
Refresh token concept in Express - Practice Problems & Coding Challenges

Challenge - 5 Problems
🧠 Conceptual
intermediate
What is the main purpose of a refresh token in an Express authentication flow?
Choose the best explanation for why refresh tokens are used alongside access tokens.
A. To allow the client to get a new access token without asking the user to log in again.
B. To store the user's password securely on the client side.
C. To replace the access token permanently after it expires.
D. To encrypt all API requests between client and server.
💡 Hint
Think about how users stay logged in without entering their password repeatedly.
component_behavior
intermediate
What happens when an expired access token is used with a valid refresh token in Express?
Given a client sends an expired access token and a valid refresh token to the server, what is the expected server behavior?
A. The server rejects the request and asks the user to log in again.
B. The server deletes both tokens and logs the user out immediately.
C. The server ignores the refresh token and processes the request with the expired token.
D. The server issues a new access token and allows the request to proceed.
💡 Hint
Refresh tokens are meant to help when access tokens expire.
📝 Syntax
advanced
Which Express middleware snippet correctly verifies a refresh token from cookies?
Select the code snippet that properly extracts and verifies a refresh token stored in cookies using jsonwebtoken.
Express
const jwt = require('jsonwebtoken');

function verifyRefreshToken(req, res, next) {
  // Your code here
}
A
const token = req.cookies.refreshToken;
jwt.verify(token, process.env.REFRESH_SECRET, (err, user) => {
  if (err) return res.sendStatus(403);
  req.user = user;
  next();
});
B
const token = req.headers['refresh-token'];
jwt.verify(token, process.env.ACCESS_SECRET, (err, user) => {
  if (err) return res.sendStatus(401);
  req.user = user;
  next();
});
C
const token = req.body.refreshToken;
jwt.decode(token, process.env.REFRESH_SECRET);
next();
D
const token = req.query.token;
jwt.verify(token, process.env.REFRESH_SECRET);
res.sendStatus(200);
💡 Hint
Refresh tokens are often stored in cookies and verified with the refresh secret.
state_output
advanced
What is the output of this Express route when the refresh token is missing?
Consider this Express route snippet handling token refresh. What response does the client get if no refresh token cookie is sent?
Express
app.post('/refresh', (req, res) => {
  const refreshToken = req.cookies.refreshToken;
  if (!refreshToken) {
    return res.status(401).json({ message: 'No refresh token provided' });
  }
  // further logic omitted
});
A. Status 200 with JSON {"accessToken": "newtoken"}
B. Status 403 with JSON {"message": "Invalid token"}
C. Status 401 with JSON {"message": "No refresh token provided"}
D. Status 500 with JSON {"error": "Server error"}
💡 Hint
Check the condition when refreshToken is falsy.
🔧 Debug
expert
Why does this Express refresh token route cause a runtime error?
Identify the cause of the runtime error in this refresh token route code snippet.
Express
app.post('/token', (req, res) => {
  const refreshToken = req.cookies.refreshToken;
  jwt.verify(refreshToken, process.env.REFRESH_SECRET, (err, user) => {
    if (err) return res.sendStatus(403);
    const accessToken = jwt.sign({ name: user.name }, process.env.ACCESS_SECRET, { expiresIn: '15m' });
  });
  res.json({ accessToken });
});
A. The refreshToken is not read from the request body, causing undefined token error.
B. The accessToken variable is used outside the jwt.verify callback, causing a ReferenceError.
C. The jwt.sign method is missing the payload argument, causing a TypeError.
D. The route does not handle missing refreshToken, causing a crash.
💡 Hint
Check where accessToken is declared and used.