well, I don't know how express.js works, but from what I'm seeing there are two things:

— first: you should add a middleware to return a session with a cookie.

— second: I don't see any cookies being sent or saved in the api/login.