It depends heavily on your requirements and on the app type you are going to build (web application or just console daemon, azure function, etc.). Does it require user context or not?
Here are the options available:
- Create Azure AD application, give required permissions to SharePoint and use node-adal library for OAuth (authorization code flow, client creds flow). Works only with Azure AD apps, you may have user context (authorization code flow) or application only permissions with client creds flow. Works for SharePoint online only.
- Create SharePoint addin. Now you have options depending on your requirements.
  a. For SharePoint online you can try to use passport-sharepoint express middleware for authenticating inside SharePoint. You will get user context. It works only with low-trust addins.
  b. If user context is not necessary and it's ok to use addin only permissions everywhere in your app, you can use sp-request. It allows you to create access token with client creds flow for both Online and on-premise.
For mapping consider PnP-JS-Core, but it doesn't work well with nodejs, because the primary purpose of this library is the browser. Hopefully I've created a sample on how you can set it up for nodejs here - node-pnpjs-sample
UPD
You know, there is no "silver bullet" (especially when we are talking about SharePoint and nodejs). For SharePoint Online I would recommend an Azure AD app and node-adal. But you need to think carefully about whether an Azure AD app is acceptable for your requirements. A good starting point for the decision is the following article: deciding between the SharePoint app model and the Office 365 APIs. If you selected Azure AD for SharePoint online, go ahead with node-adal. If you selected SharePoint addin instead of Azure AD app, then you can use either sp-request or passport-sharepoint (again depending on whether user context is required or not).
For on-premise (high-trust) I don't know of a module similar to passport-sharepoint, so if you need user context here, you need to search or implement it on your own. If user context isn't required, you can go ahead with sp-request for on-premise.
Since you are not able to decide right now, maybe it's worthwhile to spend some time trying different options in order to make a decision.
Try to answer the following questions:
- Is that a nodejs web application or console or desktop or daemon service?
- Is authentication for users required?
- Do you need in your app to use user context (run search queries with user identity, separate access to the different parts of the app (or SharePoint) based on the user permissions, list security trimming, etc)?
UPD2
So the problem: a nodejs backend service, which requires user context, needs to talk with SharePoint as a connector between the mobile app and SharePoint.
In that case, as your service needs user context and you are not able to interact with the user directly (because it is a service), I think the mobile app needs to send you authentication data about the user. This depends on the app implementation. That might be an OAuth access token, a cookie, or any other authentication header the mobile app might use. Of course all communication should be performed via a secure https channel.
Your service will attach that authentication data to the http request to SharePoint.
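
The forwarding step described above, sketched for the OAuth access token case only, as an added example that is not part of the original answer. The tenant host `contoso.sharepoint.com`, the function names and the `/_api/` restriction are assumptions made for illustration; the point is that the user's token is only ever attached to an https request for the one SharePoint host the service is meant to reach.

```javascript
// Added example (not from the original answer): build the outgoing SharePoint
// request from the caller's bearer token, refusing any target that would leak it.

// Assumption: placeholder tenant host; replace with the host your service serves.
const ALLOWED_HOST = 'contoso.sharepoint.com';

// Pull the token out of the incoming headers (Node lower-cases header names).
function extractBearer(headers) {
  const value = headers['authorization'] || '';
  // RFC 6750 b64token syntax; rejects empty values and embedded whitespace/CRLF.
  const m = /^Bearer ([A-Za-z0-9\-._~+/]+=*)$/.exec(value);
  if (!m) throw new Error('missing or malformed Authorization header');
  return m[1];
}

// Returns { method, url, headers } for any HTTP client; performs no network I/O.
function buildSharePointRequest(incomingHeaders, siteUrl, apiPath) {
  const token = extractBearer(incomingHeaders);
  const site = new URL(siteUrl);
  if (site.protocol !== 'https:') throw new Error('SharePoint URL must be https');
  if (site.hostname !== ALLOWED_HOST) throw new Error('host not allowed');
  if (!apiPath.startsWith('/_api/')) throw new Error('only /_api/ paths are forwarded');

  const sitePath = site.pathname.replace(/\/$/, '');
  const target = new URL(sitePath + apiPath, site.origin);
  // Dot segments are resolved by URL; make sure we are still under <site>/_api/.
  if (!target.pathname.startsWith(sitePath + '/_api/')) {
    throw new Error('path escapes the site REST endpoint');
  }
  return {
    method: 'GET',
    url: target.href,
    headers: {
      Authorization: `Bearer ${token}`,
      Accept: 'application/json;odata=nometadata',
    },
  };
}
```

The returned object can be handed to whichever HTTP client the service already uses; the token itself should never be written to logs.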