validate() is called by Passport after it extracts credentials from the request. If it returns a value, Passport attaches it to request.user and canActivate() returns true. If it throws or returns null/false, the guard rejects the request with a 401. The return value is exactly what the handler receives via @Request() or a @CurrentUser() decorator.
validate() is the only method you implement — Passport handles credential extraction and req.user assignment.
Returning a truthy value from validate() causes Passport to call req.logIn() and attach it to req.user.
Returning null or false causes Passport to call UnauthorizedException via handleRequest().
Throwing an exception from validate() propagates to the exception filter as usual.
The value returned by validate() is typed as request.user — use @CurrentUser() for clean injection.