write a middleware function such as:
function needUser(req, res, next) {
if (!req.session.user) {
res.redirect('/login');
return;
}
next();
}
Any routes that are publicly available to not-logged-in users can just ignore this and be set up as normal. Any routes that require a logged-in user can include this as a middleware.
app.get('/inbox', needUser, inboxRoute);