Advanced Node: Authentication Strategies with Passport

I’m trying to understand how the passport authentication strategy works and when the username and password are actually getting sent to passport.

First, in the Authentication Strategies challenge, we create a local strategy like this:

passport.use(new LocalStrategy(
  function(username, password, done) {
    db.collection('users').findOne({ username: username }, function (err, user) {
      console.log('User '+ username +' attempted to log in.');
      if (err) { return done(err); }
      if (!user) { return done(null, false); }
      if (password !== user.password) { return done(null, false); }
      return done(null, user);

Then in the How to Use Passport Strategies challenge, it’s used as follows:

        .post(passport.authenticate('local', { failureRedirect: '/' }), (req, res) => {

What I’m wondering is how is the local strategy getting the username and password? I was expecting to extract it with something like req.body.username but apparently it isn’t needed?