AuthController.js

// api/controllers/AuthController.js

var passport = require('passport');

var AuthController = {

	login: function (req,res)
	{
		res.view();
	},

	process: function(req, res)
	{
		passport.authenticate('local', function(err, user, info)
		{
			if ((err) || (!user))
			{
				res.redirect('/login');
				return;
			}

			req.logIn(user, function(err)
			{
				if (err)
				{
					res.view();
					return;
				}
				
				res.redirect('/');
				return;
			});
		})(req, res);
	},

	logout: function (req,res)
	{
		req.logout();
		res.redirect('/');
	}

};

module.exports = AuthController;

authenticated.js

// api/policies/authenticated.js

// We use passport to determine if we're authenticated
module.exports = function(req, res, next)
{
	if (req.isAuthenticated())
		return next();
	
	res.redirect('/auth/login');
}

bootstrap.js

// config/bootstrap.js

module.exports.bootstrap = function (cb) {
	
	var passport = require('passport')
	  , LocalStrategy = require('passport-local').Strategy;	
	
	// Passport session setup.
	// To support persistent login sessions, Passport needs to be able to
	// serialize users into and deserialize users out of the session. Typically,
	// this will be as simple as storing the user ID when serializing, and finding
	// the user by ID when deserializing.
	passport.serializeUser(function(user, done) {
		done(null, user.id);
	});
	
	passport.deserializeUser(function(id, done) {
		User.findOne(id).done(function (err, user) {
			done(err, user);
		});
	});
	
	
	// Use the LocalStrategy within Passport.
	// Strategies in passport require a `verify` function, which accept
	// credentials (in this case, a username and password), and invoke a callback
	// with a user object. In the real world, this would query a database;
	// however, in this example we are using a baked-in set of users.
	passport.use(new LocalStrategy(
		function(username, password, done) {
		
			// Find the user by username. If there is no user with the given
			// username, or the password is not correct, set the user to `false` to
			// indicate failure and set a flash message. Otherwise, return the
			// authenticated `user`.
			findByUsername(username, function(err, user) {
				if (err) { return done(err); }
				if (!user) { return done(null, false, { message: 'Unknown user ' + username }); }
				if (user.password != password) { return done(null, false, { message: 'Invalid password' }); }
				return done(null, user);
			});
		}
	));

	// It's very important to trigger this callack method when you are finished
	// with the bootstrap!  (otherwise your server will never lift, since it's waiting on the bootstrap)
	cb();
};

express.js

// config/express.js

var passport = require('passport');

module.exports.express = {
    customMiddleware: function (app) {
		app.use(passport.initialize());
		app.use(passport.session());
	}
};

login.ejs

// views/auth/login.ejs

<form action="/login" method="post">
  <div>
    <label>Username:</label>
    <input type="text" name="username"/>
  </div>
  <div>
    <label>Password:</label>
    <input type="password" name="password"/>
  </div>
  <div>
    <input type="submit" value="Submit"/>
  </div>
</form>

policies.js

// config/policies.js

/**
* Policy defines middleware that is run before each controller/controller.
* Any policy dropped into the /middleware directory is made globally available through sails.middleware
* Below, use the string name of the middleware
*/
module.exports.policies = {
  // default require authentication
  // see api/policies/authenticated.js
	'*': 'authenticated',

  // whitelist the auth controller
	'auth':
	{
		'*': true
	}
};

signup.ejs

// views/auth/signup.ejs

<form action="/user/create" method="post">
	<p>
		<label for="username">Username:</label>
		<input id="username" type="text" name="username"/>
	</p>
	<p>
		<label for="password">Password:</label>
		<input id="password" type="password" name="password"/>
	</p>
	<p>
		<input type="submit" value="Sign Up"/>
	</p>
</form>