auth.restrict = function(req, res, next){ if (!req.session.userid) { req.session. . session on any route except auth routes - for me they are /login and /auth/:provider ): returnTo if user goes to another page after login redirect (thats doesn't require .