けんき says to YSITD // that the password is correct and then invoke cb with a user object, which // will be set at req.user in route handlers after authentication.