Extend PassportStrategy(Strategy, 'local') and implement validate(username, password). Call the strategy from a login route using @UseGuards(AuthGuard('local')). The validate() method receives credentials extracted by Passport, verifies them via AuthService, and returns the user object that becomes request.user.
Pass { usernameField: 'email' } to super() when the login field is named email instead of username.
validate() throws UnauthorizedException to reject — returning null also triggers a 401 via handleRequest().
Never compare passwords with === — always use bcrypt.compare() for timing-safe hash comparison.
The value returned by validate() is attached to request.user before the controller handler runs.
AuthGuard('local') must be on the login route only; do not put it on the registration route or any other route.
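The credential check behind validate(), as an added example that is not part of the original page and is not NestJS's own code. So that it runs without dependencies it assumes Node's built-in scrypt and timingSafeEqual as stand-ins for bcrypt.hash()/bcrypt.compare(), a local UnauthorizedException class in place of the one from @nestjs/common, and a constructed in-memory user list; the dummy-hash comparison for unknown emails goes beyond what the text above states.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from 'node:crypto';

// Local stand-in for @nestjs/common's UnauthorizedException (assumption, so the file runs alone).
class UnauthorizedException extends Error {
  readonly status = 401;
}

interface UserRecord { id: number; email: string; passwordHash: string }
type SafeUser = Omit<UserRecord, 'passwordHash'>;

// Stand-ins for bcrypt.hash() / bcrypt.compare(): salted scrypt plus a constant-time compare.
function hashPassword(password: string, salt = randomBytes(16).toString('hex')): string {
  return `${salt}:${scryptSync(password, salt, 32).toString('hex')}`;
}

function comparePassword(password: string, stored: string): boolean {
  const [salt, digest] = stored.split(':');
  const expected = Buffer.from(digest, 'hex');
  return timingSafeEqual(scryptSync(password, salt, expected.length), expected);
}

// Constructed sample user store (hypothetical data).
const USERS: UserRecord[] = [
  { id: 1, email: 'alice@example.test', passwordHash: hashPassword('correct horse battery') },
];
// Compared against when the email is unknown, so both failure paths do the same hashing work.
const DUMMY_HASH = hashPassword(randomBytes(16).toString('hex'));

// Body of LocalStrategy.validate(email, password) once usernameField is 'email'.
function validate(email: string, password: string): SafeUser {
  const user = USERS.find((u) => u.email === email);
  const ok = comparePassword(password, user ? user.passwordHash : DUMMY_HASH);
  if (!user || !ok) {
    // Same exception and message whether the email or the password was wrong.
    throw new UnauthorizedException('Invalid credentials');
  }
  // This object becomes request.user, so the stored hash is left out of it.
  return { id: user.id, email: user.email };
}

// Hypothetical helper for callers and tests: returns the rejection status instead of throwing.
function tryLogin(email: string, password: string): SafeUser | number {
  try {
    return validate(email, password);
  } catch (e) {
    if (e instanceof UnauthorizedException) return e.status;
    throw e;
  }
}
```

In a real NestJS project the body of validate() moves into the PassportStrategy(Strategy, 'local') subclass and the user lookup into AuthService.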