So you got a really cool idea for an app or a service. You get all fired up, talk to your friends about it, write down some bullet points and run that exciting git init command in an empty folder. One of the first things you are most likely to do in the very near future is begin working on some kind of user login and registration process.


Of course, passport.js is great when you can leverage external authentication, but otherwise you are stuck rolling your own system… After a while you find yourself doing it over and over again. How boring! Wouldn’t it be nice if somebody finally just wrote a module that you could plug into your express app and that would take care of all this user registration stuff?

Well, look no further than lockit (GitHub: zeMirco/lockit, License: MIT), a collection of modules written by Mirco Zeiss that helps you with the initial user registration and password management flow.

npm install lockit


  1. Supports multiple database adapters (MongoDB, CouchDB, SQL).
  2. Sends confirmation emails.
  3. Manages email address verification with verification link expiration.
  4. Brings its own Bootstrap based views which are easy to customize.
  5. Account locking after too many failed login attempts.
  6. Events for login, logout, signup and delete.
  7. Implementation of lots of best practices.
  8. Authentication for SPAs and CSRF support.
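To make the account-locking feature in the list concrete, here is an added example of what such a lock looks like in plain Node. It is not lockit's code: the threshold of 5 attempts, the 20 minute lock window and the in-memory accounts table are assumptions of this example, standing in for the per-user fields lockit keeps in its database adapter.

```javascript
// Added example, not lockit's implementation: lock an account after too
// many failed logins. Threshold and lock window are assumed values; the
// in-memory table stands in for the user record in the database.
var MAX_FAILED_ATTEMPTS = 5;
var LOCK_DURATION_MS = 20 * 60 * 1000;

var accounts = Object.create(null);   // username -> { failed: n, lockedUntil: ms }

function accountState(username) {
  if (!accounts[username]) accounts[username] = { failed: 0, lockedUntil: 0 };
  return accounts[username];
}

// attemptLogin wraps the password check. checkPassword is whatever compares
// the submitted password with the stored hash; it is not even called while
// the account is locked, so a correct guess inside the lock window neither
// logs in nor reveals that it was correct. Returns 'ok', 'failed' or 'locked'.
function attemptLogin(username, checkPassword, now) {
  now = typeof now === 'number' ? now : Date.now();
  var state = accountState(username);
  if (state.lockedUntil > now) return 'locked';
  if (checkPassword()) {
    state.failed = 0;                // a successful login clears the counter
    return 'ok';
  }
  state.failed += 1;
  if (state.failed >= MAX_FAILED_ATTEMPTS) {
    state.failed = 0;                // counter restarts once the lock expires
    state.lockedUntil = now + LOCK_DURATION_MS;
    return 'locked';
  }
  return 'failed';
}

// secondsUntilUnlock feeds the "try again in N minutes" message
function secondsUntilUnlock(username, now) {
  now = typeof now === 'number' ? now : Date.now();
  return Math.max(0, Math.ceil((accountState(username).lockedUntil - now) / 1000));
}
```

Note the trade-off any lock like this carries: whoever knows a username can lock that user out by sending five wrong passwords, so keep the lock window short, rate limit by source address as well, and show the same message for unknown usernames so the lock does not double as a username oracle.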


var express = require('express');
var Lockit = require('lockit');
var app = express();

// express middleware
// ...
// sessions are required (cookieParser has to come before session;
// replace the secret with a long random value)
app.use(express.cookieParser('your secret here'));
app.use(express.session());

var config = {
  db: 'mongodb://',        // connection URL of your database
  dbCollection: 'users'
};

// use middleware before router so your own routes have access to
// req.session.email and req.session.username
var lockit = new Lockit(app, config);

// you now have all the routes like /login, /signup, etc.
// and you can listen on events. For example 'signup'
lockit.on('signup', function(user, res) {
  console.log('a new user signed up');

  // set signup.handleResponse to 'false' for this to work
  res.send('Welcome!');
});

// continue with express middleware
// ...


By default no emails are sent at all. That means you won’t receive any signup and password reset tokens. To send emails you need an email server and you have to pass the right settings. With Mailgun you can send up to 10,000 emails per month for free. For emailSettings see nodemailer for more information.

config = {
  emailType: 'SMTP',
  emailSettings: {
    service: 'Mailgun',
    auth: {
      user: 'postmaster@username.mailgun.org',
      pass: 'secret-password'   // better read from an environment variable than committed to git
    }
  }
};

Custom views

Lockit comes with built-in views based on Bootstrap. If you want to use your own custom views you can, and it is dead simple. Put them into your views folder, for example views/lockit/myLogin.jade, and point the config at them:

config = {
  login: {
    route: '/login',
    logoutRoute: '/logout',
    views: {
      login: 'lockit/myLogin.jade',
      loggedOut: 'lockit/myLogoutSuccess.jade'
    }
  }
};

Routes included

From lockit-signup

  • GET /signup
  • POST /signup
  • GET /signup/:token
  • GET /signup/resend-verification
  • POST /signup/resend-verification

From lockit-login

  • GET /login
  • POST /login
  • GET /logout

From lockit-forgot-password

  • GET /forgot-password
  • POST /forgot-password
  • GET /forgot-password/:token
  • POST /forgot-password/:token

From lockit-delete-account

  • GET /delete-account
  • POST /delete-account
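Lockit provides the routes above; your own routes still have to decide who may reach them. The setup code says that, because lockit runs before your router, logged-in users have req.session.email and req.session.username set, and that is all a guard needs. The middleware below is an added example, not part of lockit; it assumes lockit's login page lives at the default /login and that the session is populated the way the setup comment describes.

```javascript
// Added example, not part of lockit: protect your own Express routes using
// the session fields lockit fills in on login. Assumes lockit's login page
// is at /login (its default route in the config above).
var LOGIN_ROUTE = '/login';

// requireLogin: Express middleware for routes only logged-in users may reach.
// It trusts only the server-side session, never anything sent by the client.
function requireLogin(req, res, next) {
  if (req.session && typeof req.session.email === 'string' && req.session.email) {
    return next();
  }
  // SPA / AJAX callers get a 401 they can act on instead of an HTML redirect
  if (req.xhr) {
    return res.status(401).json({ error: 'login required' });
  }
  return res.redirect(LOGIN_ROUTE);
}

// Usage in the app (express is not loaded here so the example runs stand-alone):
//   app.get('/dashboard', requireLogin, function (req, res) {
//     res.send('hello ' + req.session.username);
//   });

// runGuard drives the middleware with a constructed request and response so
// its decision can be inspected without a running server.
function runGuard(session, xhr) {
  var outcome = { allowed: false, status: 200, location: null, body: null };
  var req = { session: session, xhr: !!xhr };
  var res = {
    status: function (code) { outcome.status = code; return res; },
    json: function (body) { outcome.body = body; return res; },
    redirect: function (url) { outcome.status = 302; outcome.location = url; return res; }
  };
  requireLogin(req, res, function () { outcome.allowed = true; });
  return outcome;
}
```

Because the guard rests entirely on the session cookie, the 'your secret here' placeholder in the setup code must become a long random secret before this goes anywhere near production; with a guessable secret, anyone can mint a session that claims any email.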

Closing thoughts

I love how customizable lockit is while still coming with very reasonable defaults. It has pretty much everything you need to get started with a basic user registration and password management flow. Check out the lockit GitHub page for the full set of options as well as its associated modules.