Bird
Raised Fist0
Expressframework~20 mins

Protecting routes with auth middleware in Express - Practice Problems & Coding Challenges

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallPerf

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Challenge - 5 Problems
🎖️
Auth Middleware Master
Get all challenges correct to earn this badge!
Test your skills under time pressure!
component_behavior
intermediate
2:00remaining
What happens when a user without a valid token accesses a protected route?

Consider this Express middleware that checks for a token in the request headers before allowing access to a route.

function authMiddleware(req, res, next) {
  const token = req.headers['authorization'];
  if (!token) {
    return res.status(401).send('Access denied. No token provided.');
  }
  next();
}

app.get('/dashboard', authMiddleware, (req, res) => {
  res.send('Welcome to your dashboard');
});

What will the server respond if a request to /dashboard has no authorization header?

AThe server crashes with an error because token is undefined
BThe server responds with status 200 and message 'Welcome to your dashboard'
CThe server responds with status 401 and message 'Access denied. No token provided.'
DThe server responds with status 403 and message 'Forbidden'
Attempts:
2 left
💡 Hint

Think about what the middleware does when the token is missing.

📝 Syntax
intermediate
2:00remaining
Identify the syntax error in this auth middleware

Look at this Express middleware code meant to protect routes:

function auth(req, res, next) {
  const token = req.headers.authorization
  if (!token) {
    res.status(401).send('Unauthorized')
  } else {
    next()
  }
}

What is the syntax error that will cause this code to fail?

AMissing semicolon after <code>const token = req.headers.authorization</code>
BMissing <code>return</code> before <code>res.status(401).send(...)</code> causing response to continue
CMissing parentheses in <code>next</code> call
DNo syntax error; code is valid
Attempts:
2 left
💡 Hint

Check if the code syntax matches JavaScript rules.

🔧 Debug
advanced
2:00remaining
Why does this auth middleware allow access without a token?

Review this middleware:

function authMiddleware(req, res, next) {
  const token = req.headers['authorization'];
  if (token) {
    next();
  }
  res.status(401).send('Unauthorized');
}

What is the problem with this code?

AIt always sends 401 after calling next(), causing headers to be sent twice
BIt never calls next(), so requests hang
CIt allows access even without a token because next() is always called
DIt throws a runtime error because res.status is undefined
Attempts:
2 left
💡 Hint

Consider what happens after next() is called.

state_output
advanced
2:00remaining
What is the value of req.user after this auth middleware runs?

Given this middleware that verifies a token and adds user info:

function authMiddleware(req, res, next) {
  const token = req.headers['authorization'];
  if (!token) {
    return res.status(401).send('No token');
  }
  // Simulate token verification
  if (token === 'valid-token') {
    req.user = { id: 123, name: 'Alice' };
    next();
  } else {
    res.status(403).send('Invalid token');
  }
}

What will req.user be inside the route handler if the request header authorization is valid-token?

AThrows an error because req.user is not set
B{ id: 123, name: 'Alice' }
Cnull
Dundefined
Attempts:
2 left
💡 Hint

Look at where req.user is assigned.

🧠 Conceptual
expert
3:00remaining
Which option correctly protects multiple routes with the same auth middleware?

You want to protect these routes so only authenticated users can access them:

app.get('/profile', authMiddleware, (req, res) => { res.send('Profile page'); });
app.get('/settings', authMiddleware, (req, res) => { res.send('Settings page'); });

Which approach is best to avoid repeating authMiddleware on every route?

ADefine a new router, apply <code>authMiddleware</code> to it, then mount the router for those routes
BUse <code>app.use(authMiddleware)</code> before defining the routes to apply it globally
CWrap each route handler in a function that calls <code>authMiddleware</code> manually
DAdd <code>authMiddleware</code> only to the first route; others inherit it automatically
Attempts:
2 left
💡 Hint

Think about grouping routes and applying middleware efficiently.

Practice

(1/5)
1. What is the main purpose of auth middleware in an Express app?
easy
A. To check if a user is allowed to access a route
B. To format the response data before sending
C. To log every request made to the server
D. To serve static files like images and CSS

Solution

  1. Step 1: Understand middleware role

    Middleware runs before route handlers to process requests.

  2. Step 2: Identify auth middleware function

    Auth middleware specifically checks user permissions to allow or deny access.

  3. Final Answer:

    To check if a user is allowed to access a route -> Option A

  4. Quick Check:

    Auth middleware = Access control [OK]
Hint: Auth middleware controls access to routes [OK]
Common Mistakes:
  • Confusing auth middleware with logging middleware
  • Thinking middleware serves static files
  • Assuming middleware formats response data
2. Which of the following is the correct way to use auth middleware for a route in Express?
easy
A. app.get('/profile', authMiddleware, (req, res) => { res.send('Profile'); });
B. app.get(authMiddleware, '/profile', (req, res) => { res.send('Profile'); });
C. app.get('/profile', (req, res) => { authMiddleware(); res.send('Profile'); });
D. app.get('/profile', (req, res) => { res.send('Profile'); }, authMiddleware);

Solution

  1. Step 1: Recall Express route syntax

    Middleware functions come before the final route handler in the argument list.

  2. Step 2: Check each option's order

    Only app.get('/profile', authMiddleware, (req, res) => { res.send('Profile'); }); places authMiddleware correctly before the handler function.

  3. Final Answer:

    app.get('/profile', authMiddleware, (req, res) => { res.send('Profile'); }); -> Option A

  4. Quick Check:

    Middleware before handler = app.get('/profile', authMiddleware, (req, res) => { res.send('Profile'); }); [OK]
Hint: Middleware goes before the route handler function [OK]
Common Mistakes:
  • Placing middleware after the handler
  • Passing middleware as the first argument instead of path
  • Calling middleware inside the handler instead of passing it
3. Given this auth middleware, what will happen when a request without a valid token hits the protected route? 
function authMiddleware(req, res, next) {
  if (req.headers.authorization === 'valid-token') {
    next();
  } else {
    res.status(401).send('Unauthorized');
  }
}

app.get('/dashboard', authMiddleware, (req, res) => {
  res.send('Welcome to dashboard');
});
medium
A. The user sees 'Welcome to dashboard' regardless of token
B. The server crashes due to missing next() call
C. The user gets a 401 Unauthorized response if token is missing or invalid
D. The user gets a 404 Not Found error

Solution

  1. Step 1: Analyze authMiddleware logic

    If the authorization header equals 'valid-token', next() is called to continue.

  2. Step 2: Check behavior when token is missing or invalid

    Else block sends 401 Unauthorized response and does not call next(), blocking access.

  3. Final Answer:

    The user gets a 401 Unauthorized response if token is missing or invalid -> Option C

  4. Quick Check:

    Invalid token = 401 Unauthorized [OK]
Hint: Middleware sends 401 if token invalid, else calls next() [OK]
Common Mistakes:
  • Assuming next() is always called
  • Thinking user always sees dashboard
  • Confusing 401 with 404 errors
4. Identify the error in this auth middleware code: 
function authMiddleware(req, res, next) {
  if (!req.user) {
    res.status(403).send('Forbidden');
  }
  next();
}
medium
A. Missing call to next() inside the if block
B. next() is called even after sending a response, causing an error
C. Status code 403 is incorrect for unauthorized access
D. req.user should be checked with req.auth instead

Solution

  1. Step 1: Understand middleware flow

    If !req.user is true, response is sent with status 403.

  2. Step 2: Check what happens after sending response

    next() is called unconditionally after the if block, so it runs even after response sent, causing errors.

  3. Final Answer:

    next() is called even after sending a response, causing an error -> Option B

  4. Quick Check:

    Call next() only if no response sent [OK]
Hint: Do not call next() after sending a response [OK]
Common Mistakes:
  • Calling next() after res.send()
  • Not stopping middleware after response
  • Using wrong status codes for auth errors
5. You want to protect multiple routes with the same auth middleware and also log the user ID if authenticated. Which is the best way to do this? 
function authMiddleware(req, res, next) {
  if (!req.headers.authorization) {
    return res.status(401).send('Unauthorized');
  }
  req.userId = req.headers.authorization;
  next();
}

// How to apply this middleware and log userId for routes '/profile' and '/settings'?
hard
A. Apply authMiddleware after route handlers to log userId
B. Add authMiddleware only to '/profile' route and log userId in '/settings' without middleware
C. Call authMiddleware inside each route handler manually before logging userId
D. Use app.use(authMiddleware) before defining both routes, then log req.userId inside each route handler

Solution

  1. Step 1: Understand middleware application

    app.use(authMiddleware) applies middleware to all routes defined after it, protecting multiple routes easily.

  2. Step 2: Logging userId in route handlers

    Since authMiddleware sets req.userId, route handlers can access and log it safely after middleware runs.

  3. Final Answer:

    Use app.use(authMiddleware) before defining both routes, then log req.userId inside each route handler -> Option D

  4. Quick Check:

    Use app.use for shared middleware [OK]
Hint: Use app.use(authMiddleware) to protect many routes [OK]
Common Mistakes:
  • Applying middleware only to some routes inconsistently
  • Calling middleware inside handlers manually
  • Applying middleware after route handlers