La stratégie locale de passeport effectuée le rappel ne transmet pas le message d'erreur json

J'essaie de transmettre un message JSON lorsque l'authentification échoue, en utilisant le rappel terminé dans la LocalStrategy, mais tout ce que j'obtiens est 401 et la chaîne "non autorisée" dans la réponse.

var express = require('express');
var bodyParser = require('body-parser');
var passport = require('passport');
var LocalStrategy = require('passport-local').Strategy;

var app = express();
app.use(bodyParser.json());
app.use(passport.initialize());

passport.serializeUser(function(user, done) {
    done(null, user.email);
});

var strategy = new LocalStrategy({ usernameField: 'email' },
    function (email, password, done) {
        if (email === '[email protected]' && password === 'pass') {
            return done(null, { email: '[email protected]' });
        } else {
            // never get this json object on the client side when posting invalid credentials
            return done(null, false, { message: 'invalid email or password' });
        }
    }
);

passport.use(strategy);

app.post('/login', passport.authenticate('local'), function(req, res) {
    console.log(req.user);
    res.json(req.user);
});


app.get('/', function(req, res) {
    res.json({ message: 'hello!' });
});

var server = app.listen(3000, function() {
    console.log('api is listening on ', server.address().port);
});

package.json

{
  "name": "passport_example",
  "version": "1.0.0",
  "description": "",
  "main": "app.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "body-parser": "^1.13.3",
    "express": "^4.13.3",
    "passport": "^0.2.2",
    "passport-local": "^1.0.0"
  }
}

Qu'est-ce que je fais mal?