What a great article! I am currently working on a project that needs authentication... I find this useful.
Hi, I'm a newbie to web dev. I am not sure how a website keeps a user logged in. The method I can implement is storing the user's username & plain password in localStorage, then whenever the user opens my website, I use JavaScript to send their username & password to log them in automatically. I heard a user's plain password should not be stored anywhere, so this is a bad idea; however, I have not figured out how the token/session id works, i.e., how to create the token, how to verify it, where to store it, how to revoke it, how to prevent the user from modifying it, etc. I want to learn how to implement these before trying others' existing frameworks.
generateAccessToken returns a different token for the same payload each time, right? And is it done by converting { expiresIn: '1800s' } to the actual timestamp, or purely by hash function "magic"?
Can external JavaScript read localStorage and cookies? E.g., I store the user's plain password in localStorage and I include an external foo (say jQuery) library; can the code in the foo library read the password?
Ader Chox
Software Development
Thank you, but never store passwords in JWTs; this is bad practice and better removed from the article.