('express');
var passport = require('passport');

var app = express();
app.use(require('serve-static')(__dirname + '/../../public'));
app.use(require('cookie-parser')());
app.use(require('body-parser').urlencoded({ extended: true }));
// express-session must be registered before passport.session(),
// since passport.session() reads the login state from req.session
app.use(require('express-session')({ secret: 'keyboard cat', resave: true, saveUninitialized: true }));
app.use(passport.initialize());
app.use(passport.session());
```

Docs: cookieParser, session …