To me it’s unnecessary.
It’s not saving me any work. I have to write the configuration, the callback, and the user schema. To me, it’s just easier for me to just write a middleware for that.
And I don’t see there is any security enforcement I am getting cuz I am writing my own verify callback anyway.
So, I don’t see any reason that I should use it.