express passport local strategy auth user

I am trying to validate a username + password for a login.(sessions/cookies not included here)

My app.js

var express = require('express');
var bodyParser = require('body-parser')
var passport = require('passport');
var LocalStrategy = require('passport-local').Strategy;


var indexRouter = require('./routes/index');
var usersRouter = require('./routes/users');

var app = express();

//Use mongo connection
//Set up mongoose connection
var mongoose = require('mongoose');
var mongoDB = 'mongodb://username:pass@ds145293.mlab.com:45293/employees';
mongoose.connect(mongoDB,{ useNewUrlParser: true });
mongoose.Promise = global.Promise;
var db = mongoose.connection;
db.on('error', console.error.bind(console, 'MongoDB connection error:'))
db.once('open', function() {
  console.log('connected')
});

//passport localstrategy
passport.use(new LocalStrategy(
  function(username, password, cb) {
    User.findOne({ username: username }, function(err, user) {
      if (err) { return cb(err); }
      if (!user) { return cb(null, false); }
      if (user.password != password) { return cb(null, false); }
      return cb(null, user);
    });
}));

// view engine setup
//using express.json,url_encoded,bodyparser,urlencoded

app.use(passport.initialize());

//using routes
// catch 404 and forward to error handler  
// error handler

module.exports = app;

my router file looks like this:

var express = require('express');
var router = express.Router();
var User = require('../models/user_model');
var passport = require('passport');
var LocalStrategy = require('passport-local').Strategy;

/* GET home page. */

router.get('/login' , (req , res) => {
  res.render('login')
})

router.post('/login',
  passport.authenticate('local', { failureRedirect: '/login' , successRedirect: '/profile',}),
  )

router.get('/profile' , (req , res) => {
  res.send("Secret page")
})

Both my form + model have only 2 fields username & password.Model is User. If I enter wrong details i get redirected to login,but it doesnt auth correct details.