auth.js
npm package.
Also called NextAuth; formerly called auth-next.js.
Might not be fully supported for user:pass authentication and for implementation on an Express server. Investigate more on this, though.
As per their FAQs “Auth.js is designed for use with Next.js and Serverless.”
2023 reddit response.
Considering your requirement of building the API using express, skipping the NextJS API implementation, then it would seem that passport is a better fit.
Works best for a Next.js full-stack project.
- https://authjs.dev/
- https://authjs.dev/guides/basics/role-based-access-control
- https://www.freecodecamp.org/news/secure-next-js-applications-with-role-based-authentication-using-nextauth/
session strategies
you can implement different session strategies with this lib.
JWT
is the default
When a user signs in, an HttpOnly cookie (making it impossible for client-side JS to access it) is stored in their browser.
Database Sessions
Authjs can create sessions in a database.
The session ID is saved in an HttpOnly cookie.
When the user signs out, the session is deleted from the DB.
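A simplified model of the two strategies, added here as an example (not Auth.js code or its internals): it shows that deleting the DB row ends a database session at once, while a stateless token stays valid until it expires. The HMAC-signed token is a stand-in for the JWT, and all function names, the in-memory `sessionTable` and the cookie name `session` are assumptions made for the illustration.

```javascript
const crypto = require("node:crypto");

const SECRET = crypto.randomBytes(32); // constructed signing key for this demo

// Stateless (JWT-style) strategy: the cookie value itself carries the session.
function issueToken(user, ttlSeconds, now = Date.now()) {
  const claims = { sub: user, exp: now + ttlSeconds * 1000 };
  const payload = Buffer.from(JSON.stringify(claims)).toString("base64url");
  const sig = crypto.createHmac("sha256", SECRET).update(payload).digest("base64url");
  return `${payload}.${sig}`;
}

function verifyToken(token, now = Date.now()) {
  const [payload, sig] = String(token).split(".");
  if (!payload || !sig) return null;
  const expected = crypto.createHmac("sha256", SECRET).update(payload).digest();
  const given = Buffer.from(sig, "base64url");
  // Length check first: timingSafeEqual throws when the lengths differ.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString());
  // No server-side state exists, so expiry is the only way this token ends.
  return claims.exp > now ? claims : null;
}

// Database strategy: the cookie holds only a random ID, the state lives server-side.
const sessionTable = new Map(); // stands in for the sessions table in the DB

function createDbSession(user, ttlSeconds, now = Date.now()) {
  const id = crypto.randomBytes(32).toString("base64url");
  sessionTable.set(id, { sub: user, exp: now + ttlSeconds * 1000 });
  return id;
}

function lookupDbSession(id, now = Date.now()) {
  const row = sessionTable.get(id);
  return row && row.exp > now ? row : null;
}

// Sign-out deletes the row, so the same session ID is rejected immediately.
function signOutDbSession(id) {
  return sessionTable.delete(id);
}

// Set-Cookie value for either strategy; HttpOnly hides it from client-side JS.
function sessionCookie(value) {
  return `session=${value}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}
```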