
Middleware composition for auth layers in Express - Cheat Sheet & Quick Revision

Recall & Review
beginner
What is middleware in Express?
Middleware is a function that runs during the request-response cycle. It can modify the request or response, or end the cycle by sending a response. Middleware helps organize code into reusable steps.
beginner
Why compose multiple middleware functions for authentication?
Composing middleware lets you separate concerns like checking tokens, verifying user roles, and logging. This makes code easier to read, test, and reuse.
beginner
How does Express know to move from one middleware to the next?
Express moves to the next middleware when the current middleware calls the next() function. If next() is not called, the request stops there.
intermediate
What happens if an authentication middleware detects an invalid token?
It usually sends a response with an error status (like 401 Unauthorized) and does not call next(), stopping the request from reaching protected routes.
intermediate
Give an example of composing two middleware functions for auth layers.
You can create one middleware to check if a token exists and another to verify user roles. Then use them together like app.use(checkToken, verifyRole) to protect routes.
What does the next() function do in Express middleware?
A. Ends the request and sends a response
B. Moves to the next middleware in the stack
C. Restarts the server
D. Logs the request details
Which status code is commonly sent when authentication fails?
A. 500 Internal Server Error
B. 200 OK
C. 404 Not Found
D. 401 Unauthorized
Why use multiple middleware functions for auth instead of one big function?
A. To make code modular and easier to maintain
B. To slow down the server
C. To confuse developers
D. To avoid using next()
If a middleware does not call next() or send a response, what happens?
A. The server crashes
B. Express automatically calls next()
C. The request hangs and never finishes
D. The browser reloads
How do you apply multiple middleware functions to a route in Express?
A. app.use(middleware1, middleware2)
B. app.get(middleware1 + middleware2)
C. app.route(middleware1, middleware2)
D. app.listen(middleware1, middleware2)
Explain how middleware composition helps in building authentication layers in Express.
Think about breaking down auth steps into small functions.
    Describe what happens when an Express middleware detects an invalid token during authentication.
    Focus on the flow control and response.

      Practice

      1. What is the main purpose of composing multiple middleware functions for authentication in Express?
      easy
      A. To run several small auth checks in order before allowing access
      B. To combine all auth logic into one big function
      C. To skip authentication for faster response
      D. To handle database queries inside middleware

      Solution

      1. Step 1: Understand middleware composition

        Middleware composition means running multiple middleware functions one after another.
      2. Step 2: Purpose in auth layers

        Using multiple small auth checks in order helps keep code clean and checks each condition separately.
      3. Final Answer:

        To run several small auth checks in order before allowing access -> Option A
      4. Quick Check:

        Middleware composition = multiple small auth checks [OK]
      Hint: Think of middleware as a chain of small checks [OK]
      Common Mistakes:
      • Thinking all auth logic must be in one function
      • Believing middleware skips auth
      • Confusing middleware with database queries
      2. Which of the following is the correct way to apply two middleware functions checkToken and checkRole to an Express route using an array?
      easy
      A. app.get('/admin', checkToken, checkRole, (req, res) => res.send('OK'))
      B. app.get('/admin', checkToken && checkRole, (req, res) => res.send('OK'))
      C. app.get('/admin', [checkToken, checkRole], (req, res) => res.send('OK'))
      D. app.get('/admin', checkToken || checkRole, (req, res) => res.send('OK'))

      Solution

      1. Step 1: Understand Express middleware syntax

        Express accepts multiple middleware as an array or separate arguments before the handler. This question specifies using an array.
      2. Step 2: Check each option

        A uses separate arguments. B and D use logical operators, which are invalid here: each expression evaluates to just one of the two functions, so only one check would run. C correctly uses an array.
      3. Final Answer:

        app.get('/admin', [checkToken, checkRole], (req, res) => res.send('OK')) -> Option C
      4. Quick Check:

        Middleware array syntax = app.get('/admin', [checkToken, checkRole], (req, res) => res.send('OK')) [OK]
      Hint: Use arrays to group middleware in routes [OK]
      Common Mistakes:
      • Using logical operators instead of arrays
      • Passing middleware as a single combined expression
      • Forgetting to include middleware before handler
      3. Given the middleware functions below, what will be the response when a request with req.user = { role: 'user' } hits the route?
      function checkToken(req, res, next) {
        if (!req.user) return res.status(401).send('No token');
        next();
      }
      
      function checkAdmin(req, res, next) {
        if (req.user.role !== 'admin') return res.status(403).send('Forbidden');
        next();
      }
      
      app.get('/secure', [checkToken, checkAdmin], (req, res) => res.send('Welcome admin'));
      medium
      A. Welcome admin
      B. Forbidden
      C. No token
      D. Internal Server Error

      Solution

      1. Step 1: Analyze checkToken middleware

        It checks if req.user exists. Here req.user is { role: 'user' }, so it passes and calls next().
      2. Step 2: Analyze checkAdmin middleware

        It checks if req.user.role is 'admin'. Here it is 'user', so it returns 403 Forbidden response.
      3. Final Answer:

        Forbidden -> Option B
      4. Quick Check:

        Role check fails = Forbidden [OK]
      Hint: Check middleware order and conditions carefully [OK]
      Common Mistakes:
      • Assuming role 'user' passes admin check
      • Ignoring middleware that sends response early
      • Confusing status codes
      4. Identify the error in this middleware composition code:
      function auth(req, res, next) {
        if (!req.headers.authorization) {
          res.status(401).send('Unauthorized');
        }
        next();
      }
      
      app.get('/data', auth, (req, res) => res.send('Data'));
      medium
      A. Missing return after sending 401 response, so next() runs anyway
      B. Middleware should be async function
      C. Route handler missing res.end() call
      D. Authorization header check should be in route handler

      Solution

      1. Step 1: Check middleware flow

        If the authorization header is missing, it sends 401 but does not stop execution.
      2. Step 2: Identify missing return

        Without return after res.status(401).send(), next() is called anyway, so the route handler still runs for a request that was already rejected.
      3. Final Answer:

        Missing return after sending 401 response, so next() runs anyway -> Option A
      4. Quick Check:

        Send response must stop middleware with return [OK]
      Hint: Always return after sending response in middleware [OK]
      Common Mistakes:
      • Calling next() after sending response
      • Thinking async needed for simple middleware
      • Putting auth logic in route handler
      5. You want to create a reusable middleware group for routes that require both token validation and admin role check. Which is the best way to compose and apply these middlewares in Express?
      hard
      A. Use a global app.use() for all routes regardless of auth needs
      B. Create a single middleware combining both checks and use it in routes
      C. Call each middleware manually inside the route handler function
      D. Use an array of separate middlewares and apply the array to routes

      Solution

      1. Step 1: Understand middleware grouping

        Grouping middlewares as an array keeps each check separate and reusable.
      2. Step 2: Compare options

        Option D uses an array of middlewares applied to routes, which is clean and composable. Option B merges the checks into one middleware, losing modularity. Option C calls each middleware manually inside the handler, which is error-prone. Option A applies auth globally, which is not selective.
      3. Final Answer:

        Use an array of separate middlewares and apply the array to routes -> Option D
      4. Quick Check:

        Middleware arrays = reusable and clean [OK]
      Hint: Group middlewares in arrays for reuse [OK]
      Common Mistakes:
      • Combining all logic into one middleware
      • Calling middleware inside handlers manually
      • Applying auth globally without route control