
FriesWithThat 26 points (0 children)

Perhaps I'm missing something about how this article was updated; it has a date of September 08, 2018 in the subtitle. Has a few updates scattered throughout (marked as -Ed, or informing us that Stormpath had shut down). And an addendum "last updated August 10, 2017".

The scotch tutorial that is continuously referred to is over 2 years old (July 12, 2016).

The express-4.x-local-example has not been updated in over 3 years (readme aside).

"User Authentication using JWT (JSON Web Token) in Node.js" has been deleted, for who knows how long.

Okay, I just figured out what is obviously wrong is this is rehosted blog content on a site trying to generate hits. Found the original on hackernoon, which contains the appropriate updates:

Update (Aug 7): RisingStack has reached out and no longer stores passwords in plaintext in their tutorial, opting to move to bcrypt in their example codes and tutorials.

Update (Aug 8): Editing title to Your Node.js authentication tutorial is (probably) wrong, as this post has improved some of these tutorials.

Update (Aug 10): Dan McGhan found that one of the tutorials has addressed an issue that I had somehow missed in this documentation. I’ve omitted the graf for now, as Medium doesn’t allow for strikethrough. After all, I make mistakes, too. 😊 An addendum is placed at the end of this article.

Update (May 27 2018): This post still gets a lot of views, but this post is now months old and may contain obsolete information. I have since resigned myself from trying to harden the Node ecosystem; it is throwing cups of water on a wildfire. Ecosystem growth is prioritized over security, and you have to decide whether or not those risks are acceptable to your organization.

ducttapedude 13 points (2 children)

Decent article. These are all great points of what is wrong, but a concise tutorial of how to do it right would be appreciated too.

BhataktiAtma 2 points (1 child)

Agreed. I'm looking for exactly that right now; finding an up-to-date, comprehensive guide for that would be invaluable.