1) serializeUser is called when a session is created for the user (after successful authentication). It is used to store some identifying information about the user (for example, a unique user identifier) in the Express session.
deserializeUser is called on each request; it takes that piece of identifying information from the session and turns it back into a full user record, perhaps with a database query, but that is really up to you: instead of storing only the user ID, you can also store the entire user record in the session. Whether that is possible depends on the kind of user record and session store you use (for example, express.cookieSession limits how much data you can store in the session).
This is what storing the entire user record might look like:
    const passport = require('passport');

    passport.serializeUser(function(user, done) {
      // Here, 'user' is the object that the verify callback given to
      // 'new LocalStrategy()' passed to done(); calling done() below stores
      // that whole object in the session.
      done(null, user);
    });

    passport.deserializeUser(function(user, done) {
      // Here, 'user' is exactly what serializeUser() stored in the session,
      // so it is handed back unchanged.
      done(null, user);
    });
2) Passport fills in req.user, which you can use in routes or middleware.
3) You can write middleware to implement such checks. This could be a good starting point.
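As an added example (not part of the original answer, and not Passport's own code), here is the other option the answer mentions: storing only the user id in the session and re-reading the record on every request, plus the kind of route-guard middleware point 3 refers to. The users table and findUserById are constructed stand-ins for a database, and login, restoreRequest and runGuard are constructed stand-ins for what Passport does around the two hooks (req.login(), passport.session(), and calling a middleware), so the file runs offline with plain Node. In a real app you would register serializeUser and deserializeUser with passport.serializeUser() and passport.deserializeUser() and drop the harness.

```javascript
'use strict';

// Constructed in-memory user table standing in for a database.
const users = [
  { id: 1, username: 'alice', role: 'admin' },
  { id: 2, username: 'bob', role: 'user' },
];

// Stand-in for a DB lookup. It calls back synchronously so the example runs
// without a database; a real query would be asynchronous.
function findUserById(id, cb) {
  const user = users.find((u) => u.id === id) || null;
  cb(null, user);
}

// Register with passport.serializeUser(serializeUser).
// Only the id goes into the session: it stays small enough for a cookie-backed
// session store, and the record is re-read on each request, so a role change
// or account deletion takes effect immediately instead of at the next login.
function serializeUser(user, done) {
  done(null, user.id);
}

// Register with passport.deserializeUser(deserializeUser).
function deserializeUser(id, done) {
  findUserById(id, (err, user) => {
    if (err) return done(err);
    // `false` tells Passport the session refers to a user that no longer
    // exists: req.user stays unset and the request continues as anonymous.
    done(null, user || false);
  });
}

// Route guard: app.get('/account', ensureAuthenticated, handler).
function ensureAuthenticated(req, res, next) {
  if (req.isAuthenticated && req.isAuthenticated()) return next();
  return res.status(401).json({ error: 'login required' });
}

// Role check layered on top: app.delete('/users/:id', ensureRole('admin'), handler).
function ensureRole(role) {
  return function (req, res, next) {
    if (!req.isAuthenticated || !req.isAuthenticated()) {
      return res.status(401).json({ error: 'login required' });
    }
    if (req.user.role !== role) return res.status(403).json({ error: 'forbidden' });
    return next();
  };
}

// ---- Constructed harness imitating what Passport does around the hooks ----

// What req.login(user) does: serialize the user and park the key in the session.
function login(session, user) {
  serializeUser(user, (err, key) => {
    if (err) throw err;
    session.passport = { user: key };
  });
  return session;
}

// What passport.session() does on each request: read the key back,
// deserialize it, and expose req.user / req.isAuthenticated().
function restoreRequest(session) {
  const req = { session, user: undefined, isAuthenticated() { return !!this.user; } };
  const key = session.passport && session.passport.user;
  if (key === undefined) return req;
  deserializeUser(key, (err, user) => {
    if (err) throw err;
    if (user) req.user = user;
  });
  return req;
}

// Runs a middleware against a request and reports what it decided.
function runGuard(middleware, req) {
  const result = { status: 200, next: false };
  const res = {
    status(code) { result.status = code; return this; },
    json() { return this; },
  };
  middleware(req, res, () => { result.next = true; });
  return result;
}

// Constructed walk-through: log in as alice, then replay a stale session
// whose user id (99) no longer exists in the table.
const session = login({}, users[0]);
console.log('stored in session:', session.passport);
const aliceReq = restoreRequest(session);
console.log('req.user restored:', aliceReq.user.username);
console.log('admin guard for alice:', runGuard(ensureRole('admin'), aliceReq));
const staleReq = restoreRequest({ passport: { user: 99 } });
console.log('auth guard for deleted user:', runGuard(ensureAuthenticated, staleReq));
```

The session ends up holding `{ user: 1 }` rather than the whole record, which is the difference between this pattern and the snippet in the answer; the stale-session case shows why deserializeUser should return `false` for a missing user rather than throwing, so the request is simply treated as unauthenticated and rejected by the guard.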