Authentication strategy for REST API and mobile app


Now you can use Passport.js with JWT (JSON Web Tokens) with Passport-JWT. It's pretty easy to use.

Once a user is logged in, you send a token to the user. The token contains data about the user, like an id (encoded, of course). On the subsequent requests (at least where authentication is required) you make sure that the client sends the token. On the server, you can see who sent the request (and e.g. check the user's authorization) just by looking at the token. For more info on how JWTs work, check this out.

There are different ways to send the token. Just have a look at the docs and it'll be clear. If not, this also helped me.


There is an example of a RESTful service with OAuth2 authentication: https://github.com/vedi/restifizer-example. I hope it will help.


I feel you need to set up a Token Based Authentication process in your server, so you can make requests from different types of clients (Android, iOS, Web, etc.). Unfortunately, Passport documentation (and Passport-based tutorials) seems to be aimed at "web applications" only, so I do not think you should be using it for those purposes.

I did something similar following this great tutorial: http://code.tutsplus.com/tutorials/token-based-authentication-with-angularjs-nodejs--cms-22543

The client part in this tutorial is based on AngularJS, but you can easily apply the same principles in a mobile client (it is just a matter of making HTTP requests including a token retrieved when you post to "/signin" or "/authenticate").

Good luck!