Authentication
Authentication on the backend is handled using Passport.js in combination with Express sessions.
When a user successfully authenticates, Passport serializes the user's ID into the session. The session is managed by Express and stored as an encrypted cookie on the client. The encryption uses a secret known only to the backend.
Session data (the serialized user reference and any related metadata) is persisted in the backend database through the configured session store.
On subsequent requests, Express automatically decrypts the cookie, looks up the session in the database, and Passport deserializes the stored user data, restoring the authenticated user context.
This means users stay logged in until their session expires or they explicitly log out.