
Resource ownership checks in Express - Cheat Sheet & Quick Revision

Recall & Review
[beginner] What is the purpose of resource ownership checks in Express applications?
Answer: Resource ownership checks ensure that a user can only access or modify resources they own, protecting data privacy and security.

[beginner] How can you implement a resource ownership check in an Express route?
Answer: By comparing the resource's owner ID with the authenticated user's ID before allowing access or modification.

[intermediate] Why should resource ownership checks be done on the server side in Express?
Answer: Because client-side checks can be bypassed, server-side checks ensure security by validating ownership before processing requests.

[intermediate] What Express feature can help reuse resource ownership checks across multiple routes?
Answer: Middleware functions can be created to perform ownership checks and reused in different routes.

[beginner] What is a common pattern to handle unauthorized access after a failed ownership check in Express?
Answer: Respond with a 403 Forbidden status and a clear message indicating the user is not allowed to access the resource.
In Express, what should you compare to verify resource ownership?
A. User's IP address and resource IP address
B. Resource owner ID and authenticated user ID
C. Resource creation date and current date
D. Resource size and user quota

Where should resource ownership checks be performed in an Express app?
A. Server-side routes or middleware
B. Client-side JavaScript
C. In the database only
D. In the browser console

Which HTTP status code is commonly used when a user tries to access a resource they don't own?
A. 200 OK
B. 401 Unauthorized
C. 403 Forbidden
D. 404 Not Found

What Express feature helps you apply ownership checks to many routes without repeating code?
A. Template engines
B. Route parameters
C. Static files
D. Middleware functions

If a resource ownership check fails, what is the best practice for the server response?
A. Send 403 Forbidden with a message
B. Ignore and continue processing
C. Send 500 Internal Server Error
D. Redirect to homepage
Explain how to implement resource ownership checks in an Express route.
Hint: Think about verifying user identity before allowing resource access.

Why are server-side resource ownership checks important in Express applications?
Hint: Consider what happens if checks are only done on the client.

Practice
1. What is the main purpose of resource ownership checks in an Express app? (easy)
   A. To allow any user to edit any resource
   B. To ensure only the owner can access or modify their resource
   C. To speed up database queries
   D. To log user activity for analytics

   Solution

   Step 1: Understand resource ownership
   Resource ownership means a resource belongs to a specific user.

   Step 2: Purpose of ownership checks
   Ownership checks prevent unauthorized users from accessing or changing resources they don't own.

   Final Answer: To ensure only the owner can access or modify their resource -> Option B

   Quick Check: Ownership check = restrict access to owner [OK]
   Hint: Ownership checks block non-owners from resource access [OK]

   Common Mistakes:
   • Thinking ownership checks speed up queries
   • Allowing all users to edit resources
   • Confusing ownership with logging
2. Which Express middleware pattern correctly checks if the logged-in user owns a resource with ID in req.params.id and owner ID in resource.ownerId? (easy)
   A. if (req.user.id == resource.owner) { next(); } else { res.status(401).send('Unauthorized'); }
   B. if (req.user === resource.ownerId) { next(); } else { res.status(404).send('Not Found'); }
   C. if (req.user.id === resource.ownerId) { next(); } else { res.status(403).send('Forbidden'); }
   D. if (req.user.id !== resource.ownerId) { next(); } else { res.status(403).send('Forbidden'); }

   Solution

   Step 1: Check user ID equality
   We compare req.user.id with resource.ownerId using strict equality to confirm ownership.

   Step 2: Respond with 403 if not owner
   If IDs don't match, respond with 403 Forbidden to block access.

   Final Answer: if (req.user.id === resource.ownerId) { next(); } else { res.status(403).send('Forbidden'); } -> Option C

   Quick Check: Strict equality + 403 Forbidden = correct ownership check [OK]
   Hint: Use strict equality and 403 status for ownership checks [OK]

   Common Mistakes:
   • Using == instead of ===
   • Sending wrong status codes like 404 or 401
   • Comparing whole user object instead of user ID
3. Given this Express route snippet, what will happen if req.user.id is '123' and resource.ownerId is '456'? (medium)

       app.delete('/items/:id', (req, res) => {
         const resource = {ownerId: '456'};
         if (req.user.id === resource.ownerId) {
           res.send('Deleted');
         } else {
           res.status(403).send('Forbidden');
         }
       });

   A. The item will be deleted and 'Deleted' sent
   B. The server will crash due to undefined resource
   C. Response will be 404 Not Found
   D. Response will be 403 Forbidden

   Solution

   Step 1: Compare user ID and owner ID
   Since req.user.id ('123') does not equal resource.ownerId ('456'), the ownership check fails.

   Step 2: Return 403 Forbidden
   The else block sends a 403 Forbidden response, blocking deletion.

   Final Answer: Response will be 403 Forbidden -> Option D

   Quick Check: Non-matching IDs = 403 Forbidden [OK]
   Hint: Non-owner gets 403 Forbidden response [OK]

   Common Mistakes:
   • Assuming deletion happens anyway
   • Confusing 403 with 404
   • Ignoring ownership check logic
4. Identify the bug in this ownership check middleware: (medium)

       function checkOwnership(req, res, next) {
         const resource = {ownerId: '456'}; /* example */
         if (req.user.id = resource.ownerId) {
           next();
         } else {
           res.status(403).send('Forbidden');
         }
       }

   A. Using assignment (=) instead of comparison (===) in the if condition
   B. Missing call to next() in else block
   C. Incorrect status code; should be 404 instead of 403
   D. resource.ownerId is undefined

   Solution

   Step 1: Check the if condition syntax
   The condition uses a single equals sign (=), which assigns instead of compares, causing a bug.

   Step 2: Correct comparison operator
   It should use strict equality (===) to compare req.user.id and resource.ownerId.

   Final Answer: Using assignment (=) instead of comparison (===) in the if condition -> Option A

   Quick Check: Assignment in if condition = bug [OK]
   Hint: Use === for comparison, not = assignment [OK]

   Common Mistakes:
   • Confusing = with === in conditions
   • Thinking next() is needed in the else block
   • Wrong status code for forbidden access
5. You want to protect a route so only the owner of a blog post can edit it. The post's owner ID is stored in post.ownerId. Which Express middleware correctly implements this ownership check and returns 403 if the user is not the owner? (hard)
   A. app.put('/posts/:id', (req, res, next) => { if (req.user.id === post.ownerId) next(); else res.status(403).send('Forbidden'); }, (req, res) => { res.send('Post updated'); });
   B. app.put('/posts/:id', (req, res) => { if (req.user.id !== post.ownerId) res.status(403).send('Forbidden'); else res.send('Post updated'); });
   C. app.put('/posts/:id', (req, res, next) => { if (req.user.id == post.ownerId) next(); else res.status(404).send('Not Found'); }, (req, res) => { res.send('Post updated'); });
   D. app.put('/posts/:id', (req, res) => { if (req.user.id === post.ownerId) res.send('Post updated'); else res.status(401).send('Unauthorized'); });

   Solution

   Step 1: Use middleware to check ownership before update
   The middleware checks if req.user.id matches post.ownerId and calls next() if true.

   Step 2: Return 403 Forbidden if not owner
   If IDs don't match, respond with 403 to block unauthorized edits.

   Final Answer: app.put('/posts/:id', (req, res, next) => { if (req.user.id === post.ownerId) next(); else res.status(403).send('Forbidden'); }, (req, res) => { res.send('Post updated'); }); -> Option A

   Quick Check: Middleware + strict equality + 403 Forbidden = correct pattern [OK]
   Hint: Use middleware with strict check and 403 response [OK]

   Common Mistakes:
   • Using == instead of ===
   • Sending wrong status codes like 404 or 401
   • Not using the middleware pattern for the ownership check