Email / Password Recipe
The local strategy provides classic email and password authentication with bcrypt hashing and a full password reset flow.
Password strength
node-auth does not enforce password complexity by default. Validate password strength in your onRegister callback before creating the user.
Register → Login → Refresh → Logout flow
Password Reset flow
Step 1: Enable LocalStrategy
The local strategy is active by default — no extra configuration needed. Just create your AuthConfigurator:
```typescript
import { AuthConfigurator } from '@nik2208/node-auth';

const auth = new AuthConfigurator(config, userStore);
```
Step 2: Implement IUserStore
Ensure your IUserStore implements the methods required for local auth:
```typescript
export class MyUserStore implements IUserStore {
  async findByEmail(email: string) { /* … */ }
  async findById(id: string) { /* … */ }
  async create(data: Partial<BaseUser>) { /* … */ }
  async updateRefreshToken(userId, token, expiry) { /* … */ }
  async updatePassword(userId, hashedPassword) { /* … */ }
  async updateResetToken(userId, token, expiry) { /* … */ }
  async findByResetToken(token) { /* … */ }
}
```
Step 3: Mount the router
Express:

```typescript
app.use('/auth', auth.router({
  onRegister: async (data, config) => {
    // Validate, then persist
    return userStore.create(data);
  },
}));
```

NestJS:

```typescript
// In AuthController constructor — see NestJS guide
this.router = auth.router({
  onRegister: async (data) => userStore.create(data),
});
```

Next.js:

```typescript
// pages/api/auth/[...auth].ts
export default function handler(req, res) {
  const router = getAuth().router({
    onRegister: async (data) => userStore.create(data),
  });
  req.url = req.url!.replace(/^\/api\/auth/, '') || '/';
  router(req as any, res as any, () => res.status(404).end());
}
```
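One way to do the validation that the password-strength note and the `// Validate, then persist` comment ask for, as an added example rather than node-auth's own code. `RegisterInput`, `checkPassword`, `guardedRegister`, the 12-character minimum and the sample deny list are assumptions; the 72-byte ceiling is there because bcrypt ignores input beyond 72 bytes.

```typescript
// Added example. All names and policy values here are hypothetical, not node-auth API.
interface RegisterInput { email: string; password: string; name?: string }

const MIN_LENGTH = 12;        // assumed policy value
const BCRYPT_MAX_BYTES = 72;  // bcrypt ignores input beyond 72 bytes

// Constructed sample deny list; use a real breached-password list in production.
const COMMON = new Set(['password', 'secret123', 'qwertyuiopas', '123456789012']);

// Returns a list of policy violations; an empty list means the password is accepted.
function checkPassword(input: RegisterInput): string[] {
  const pw = input.password ?? '';
  const lower = pw.toLowerCase();
  const problems: string[] = [];

  if (Array.from(pw).length < MIN_LENGTH) {
    problems.push(`must be at least ${MIN_LENGTH} characters`);
  }
  // Count UTF-8 bytes, not characters: 40 Cyrillic letters are already 80 bytes.
  if (new TextEncoder().encode(pw).length > BCRYPT_MAX_BYTES) {
    problems.push(`must be at most ${BCRYPT_MAX_BYTES} bytes (bcrypt limit)`);
  }
  if (COMMON.has(lower)) problems.push('is a commonly used password');

  const local = input.email.split('@')[0].toLowerCase();
  if (local.length >= 3 && lower.includes(local)) {
    problems.push('must not contain the email name');
  }
  if (new Set(lower).size < 5) problems.push('has too few distinct characters');
  return problems;
}

// Wraps a create function so a rejected password never reaches the user store.
// Usage: onRegister: guardedRegister((data) => userStore.create(data))
// How node-auth reports the thrown error to the client is not covered on this page.
function guardedRegister<T>(create: (data: RegisterInput) => Promise<T>) {
  return async (data: RegisterInput): Promise<T> => {
    const problems = checkPassword(data);
    if (problems.length > 0) throw new Error(`Password ${problems.join('; ')}`);
    return create(data);
  };
}
```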
Step 4: Test the endpoints
```bash
# Register
curl -X POST http://localhost:3000/auth/register \
  -H 'Content-Type: application/json' \
  -d '{"email":"user@example.com","password":"secret123","name":"Jane"}'

# Login
curl -X POST http://localhost:3000/auth/login \
  -H 'Content-Type: application/json' \
  -d '{"email":"user@example.com","password":"secret123"}'
```
Endpoint Reference
| Method | Path | Auth | Description |
|---|---|---|---|
| POST | /auth/login | — | Login with email + password |
| POST | /auth/register | — | Register new user (requires onRegister) |
| POST | /auth/logout | ✅ | Invalidate refresh token + clear cookies |
| POST | /auth/refresh | — | Exchange refresh token for new access token |
| GET | /auth/me | ✅ | Get current user profile |
| POST | /auth/forgot-password | — | Send password reset email |
| POST | /auth/reset-password | — | Reset password with token |
| POST | /auth/change-password | ✅ | Change password for authenticated user |