Protecting routes with auth middleware in Express - Cheat Sheet & Quick Revision

Recall & Review
beginner
What is the purpose of auth middleware in Express?
Auth middleware checks if a user is logged in before allowing access to certain routes. It protects routes from unauthorized users.
beginner
How do you apply auth middleware to a specific route in Express?
You add the middleware function as a second argument in the route definition, like: app.get('/dashboard', authMiddleware, (req, res) => {...}).
beginner
What should auth middleware do if the user is not authenticated?
It should stop the request and respond with a status like 401 Unauthorized or redirect the user to a login page.
intermediate
Why is middleware a good way to protect routes?
Middleware lets you reuse the same auth check on many routes without repeating code. It keeps your code clean and organized.
beginner
Show a simple example of auth middleware in Express.
A simple auth middleware checks if req.user exists. If yes, it calls next() to continue. If no, it sends a 401 response.

function authMiddleware(req, res, next) {
  if (req.user) {
    next();
  } else {
    res.status(401).send('Unauthorized');
  }
}
What does auth middleware typically check before allowing access to a route?
A. If the user is logged in
B. If the server is running
C. If the database is connected
D. If the route exists
How do you add middleware to protect a route in Express?
A. Call it inside the route handler
B. Add it as a second argument in the route definition
C. Add it after the route handler
D. Middleware cannot protect routes
What should auth middleware do if the user is not authenticated?
A. Log the user in automatically
B. Call next() to continue
C. Ignore the request
D. Send a 401 Unauthorized response
Why is using middleware good for protecting many routes?
A. It repeats code for each route
B. It slows down the server
C. It keeps code clean and reusable
D. It only works for one route
Which Express method is used to continue to the next middleware or route handler?
A. next()
B. res.send()
C. app.use()
D. req.next()
Explain how auth middleware protects routes in Express and why it is useful.
Think about how middleware acts like a gatekeeper before route handlers.
Write a simple auth middleware function for Express and describe what it does.
Focus on the basic structure and the decision to allow or block access.

      Practice

      1. What is the main purpose of auth middleware in an Express app?
      easy
      A. To check if a user is allowed to access a route
      B. To format the response data before sending
      C. To log every request made to the server
      D. To serve static files like images and CSS

      Solution

      1. Step 1: Understand middleware role

        Middleware runs before route handlers to process requests.
      2. Step 2: Identify auth middleware function

        Auth middleware specifically checks user permissions to allow or deny access.
      3. Final Answer:

        To check if a user is allowed to access a route -> Option A
      4. Quick Check:

        Auth middleware = Access control [OK]
      Hint: Auth middleware controls access to routes [OK]
      Common Mistakes:
      • Confusing auth middleware with logging middleware
      • Thinking middleware serves static files
      • Assuming middleware formats response data
      2. Which of the following is the correct way to use auth middleware for a route in Express?
      easy
      A. app.get('/profile', authMiddleware, (req, res) => { res.send('Profile'); });
      B. app.get(authMiddleware, '/profile', (req, res) => { res.send('Profile'); });
      C. app.get('/profile', (req, res) => { authMiddleware(); res.send('Profile'); });
      D. app.get('/profile', (req, res) => { res.send('Profile'); }, authMiddleware);

      Solution

      1. Step 1: Recall Express route syntax

        Middleware functions come before the final route handler in the argument list.
      2. Step 2: Check each option's order

        Only app.get('/profile', authMiddleware, (req, res) => { res.send('Profile'); }); places authMiddleware correctly before the handler function.
      3. Final Answer:

        app.get('/profile', authMiddleware, (req, res) => { res.send('Profile'); }); -> Option A
      4. Quick Check:

        Middleware before handler = app.get('/profile', authMiddleware, (req, res) => { res.send('Profile'); }); [OK]
      Hint: Middleware goes before the route handler function [OK]
      Common Mistakes:
      • Placing middleware after the handler
      • Passing middleware as the first argument instead of path
      • Calling middleware inside the handler instead of passing it
      3. Given this auth middleware, what will happen when a request without a valid token hits the protected route?
      function authMiddleware(req, res, next) {
        if (req.headers.authorization === 'valid-token') {
          next();
        } else {
          res.status(401).send('Unauthorized');
        }
      }
      
      app.get('/dashboard', authMiddleware, (req, res) => {
        res.send('Welcome to dashboard');
      });
      medium
      A. The user sees 'Welcome to dashboard' regardless of token
      B. The server crashes due to missing next() call
      C. The user gets a 401 Unauthorized response if token is missing or invalid
      D. The user gets a 404 Not Found error

      Solution

      1. Step 1: Analyze authMiddleware logic

        If the authorization header equals 'valid-token', next() is called to continue.
      2. Step 2: Check behavior when token is missing or invalid

        The else block sends a 401 Unauthorized response and does not call next(), which blocks access.
      3. Final Answer:

        The user gets a 401 Unauthorized response if token is missing or invalid -> Option C
      4. Quick Check:

        Invalid token = 401 Unauthorized [OK]
      Hint: Middleware sends 401 if token invalid, else calls next() [OK]
      Common Mistakes:
      • Assuming next() is always called
      • Thinking user always sees dashboard
      • Confusing 401 with 404 errors
      4. Identify the error in this auth middleware code:
      function authMiddleware(req, res, next) {
        if (!req.user) {
          res.status(403).send('Forbidden');
        }
        next();
      }
      medium
      A. Missing call to next() inside the if block
      B. next() is called even after sending a response, causing an error
      C. Status code 403 is incorrect for unauthorized access
      D. req.user should be checked with req.auth instead

      Solution

      1. Step 1: Understand middleware flow

        If !req.user is true, a 403 Forbidden response is sent.
      2. Step 2: Check what happens after sending response

        next() is called unconditionally after the if block, so it runs even after the response has been sent, causing errors.
      3. Final Answer:

        next() is called even after sending a response, causing an error -> Option B
      4. Quick Check:

        Call next() only if no response sent [OK]
      Hint: Do not call next() after sending a response [OK]
      Common Mistakes:
      • Calling next() after res.send()
      • Not stopping middleware after response
      • Using wrong status codes for auth errors
      5. You want to protect multiple routes with the same auth middleware and also log the user ID if authenticated. Which is the best way to do this?
      function authMiddleware(req, res, next) {
        if (!req.headers.authorization) {
          return res.status(401).send('Unauthorized');
        }
        req.userId = req.headers.authorization;
        next();
      }
      
      // How to apply this middleware and log userId for routes '/profile' and '/settings'?
      hard
      A. Apply authMiddleware after route handlers to log userId
      B. Add authMiddleware only to '/profile' route and log userId in '/settings' without middleware
      C. Call authMiddleware inside each route handler manually before logging userId
      D. Use app.use(authMiddleware) before defining both routes, then log req.userId inside each route handler

      Solution

      1. Step 1: Understand middleware application

        app.use(authMiddleware) applies middleware to all routes defined after it, protecting multiple routes easily.
      2. Step 2: Logging userId in route handlers

        Since authMiddleware sets req.userId, route handlers can access and log it safely after middleware runs.
      3. Final Answer:

        Use app.use(authMiddleware) before defining both routes, then log req.userId inside each route handler -> Option D
      4. Quick Check:

        Use app.use for shared middleware [OK]
      Hint: Use app.use(authMiddleware) to protect many routes [OK]
      Common Mistakes:
      • Applying middleware only to some routes inconsistently
      • Calling middleware inside handlers manually
      • Applying middleware after route handlers