Refresh token concept in Express - Cheat Sheet & Quick Revision

Recall & Review
(beginner) What is a refresh token in web authentication?
A refresh token is a special token used to get a new access token without asking the user to log in again. It keeps users logged in without interruption.

(beginner) Why do we use refresh tokens instead of long-lived access tokens?
Refresh tokens improve security by keeping access tokens short-lived. If an access token is stolen, it expires quickly, reducing the risk.

(intermediate) How does the refresh token flow work in Express apps?
When the access token expires, the client sends the refresh token to the server. The server verifies it and issues a new access token.

(intermediate) Where should refresh tokens be stored on the client side?
Refresh tokens should be stored securely, usually in HTTP-only cookies, so that JavaScript cannot read them and the risk of theft is reduced.

(advanced) What happens if a refresh token is compromised?
If a refresh token is stolen, an attacker can use it to obtain new access tokens. To reduce the risk, refresh tokens should expire and be revocable on the server.
What is the main purpose of a refresh token?
A. To encrypt the access token
B. To replace the password
C. To store user data
D. To get a new access token without re-login

Where is it safest to store a refresh token on the client?
A. HTTP-only cookie
B. Local storage
C. Session storage
D. In a JavaScript variable

What should happen when a refresh token is used to get a new access token?
A. The server logs out the user
B. The server verifies the refresh token and issues a new access token
C. The client deletes the refresh token
D. The client sends the password again

Why are access tokens usually short-lived?
A. To save storage space
B. To reduce server load
C. To improve security by limiting token lifetime
D. To speed up login

What is a risk if refresh tokens are not revoked after logout?
A. Attackers can use stolen refresh tokens to get new access tokens
B. Passwords will be exposed
C. The server will crash
D. Users will stay logged in forever
Explain how refresh tokens help maintain user sessions securely in an Express app.
Think about how users stay logged in without re-entering passwords.

Describe best practices for storing and handling refresh tokens on the client and server.
Focus on security and preventing token theft.

Practice

1. What is the main purpose of a refresh token in an Express app using authentication? (easy)
A. To encrypt the access token
B. To store user passwords securely
C. To log out the user automatically after a timeout
D. To get a new access token without asking the user to log in again

Solution
Step 1: Understand the role of refresh tokens. Refresh tokens allow the app to request new access tokens without user interaction.
Step 2: Compare the options with this purpose. Only "To get a new access token without asking the user to log in again" describes it; the others describe unrelated functions.
Final Answer: To get a new access token without asking the user to log in again -> Option D
Quick Check: Refresh token purpose = get new access token without login [OK]
Hint: Refresh tokens renew access tokens silently [OK]
Common Mistakes:
• Confusing refresh token with access token
• Thinking refresh token stores passwords
• Assuming refresh token logs out users

2. Which of the following is the correct way to send a refresh token in an Express response header? (easy)
A. res.setHeader('refresh-token', token);
B. res.sendRefreshToken(token);
C. res.refreshToken = token;
D. res.header('Authorization', token);

Solution
Step 1: Recall the Express method for setting headers. Express uses res.setHeader(name, value) to set response headers.
Step 2: Match the correct syntax for the refresh token header. res.setHeader('refresh-token', token); uses the correct method and header name; the others call a non-existent method, assign to a response property, or use the wrong header.
Final Answer: res.setHeader('refresh-token', token); -> Option A
Quick Check: Set header with res.setHeader(name, value) [OK]
Hint: Use res.setHeader to send custom headers [OK]
Common Mistakes:
• Using non-existent res.sendRefreshToken method
• Assigning token directly to res property
• Using wrong header like 'Authorization' for refresh token

3. Given this Express route snippet, what will be the output if the refresh token is valid? (medium)

  const express = require('express');
  const app = express();
  app.use(express.json()); // parse JSON bodies so req.body.token is populated

  app.post('/token', (req, res) => {
    const refreshToken = req.body.token;
    if (!refreshToken) return res.status(401).send('No token');
    if (refreshToken !== 'validtoken') return res.status(403).send('Invalid token');
    res.json({ accessToken: 'newAccessToken123' });
  });

A. Status 401 with message 'No token'
B. Status 403 with message 'Invalid token'
C. JSON response with new access token
D. Empty response with status 200

Solution
Step 1: Check token presence and validity. If refreshToken is missing, the route returns 401; if it does not match, the route returns 403.
Step 2: For a valid token, send the new access token as JSON. When the token equals 'validtoken', the response is a JSON body containing the new access token.
Final Answer: JSON response with new access token -> Option C
Quick Check: Valid token returns new access token JSON [OK]
Hint: Valid token returns JSON with new access token [OK]
Common Mistakes:
• Confusing status codes for missing vs invalid token
• Expecting empty response instead of JSON
• Ignoring token validation logic

4. Identify the bug in this Express refresh token handler: (medium)

  const express = require('express');
  const app = express();
  app.use(express.json()); // parse JSON bodies so req.body.refreshToken is populated

  app.post('/refresh', (req, res) => {
    const token = req.body.refreshToken;
    if (!token) res.status(401).send('Missing token');
    if (token !== 'secret') res.status(403).send('Forbidden');
    res.json({ accessToken: 'newToken' });
  });

A. Missing return statements after res.status calls causing multiple responses
B. Incorrect property name for token in request body
C. Using res.json instead of res.send
D. No bug, code works fine

Solution
Step 1: Check the response flow after the status calls. Without return, execution continues after a response has already been sent, so the handler attempts to send a second response, which is an error.
Step 2: Confirm that return is needed to stop execution. Adding return after res.status(...).send(...) prevents multiple responses.
Final Answer: Missing return statements after res.status calls causing multiple responses -> Option A
Quick Check: Return after res.status to stop code [OK]
Hint: Always return after sending response to avoid errors [OK]
Common Mistakes:
• Not returning after res.status sends response
• Assuming res.json is wrong here
• Thinking property name is incorrect

5. You want to implement refresh token rotation in Express to improve security. Which approach correctly applies this concept? (hard)
A. Keep the same refresh token forever to avoid user re-login
B. Issue a new refresh token on each use and invalidate the old one
C. Send refresh token only once during login and never again
D. Store refresh tokens in localStorage on the client side

Solution
Step 1: Understand refresh token rotation. Rotation means issuing a new refresh token each time the old one is used and invalidating the old token.
Step 2: Evaluate the options against security best practice. "Issue a new refresh token on each use and invalidate the old one" matches the rotation concept; the others either reduce security or store the token insecurely.
Final Answer: Issue a new refresh token on each use and invalidate the old one -> Option B
Quick Check: Refresh token rotation = new token each use [OK]
Hint: Rotate refresh tokens by replacing old with new each use [OK]
Common Mistakes:
• Reusing same refresh token indefinitely
• Not invalidating old refresh tokens
• Storing tokens insecurely on client side