Express framework, ~20 mins

Admin vs user route protection in Express - Practice Questions

Challenge - 5 Problems
Component behavior
intermediate
What happens when a non-admin user accesses an admin-only route?

Consider an Express app with middleware that checks if a user is an admin before allowing access to admin routes.

What will be the response if a logged-in user without admin rights tries to access /admin/dashboard?

Express
app.use('/admin', (req, res, next) => {
  if (!req.user || !req.user.isAdmin) {
    return res.status(403).send('Access denied');
  }
  next();
});

app.get('/admin/dashboard', (req, res) => {
  res.send('Welcome to admin dashboard');
});
A. The user receives a 403 status with an 'Access denied' message.
B. The user is redirected to the login page.
C. The user sees 'Welcome to admin dashboard'.
D. The server crashes with an error.
💡 Hint

Think about what the middleware does when the user is not an admin.

📝 Syntax
intermediate
Which middleware correctly protects user routes but allows admins?

Choose the middleware that allows access to /user/profile only if the user is logged in, but admins can access all routes.

A. app.use('/user', (req, res, next) => { if (!req.user && !req.user.isAdmin) return res.status(401).send('Login required'); next(); });
B. app.use('/user', (req, res, next) => { if (!req.user) return res.redirect('/login'); next(); });
C. app.use('/user', (req, res, next) => { if (!req.user || req.user.isAdmin) return res.status(401).send('Login required'); next(); });
D. app.use('/user', (req, res, next) => { if (!req.user) return res.status(401).send('Login required'); next(); });
💡 Hint

Admins are also users, so check if the user is logged in regardless of admin status.

🔧 Debug
advanced
Why does the admin route allow all users despite the middleware?

Given this middleware, why does the /admin/settings route allow non-admin users?

Express
app.use('/admin', (req, res, next) => {
  if (!req.user.isAdmin) {
    res.status(403).send('Forbidden');
    return;
  }
  next();
});

app.get('/admin/settings', (req, res) => {
  res.send('Admin settings');
});
A. Because the middleware is not attached to the /admin route.
B. Because req.user.isAdmin is always true by default.
C. Because the middleware calls next() even after sending a response, allowing the route handler to run.
D. Because the route handler overrides the middleware response.
💡 Hint

Think about what happens after res.status(403).send() is called.

State output
advanced
What is the value of req.user in the admin middleware after login?

Assuming a login middleware sets req.user = { id: 1, isAdmin: true }, what will req.user be inside this admin middleware?

Express
app.use((req, res, next) => {
  req.user = { id: 1, isAdmin: true };
  next();
});

app.use('/admin', (req, res, next) => {
  // What is req.user here?
  next();
});
A. { id: 1, isAdmin: true }
B. undefined
C. null
D. {}
💡 Hint

Middleware runs in order. What does the first middleware do?

🧠 Conceptual
expert
Which approach best separates admin and user route protection in Express?

You want to protect admin routes and user routes separately in an Express app. Which design is best?

A. Use a single middleware that checks whether the user is logged in and an admin for all routes, then allow or deny accordingly.
B. Use two separate middleware functions: one that checks whether the user is logged in for user routes, and another that checks whether the user is an admin for admin routes.
C. Check the user role inside each route handler instead of in middleware.
D. Allow all users to access all routes and rely on the frontend to hide admin features.
💡 Hint

Think about code clarity and security best practices.
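The two-guard design from the last question, together with the "forgot to stop after sending" bug from the debug question, worked through as an added example that is not part of the quiz. It drives the (req, res, next) chain with a small constructed stand-in for Express, so no server is needed; requireLogin, requireAdmin, leakyAdmin and runChain are names chosen here.

```javascript
// Added example (not quiz code): the two-guard design, driven without a real
// Express server. requireLogin/requireAdmin/runChain are names chosen here.

// Guard for /user routes: any authenticated user, admins included, passes.
function requireLogin(req, res, next) {
  if (!req.user) return res.status(401).send('Login required'); // return ends the chain
  next();
}

// Guard for /admin routes: must be logged in AND isAdmin. Checking req.user
// first avoids a TypeError when nobody is logged in.
function requireAdmin(req, res, next) {
  if (!req.user || !req.user.isAdmin) return res.status(403).send('Access denied');
  next();
}

// Buggy variant from the debug question: responds but does not stop, so
// next() runs the route handler anyway.
function leakyAdmin(req, res, next) {
  if (!req.user || !req.user.isAdmin) res.status(403).send('Access denied');
  next();
}

// Minimal stand-in for Express (constructed): runs guards in order, then the
// handler, recording the one response sent. A second send() throws, as
// Express does once headers are sent.
function runChain(user, guards, handler) {
  const out = { status: 200, body: null, sent: false };
  const res = {
    status(code) { out.status = code; return this; },
    send(body) {
      if (out.sent) throw new Error('Cannot set headers after they are sent');
      out.sent = true; out.body = body; return this;
    },
  };
  const req = { user };
  let i = 0;
  const next = () => (i < guards.length ? guards[i++](req, res, next) : handler(req, res));
  next();
  return out;
}

const dashboard = (req, res) => res.send('Welcome to admin dashboard');
const profile = (req, res) => res.send('Your profile');
// Sample principals (constructed)
const anon = undefined, member = { id: 2, isAdmin: false }, admin = { id: 1, isAdmin: true };
```

With the correct guards a non-admin gets 403 on /admin and an admin passes /user as an ordinary logged-in user; with leakyAdmin the handler's send() collides with the 403 already sent.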