Recall & Review
beginner
What is the main purpose of JWT token verification middleware in an Express app?
It checks if the incoming request has a valid JWT token to allow access to protected routes.
beginner
Which HTTP header usually carries the JWT token in requests?
The 'Authorization' header, often with the format 'Bearer <token>'.
beginner
What happens if the JWT token is missing or invalid in the verification middleware?
The middleware sends a 401 Unauthorized response and stops the request from reaching protected routes.
intermediate
How does the middleware verify the JWT token?
It uses a secret key or public key to decode and check the token's signature and expiration.
intermediate
Why is it important to place JWT verification middleware before protected route handlers?
So that only requests with valid tokens can access those routes, protecting sensitive data or actions.
Which Express middleware function is best for verifying JWT tokens?
A. A function that reads the Authorization header and checks the token
B. A function that logs request times
C. A function that serves static files
D. A function that parses JSON bodies
JWT verification middleware reads the Authorization header to check the token's validity.
What status code should the middleware return if the JWT token is invalid?
A. 200 OK
B. 404 Not Found
C. 401 Unauthorized
D. 500 Internal Server Error
401 Unauthorized indicates the client is not authorized due to invalid or missing credentials.
Where is the JWT token usually stored on the client side for sending with requests?
A. In the server memory
B. In the URL path
C. In the request body
D. In a cookie or local storage
Clients often store JWT tokens in cookies or local storage to send them in Authorization headers.
Which library is commonly used in Express apps to verify JWT tokens?
A. jsonwebtoken
B. express-session
C. cors
D. body-parser
The 'jsonwebtoken' library provides functions to sign and verify JWT tokens.
What does the 'Bearer' keyword in the Authorization header mean?
A. It is a cookie name
B. It indicates the token type is a bearer token
C. It is a password
D. It is a username
'Bearer' means the token is a bearer token, which grants access to the bearer.
Explain how JWT token verification middleware works in an Express app.
Think about the steps from receiving a request to deciding if it can access protected routes.
Describe why JWT token verification middleware is important for securing Express routes.
Consider what could happen if you skip token checks on protected routes.
Practice
1. What is the main purpose of JWT token verification middleware in an Express app?
easy
A. To check if the incoming request has a valid JWT token before allowing access
B. To store user sessions on the server
C. To encrypt the user's password before saving
D. To serve static files like images and CSS
Solution
Step 1: Understand JWT middleware role
JWT middleware checks the token sent by the client to confirm identity.
Step 2: Compare options with JWT purpose
Only "To check if the incoming request has a valid JWT token before allowing access" describes verifying a token before access, which is the middleware's job.
Final Answer:
To check if the incoming request has a valid JWT token before allowing access -> Option A
Quick Check:
JWT middleware verifies token [OK]
Hint: JWT middleware always verifies token validity before access [OK]
Common Mistakes:
Confusing JWT with session storage
Thinking JWT middleware encrypts passwords
Assuming middleware serves static files
2. Which of the following is the correct way to extract the JWT token from the Authorization header in Express middleware?
easy
A. const token = req.headers.authorization.split(' ')[1];
B. const token = req.body.token;
C. const token = req.query.token;
D. const token = req.cookies.token;
Solution
Step 1: Identify standard JWT token location
JWT tokens are usually sent in the Authorization header as 'Bearer token'.
Step 2: Extract token correctly
Splitting the header string by space and taking the second part gets the token.
Final Answer:
const token = req.headers.authorization.split(' ')[1]; -> Option A
Quick Check:
Authorization header split [OK]
Hint: JWT token is after 'Bearer ' in Authorization header [OK]
Common Mistakes:
Trying to get token from body or query instead of header
Not splitting the header string
Assuming token is in cookies by default
3. Given this Express JWT middleware snippet, what happens if the token is invalid?
B. Missing return after sending 401 response causes jwt.verify to run anyway
C. Token is extracted incorrectly from headers
D. next() is called inside catch block instead of try block
Solution
Step 1: Check handling when token is missing
If token is missing, res.status(401).send() is called but no return statement stops execution.
Step 2: Understand consequence of missing return
Without return, code continues and jwt.verify runs with undefined token, causing errors or unexpected behavior.
Final Answer:
Missing return after sending 401 response causes jwt.verify to run anyway -> Option B
Quick Check:
Return needed after 401 response [OK]
Hint: Always return after sending response to stop middleware [OK]
Common Mistakes:
Forgetting to return after res.send()
Assuming jwt.verify secret is wrong here
Misreading token extraction line
5. You want to protect multiple routes with JWT verification but also allow public access to some routes. Which is the best way to apply JWT middleware in Express?
hard
A. Apply JWT middleware after route handlers to catch errors
B. Apply JWT middleware globally to all routes and skip it conditionally inside middleware
C. Apply JWT middleware only to protected routes using router.use or route-specific middleware
D. Apply JWT middleware only once in app.listen callback
Solution
Step 1: Understand middleware scope
Applying middleware globally affects all routes, including public ones, which is not ideal.
Step 2: Use route-specific middleware for protection
Applying JWT middleware only on protected routes keeps public routes accessible without token.
Final Answer:
Apply JWT middleware only to protected routes using router.use or route-specific middleware -> Option C
Quick Check:
Protect routes selectively with middleware [OK]
Hint: Use middleware only on routes needing protection [OK]
Common Mistakes:
Applying middleware globally and skipping inside code