I have custom errors in my LocalStrategy subclass, e.g.:

async comparePassword(entity, password) {
    if (entity.googleId) {
      throw new errors.GSuiteEmail(`Please use 'Sign in with Google' button`)
    }
    return super.comparePassword(entity, password)
}

Because of this, I can't order my strategies as [jwt, local], I have to order them [local, jwt]. But jwt is obviously much more frequently used, and so it seems wasteful that the local has to always be tried first and throw an error right on this line:

if (data.strategy && data.strategy !== this.name) {
      throw new NotAuthenticated(errorMessage);
    }

This has another strange effect, this swallows the error from jwt, even though that's the more appropriate error. (in fact, this point is the same point made above, but reversed).

Proposal: in authentication/core, do not even run those strategies whose name doesn't match data.strategy. Then, check if any strategies were in fact run and only then proceed.

This way:

• only relevant strategies will be executed
• the most appropriate error will be shown
• the ordering of [local, jwt] or [jwt, local] becomes less important