I find your question a little bit hard to understand. Here is my understanding:
If this is correct, I would suggest you proceed in the following way:
Have different REST APIs for different purposes. Don't mix up the APIs meant for your normal users with those used by external apps. If some logic should be reused, put it in a module and just require it from different route handlers.
Protect the APIs meant for external apps with an OAuth strategy.
Protect the APIs meant for regular users with a different authentication mechanism, e.g. passport-local.
Let us know if this solves your problem or you meant something different.