Express framework, ~20 mins

Admin vs user route protection in Express - Practice Questions

Challenge - 5 Problems
Component behavior
intermediate
What happens when a non-admin user accesses an admin-only route?

Consider an Express app with middleware that checks if a user is an admin before allowing access to admin routes.

What will be the response if a logged-in user without admin rights tries to access /admin/dashboard?

Express
app.use('/admin', (req, res, next) => {
  if (!req.user || !req.user.isAdmin) {
    return res.status(403).send('Access denied');
  }
  next();
});

app.get('/admin/dashboard', (req, res) => {
  res.send('Welcome to admin dashboard');
});
A. The user receives a 403 status with 'Access denied' message.
B. The user is redirected to the login page.
C. The user sees 'Welcome to admin dashboard'.
D. The server crashes with an error.
💡 Hint

Think about what the middleware does when the user is not an admin.

📝 Syntax
intermediate
Which middleware correctly protects user routes but allows admins?

Choose the middleware that allows access to /user/profile only if the user is logged in, but admins can access all routes.

A. app.use('/user', (req, res, next) => { if (!req.user && !req.user.isAdmin) return res.status(401).send('Login required'); next(); });
B. app.use('/user', (req, res, next) => { if (!req.user) return res.redirect('/login'); next(); });
C. app.use('/user', (req, res, next) => { if (!req.user || req.user.isAdmin) return res.status(401).send('Login required'); next(); });
D. app.use('/user', (req, res, next) => { if (!req.user) return res.status(401).send('Login required'); next(); });
💡 Hint

Admins are also users, so check if the user is logged in regardless of admin status.

🔧 Debug
advanced
Why does the admin route allow all users despite the middleware?

Given this middleware, why does the /admin/settings route allow non-admin users?

Express
app.use('/admin', (req, res, next) => {
  if (!req.user.isAdmin) {
    res.status(403).send('Forbidden');
    return;
  }
  next();
});

app.get('/admin/settings', (req, res) => {
  res.send('Admin settings');
});
A. Because the middleware is not attached to the /admin route.
B. Because req.user.isAdmin is always true by default.
C. Because the middleware calls next() even after sending a response, allowing the route handler to run.
D. Because the route handler overrides the middleware response.
💡 Hint

Think about what happens after res.status(403).send() is called.

State output
advanced
What is the value of req.user in the admin middleware after login?

Assuming a login middleware sets req.user = { id: 1, isAdmin: true }, what will req.user be inside this admin middleware?

Express
app.use((req, res, next) => {
  req.user = { id: 1, isAdmin: true };
  next();
});

app.use('/admin', (req, res, next) => {
  // What is req.user here?
  next();
});
A. { id: 1, isAdmin: true }
B. undefined
C. null
D. {}
💡 Hint

Middleware runs in order. What does the first middleware do?

🧠 Conceptual
expert
Which approach best separates admin and user route protection in Express?

You want to protect admin routes and user routes separately in an Express app. Which design is best?

A. Use a single middleware that checks if the user is logged in and admin for all routes, then allow or deny accordingly.
B. Use two separate middleware functions: one that checks if the user is logged in for user routes, and another that checks if the user is admin for admin routes.
C. Check the user role inside each route handler instead of middleware.
D. Allow all users to access all routes and rely on the frontend to hide admin features.
💡 Hint

Think about code clarity and security best practices.

Practice

1. What is the main purpose of using middleware for admin vs user route protection in Express?
easy
A. To check user roles and allow or deny access accordingly
B. To speed up the server response time
C. To log every request made to the server
D. To change the URL of the route dynamically

Solution

  1. Step 1: Understand middleware role

    Middleware runs before route handlers and can check conditions like user roles.
  2. Step 2: Role-based access control

    Middleware can allow access only if the user has the right role, such as admin or user.
  3. Final Answer:

    To check user roles and allow or deny access accordingly -> Option A
  4. Quick Check:

    Middleware controls access = D [OK]
Hint: Middleware checks roles to protect routes [OK]
Common Mistakes:
  • Thinking middleware speeds up server
  • Confusing middleware with logging only
  • Believing middleware changes URLs
2. Which of the following is the correct way to apply middleware for admin route protection in Express?
easy
A. app.get('/admin', (req, res) => adminMiddleware, res.send('Admin page'));
B. app.get('/admin', adminMiddleware, (req, res) => { res.send('Admin page'); });
C. app.use('/admin', (req, res) => { adminMiddleware(); res.send('Admin page'); });
D. app.get('/admin', (req, res) => { res.send('Admin page'); adminMiddleware(); });

Solution

  1. Step 1: Understand middleware placement

    Middleware should be passed as a second argument before the route handler function.
  2. Step 2: Check syntax correctness

    app.get('/admin', adminMiddleware, (req, res) => { res.send('Admin page'); }); correctly places adminMiddleware between route path and handler.
  3. Final Answer:

    app.get('/admin', adminMiddleware, (req, res) => { res.send('Admin page'); }); -> Option B
  4. Quick Check:

    Middleware before handler = A [OK]
Hint: Middleware goes between path and handler in route [OK]
Common Mistakes:
  • Calling middleware inside handler instead of passing it
  • Using middleware after sending response
  • Passing middleware as a function call instead of reference
3. Given this middleware and route code, what will be the response if a user with role 'user' tries to access '/admin'?
function adminMiddleware(req, res, next) {
  if (req.user.role === 'admin') next();
  else res.status(403).send('Access denied');
}
app.get('/admin', adminMiddleware, (req, res) => {
  res.send('Welcome Admin');
});
medium
A. 'Access denied' with status 403
B. 'Welcome Admin'
C. Server error due to missing next()
D. Empty response with status 200

Solution

  1. Step 1: Analyze middleware condition

    The middleware checks if req.user.role is 'admin'. If not, it sends 403 with 'Access denied'.
  2. Step 2: User role is 'user'

    Since role is 'user', the else branch runs, sending 403 and 'Access denied'.
  3. Final Answer:

    'Access denied' with status 403 -> Option A
  4. Quick Check:

    Non-admin blocked with 403 = A [OK]
Hint: Check role condition in middleware to predict response [OK]
Common Mistakes:
  • Assuming next() always runs
  • Ignoring status code sent by middleware
  • Thinking response is 'Welcome Admin' for all roles
4. Identify the error in this Express route protection code:
function adminMiddleware(req, res, next) {
  if (req.user.role === 'admin') next();
  else res.send('Access denied');
}
app.get('/admin', adminMiddleware, (req, res) => {
  res.send('Admin area');
});
medium
A. Route handler should be before middleware
B. Middleware should not call next()
C. Missing status code when sending 'Access denied'
D. req.user.role check is incorrect syntax

Solution

  1. Step 1: Check middleware response

    When denying access, the middleware sends a message but does not set an HTTP status code.
  2. Step 2: Importance of status code

    Without status 403, the client gets status 200, which is misleading for an access denial.
  3. Final Answer:

    Missing status code when sending 'Access denied' -> Option C
  4. Quick Check:

    Send 403 on denial = C [OK]
Hint: Always send status code with error messages [OK]
Common Mistakes:
  • Not setting status code on error
  • Calling next() after sending response
  • Placing middleware after route handler
5. You want to protect two routes: '/admin' for admins only and '/profile' for logged-in users. Which Express setup correctly applies middleware for this scenario?
function authMiddleware(req, res, next) {
  if (req.user) next();
  else res.status(401).send('Login required');
}
function adminMiddleware(req, res, next) {
  if (req.user?.role === 'admin') next();
  else res.status(403).send('Admin only');
}
// Which setup is correct?
hard
A. app.get('/admin', adminMiddleware, authMiddleware, (req, res) => res.send('Admin')); app.get('/profile', adminMiddleware, (req, res) => res.send('Profile'));
B. app.get('/admin', (req, res) => res.send('Admin')); app.get('/profile', authMiddleware, (req, res) => res.send('Profile'));
C. app.get('/admin', authMiddleware, (req, res) => res.send('Admin')); app.get('/profile', adminMiddleware, (req, res) => res.send('Profile'));
D. app.get('/admin', authMiddleware, adminMiddleware, (req, res) => res.send('Admin')); app.get('/profile', authMiddleware, (req, res) => res.send('Profile'));

Solution

  1. Step 1: Understand middleware order

    For '/admin', user must be logged in (authMiddleware) and have admin role (adminMiddleware).
  2. Step 2: Apply correct middleware per route

    '/profile' only needs authMiddleware to check login. app.get('/admin', authMiddleware, adminMiddleware, (req, res) => res.send('Admin')); app.get('/profile', authMiddleware, (req, res) => res.send('Profile')); applies both correctly in order.
  3. Final Answer:

    app.get('/admin', authMiddleware, adminMiddleware, (req, res) => res.send('Admin')); app.get('/profile', authMiddleware, (req, res) => res.send('Profile')); -> Option D
  4. Quick Check:

    Auth then admin for admin route = B [OK]
Hint: Check middleware order: auth before admin [OK]
Common Mistakes:
  • Reversing middleware order
  • Using adminMiddleware alone for profile
  • Not protecting admin route with authMiddleware
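The two failure modes quizzed above, the Debug challenge's middleware that keeps going after sending a 403 and practice question 5's auth-then-admin ordering, can be exercised without a server using the following added example. It is not code from the practice page or from Express itself: `makeRes` and `runChain` are hypothetical helpers that imitate how Express calls a route's functions in order (and how a second `res.send()` throws, as Node's `ERR_HTTP_HEADERS_SENT` does), and `leakyAdminMiddleware`, `adminMiddleware`, `authMiddleware` and `makeSettingsHandler` are names assumed for this illustration.

```javascript
// Added example, not code from the practice page: a tiny stand-in for Express's
// middleware chain so the two points above can be run without a server.
// runChain and makeRes are hypothetical helpers that mimic Express behaviour:
// functions run in order, next() hands off to the following one, and a second
// res.send() throws like Node's ERR_HTTP_HEADERS_SENT.

function makeRes() {
  const res = {
    statusCode: 200,
    body: undefined,
    sent: false,
    status(code) { res.statusCode = code; return res; },
    send(body) {
      if (res.sent) throw new Error('Cannot set headers after they are sent to the client');
      res.sent = true;
      res.body = body;
      return res;
    },
  };
  return res;
}

// Runs stack[0], which may call next() to run stack[1], and so on. Errors thrown
// by any function are captured rather than crashing, as Express would pass them
// to its error handler.
function runChain(stack, req) {
  const res = makeRes();
  const errors = [];
  let i = 0;
  function next() {
    const fn = stack[i++];
    if (!fn) return;
    try { fn(req, res, next); } catch (e) { errors.push(e.message); }
  }
  next();
  return { status: res.statusCode, body: res.body, errors };
}

// The Debug question's shape: no `return` after the 403, so next() runs anyway.
function leakyAdminMiddleware(req, res, next) {
  if (!req.user || !req.user.isAdmin) {
    res.status(403).send('Forbidden');
  }
  next(); // BUG: reached for denied users too
}

// Corrected form: return after sending so the chain stops here.
function adminMiddleware(req, res, next) {
  if (!req.user || !req.user.isAdmin) {
    return res.status(403).send('Forbidden');
  }
  next();
}

function authMiddleware(req, res, next) {
  if (!req.user) return res.status(401).send('Login required');
  next();
}

// A handler with a side effect, so we can see whether it ran for a denied user.
function makeSettingsHandler(log) {
  return (req, res) => {
    log.push(`settings changed by ${req.user ? req.user.id : 'anonymous'}`);
    res.send('Admin settings');
  };
}

// Leaky chain: the client still gets the first response (403), but the handler ran.
function demoLeaky(user) {
  const log = [];
  const result = runChain([leakyAdminMiddleware, makeSettingsHandler(log)], { user });
  return { ...result, log };
}

// Practice question 5, option D: auth first, then admin, then the handler.
function demoFixed(user) {
  const log = [];
  const result = runChain([authMiddleware, adminMiddleware, makeSettingsHandler(log)], { user });
  return { ...result, log };
}

// Practice question 5, option A's order: admin before auth. An anonymous visitor
// gets 403 'Forbidden' rather than the 401 'Login required' the auth layer intends.
function demoReversed(user) {
  const log = [];
  const result = runChain([adminMiddleware, authMiddleware, makeSettingsHandler(log)], { user });
  return { ...result, log };
}

console.log(demoLeaky({ id: 2, isAdmin: false }));  // status 403, but log has one entry
console.log(demoFixed({ id: 2, isAdmin: false }));  // status 403, log empty
console.log(demoFixed({ id: 1, isAdmin: true }));   // status 200, 'Admin settings'
console.log(demoReversed(undefined));               // status 403 instead of 401
```

The leaky case is the one worth noticing: the client still sees the 403 because the first write wins, so a browser-level check looks fine, yet `log` shows the handler's side effect ran for the denied user and `errors` records the second send failing. Stopping the chain with `return` (or an `else` branch) is what actually prevents the handler from running.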