Is verifying whether a user is an admin based on req.user secure?
I am not terribly familiar with passport but if it is similar to how express-session works, the req.session object is stored in a (potentially encrypted) cookie and so if you build an authentication system off of this, you can store user information in req.session.user and be confident that is is secure.