
Refresh token concept in Express - Practice Problems & Coding Challenges

Challenge - 5 Problems
🧠 Conceptual
intermediate
What is the main purpose of a refresh token in an Express authentication flow?
Choose the best explanation for why refresh tokens are used alongside access tokens.
A. To allow the client to get a new access token without asking the user to log in again.
B. To store the user's password securely on the client side.
C. To replace the access token permanently after it expires.
D. To encrypt all API requests between client and server.
💡 Hint
Think about how users stay logged in without entering their password repeatedly.
Component behavior
intermediate
What happens when an expired access token is used with a valid refresh token in Express?
Given a client sends an expired access token and a valid refresh token to the server, what is the expected server behavior?
A. The server rejects the request and asks the user to log in again.
B. The server deletes both tokens and logs the user out immediately.
C. The server ignores the refresh token and processes the request with the expired token.
D. The server issues a new access token and allows the request to proceed.
💡 Hint
Refresh tokens are meant to help when access tokens expire.
📝 Syntax
advanced
Which Express middleware snippet correctly verifies a refresh token from cookies?
Select the code snippet that properly extracts and verifies a refresh token stored in cookies using jsonwebtoken.
Express
const jwt = require('jsonwebtoken');

function verifyRefreshToken(req, res, next) {
  // Your code here
}
A.
const token = req.cookies.refreshToken;
jwt.verify(token, process.env.REFRESH_SECRET, (err, user) => {
  if (err) return res.sendStatus(403);
  req.user = user;
  next();
});
B.
const token = req.headers['refresh-token'];
jwt.verify(token, process.env.ACCESS_SECRET, (err, user) => {
  if (err) return res.sendStatus(401);
  req.user = user;
  next();
});
C.
const token = req.body.refreshToken;
jwt.decode(token, process.env.REFRESH_SECRET);
next();
D.
const token = req.query.token;
jwt.verify(token, process.env.REFRESH_SECRET);
res.sendStatus(200);
💡 Hint
Refresh tokens are often stored in cookies and verified with the refresh secret.
State output
advanced
What is the output of this Express route when the refresh token is missing?
Consider this Express route snippet handling token refresh. What response does the client get if no refresh token cookie is sent?
Express
app.post('/refresh', (req, res) => {
  const refreshToken = req.cookies.refreshToken;
  if (!refreshToken) {
    return res.status(401).json({ message: 'No refresh token provided' });
  }
  // further logic omitted
});
A. Status 200 with JSON {"accessToken": "newtoken"}
B. Status 403 with JSON {"message": "Invalid token"}
C. Status 401 with JSON {"message": "No refresh token provided"}
D. Status 500 with JSON {"error": "Server error"}
💡 Hint
Check the condition when refreshToken is falsy.
🔧 Debug
expert
Why does this Express refresh token route cause a runtime error?
Identify the cause of the runtime error in this refresh token route code snippet.
Express
app.post('/token', (req, res) => {
  const refreshToken = req.cookies.refreshToken;
  jwt.verify(refreshToken, process.env.REFRESH_SECRET, (err, user) => {
    if (err) return res.sendStatus(403);
    const accessToken = jwt.sign({ name: user.name }, process.env.ACCESS_SECRET, { expiresIn: '15m' });
  });
  res.json({ accessToken });
});
A. The refreshToken is not read from the request body, causing an undefined token error.
B. The accessToken variable is used outside the jwt.verify callback, causing a ReferenceError.
C. The jwt.sign method is missing the payload argument, causing a TypeError.
D. The route does not handle a missing refreshToken, causing a crash.
💡 Hint
Check where accessToken is declared and used.

Practice

1. What is the main purpose of a refresh token in an Express app using authentication?
easy
A. To encrypt the access token
B. To store user passwords securely
C. To log out the user automatically after a timeout
D. To get a new access token without asking the user to log in again

Solution

  1. Step 1: Understand the role of refresh tokens

    Refresh tokens allow the app to request new access tokens without user interaction.
  2. Step 2: Compare options with refresh token purpose

    Only "To get a new access token without asking the user to log in again" correctly describes this purpose; the other options describe unrelated functions.
  3. Final Answer:

    To get a new access token without asking the user to log in again -> Option D
  4. Quick Check:

    Refresh token purpose = get new access token without login [OK]
Hint: Refresh tokens renew access tokens silently [OK]
Common Mistakes:
  • Confusing refresh token with access token
  • Thinking refresh token stores passwords
  • Assuming refresh token logs out users
2. Which of the following is the correct way to send a refresh token in an Express response header?
easy
A. res.setHeader('refresh-token', token);
B. res.sendRefreshToken(token);
C. res.refreshToken = token;
D. res.header('Authorization', token);

Solution

  1. Step 1: Recall Express method to set headers

    Express uses res.setHeader(name, value) to set response headers.
  2. Step 2: Match correct syntax for refresh token header

    res.setHeader('refresh-token', token); uses the correct method and header name; the others call a non-existent method, assign to a response property, or use the wrong header.
  3. Final Answer:

    res.setHeader('refresh-token', token); -> Option A
  4. Quick Check:

    Set header with res.setHeader(name, value) [OK]
Hint: Use res.setHeader to send custom headers [OK]
Common Mistakes:
  • Using non-existent res.sendRefreshToken method
  • Assigning token directly to res property
  • Using wrong header like 'Authorization' for refresh token
3. Given this Express route snippet, what will be the output if the refresh token is valid?
app.post('/token', (req, res) => {
  const refreshToken = req.body.token;
  if (!refreshToken) return res.status(401).send('No token');
  if (refreshToken !== 'validtoken') return res.status(403).send('Invalid token');
  res.json({ accessToken: 'newAccessToken123' });
});
medium
A. Status 401 with message 'No token'
B. Status 403 with message 'Invalid token'
C. JSON response with new access token
D. Empty response with status 200

Solution

  1. Step 1: Check token presence and validity

    If refreshToken is missing, the route returns 401; if it is present but not 'validtoken', the route returns 403.
  2. Step 2: For valid token, send new access token JSON

    When the token equals 'validtoken', the route responds with JSON containing the new access token.
  3. Final Answer:

    JSON response with new access token -> Option C
  4. Quick Check:

    Valid token returns new access token JSON [OK]
Hint: Valid token returns JSON with new access token [OK]
Common Mistakes:
  • Confusing status codes for missing vs invalid token
  • Expecting empty response instead of JSON
  • Ignoring token validation logic
4. Identify the bug in this Express refresh token handler:
app.post('/refresh', (req, res) => {
  const token = req.body.refreshToken;
  if (!token) res.status(401).send('Missing token');
  if (token !== 'secret') res.status(403).send('Forbidden');
  res.json({ accessToken: 'newToken' });
});
medium
A. Missing return statements after res.status calls causing multiple responses
B. Incorrect property name for token in request body
C. Using res.json instead of res.send
D. No bug, code works fine

Solution

  1. Step 1: Check response flow after status calls

    Without a return, execution continues after the response has been sent, so res.json attempts to send a second response and throws an error.
  2. Step 2: Confirm need for return to stop execution

    Adding return before each res.status(...).send(...) stops execution and prevents multiple responses.
  3. Final Answer:

    Missing return statements after res.status calls causing multiple responses -> Option A
  4. Quick Check:

    Return after res.status to stop code [OK]
Hint: Always return after sending response to avoid errors [OK]
Common Mistakes:
  • Not returning after res.status sends response
  • Assuming res.json is wrong here
  • Thinking property name is incorrect
5. You want to implement refresh token rotation in Express to improve security. Which approach correctly applies this concept?
hard
A. Keep the same refresh token forever to avoid user re-login
B. Issue a new refresh token on each use and invalidate the old one
C. Send refresh token only once during login and never again
D. Store refresh tokens in localStorage on the client side

Solution

  1. Step 1: Understand refresh token rotation

    Rotation means issuing a new refresh token each time the old one is used and invalidating the old token.
  2. Step 2: Evaluate options for security best practice

    "Issue a new refresh token on each use and invalidate the old one" matches the rotation concept; the other options either reduce security or store the token insecurely.
  3. Final Answer:

    Issue a new refresh token on each use and invalidate the old one -> Option B
  4. Quick Check:

    Refresh token rotation = new token each use [OK]
Hint: Rotate refresh tokens by replacing old with new each use [OK]
Common Mistakes:
  • Reusing same refresh token indefinitely
  • Not invalidating old refresh tokens
  • Storing tokens insecurely on client side