User login flow in Express - Practice Problems & Coding Challenges

Challenge - 5 Problems
component_behavior
intermediate
What is the output of this Express login route?
Consider this Express route handling a POST login request. What will the server respond with if the user provides correct credentials?
Express
app.post('/login', (req, res) => {
  const { username, password } = req.body;
  if (username === 'admin' && password === '1234') {
    res.status(200).send('Login successful');
  } else {
    res.status(401).send('Unauthorized');
  }
});
A. Responds with status 500 and message 'Server error' if username is 'admin'
B. Responds with status 401 and message 'Unauthorized' for all inputs
C. Responds with status 200 and message 'Welcome user' for any username
D. Responds with status 200 and message 'Login successful' if username is 'admin' and password is '1234'
💡 Hint
Check the condition inside the if statement comparing username and password.
state_output
intermediate
What is the value of 'isLoggedIn' after this middleware runs?
Given this Express middleware that sets a flag on the request object, what will be the value of 'req.isLoggedIn' after it runs if the user is authenticated?
Express
function authMiddleware(req, res, next) {
  if (req.headers.authorization === 'Bearer validtoken') {
    req.isLoggedIn = true;
  } else {
    req.isLoggedIn = false;
  }
  next();
}
A. Always true regardless of headers
B. true if 'authorization' header equals 'Bearer validtoken', otherwise false
C. Always false regardless of headers
D. Undefined because 'isLoggedIn' is not set
💡 Hint
Look at how 'req.isLoggedIn' is assigned based on the authorization header.
🔧 Debug
advanced
Why does this login route always return 200 'Login successful'?
Examine the following Express login route. Why does it always respond with 200 'Login successful' even when incorrect credentials are sent?
Express
app.post('/login', (req, res) => {
  const { username, password } = req.body;
  if (username === 'admin' && password === '1234') {
    res.status(200).send('Login successful');
  } else {
    res.status(401).send('Unauthorized');
  }
});
A. Because '=' is used instead of '===' causing assignment instead of comparison
B. Because 'req.body' is undefined by default in Express
C. Because the route method should be GET, not POST
D. Because the response is sent twice causing an error
💡 Hint
Check the operators used in the if condition.
📝 Syntax
advanced
Which option correctly parses JSON body in Express login route?
You want to access 'req.body' in your Express login route. Which code snippet correctly enables JSON body parsing?
A.
app.use(express.json());
app.post('/login', (req, res) => { /* access req.body */ });
B.
app.use(bodyParser.urlencoded());
app.post('/login', (req, res) => { /* access req.body */ });
C.
app.post('/login', express.json(), (req, res) => { /* access req.body */ });
D.
app.use(express.urlencoded());
app.post('/login', (req, res) => { /* access req.body */ });
💡 Hint
Look for middleware that parses JSON bodies globally.
🧠 Conceptual
expert
What is the main security risk if you do not hash passwords in a login flow?
In a user login flow, passwords are stored in plain text in the database. What is the biggest risk of this practice?
A. The server will crash due to large password sizes
B. Users will be unable to log in because passwords are not encrypted
C. If the database is compromised, attackers get all user passwords in readable form
D. Passwords will expire automatically after a short time
💡 Hint
Think about what happens if someone steals the database data.
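An added example (not part of the original quiz) of the alternative to plain-text storage: the user table holds only a salted scrypt hash, and the login check recomputes and compares it in constant time. The `users` map, the record format, the cost parameters and the function names are assumptions of this example; the credentials and response strings mirror the quiz routes above.

```javascript
const crypto = require('node:crypto');

// Assumed scrypt cost parameters for this example; tune them for your hardware.
const COST = { N: 16384, r: 8, p: 1 };

// Produces a self-describing record: scrypt$N$r$p$saltHex$hashHex
function hashPassword(password) {
  const salt = crypto.randomBytes(16); // fresh salt per password
  const hash = crypto.scryptSync(password, salt, 32, COST);
  return ['scrypt', COST.N, COST.r, COST.p,
          salt.toString('hex'), hash.toString('hex')].join('$');
}

function verifyPassword(password, record) {
  // req.body values are attacker-controlled and may not be strings.
  if (typeof password !== 'string' || typeof record !== 'string') return false;
  const parts = record.split('$');
  if (parts.length !== 6 || parts[0] !== 'scrypt') return false;
  const [N, r, p] = parts.slice(1, 4).map(Number);
  const salt = Buffer.from(parts[4], 'hex');
  const expected = Buffer.from(parts[5], 'hex');
  if (![N, r, p].every(Number.isInteger) || expected.length === 0) return false;
  let actual;
  try {
    actual = crypto.scryptSync(password, salt, expected.length, { N, r, p });
  } catch {
    return false; // malformed cost parameters in the stored record
  }
  // Same length by construction, so timingSafeEqual will not throw.
  return crypto.timingSafeEqual(actual, expected);
}

// Constructed user table: what a stolen database row would contain.
const users = new Map([['admin', hashPassword('1234')]]);

// Hash checked for unknown usernames so both failure paths do the same work.
const DUMMY_RECORD = hashPassword(crypto.randomBytes(16).toString('hex'));

// Framework-independent core of a POST /login handler.
function login(username, password) {
  const record = users.get(username);
  const ok = verifyPassword(password, record ?? DUMMY_RECORD);
  return ok && record !== undefined
    ? { status: 200, body: 'Login successful' }
    : { status: 401, body: 'Unauthorized' };
}
```

In an Express route, the handler would pass `req.body.username` and `req.body.password` to `login` and send the returned status and body.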

Practice

1. What is the main purpose of a user login flow in an Express app?
easy
A. To verify the user's identity before granting access
B. To display the homepage content
C. To log server errors
D. To serve static files like images

Solution

  1. Step 1: Understand the login flow goal

    The login flow is designed to check who the user is by verifying credentials.
  2. Step 2: Identify the correct purpose

    Granting access only after verification matches the login flow's main purpose.
  3. Final Answer:

    To verify the user's identity before granting access -> Option A
  4. Quick Check:

    Login flow = Verify user identity [OK]
Hint: Login flow means checking user identity first [OK]
Common Mistakes:
  • Confusing login flow with serving static files
  • Thinking login flow logs errors
  • Assuming login flow shows homepage content
2. Which Express route method is best suited to securely receive login form data?
easy
A. app.put('/login', ...)
B. app.get('/login', ...)
C. app.post('/login', ...)
D. app.delete('/login', ...)

Solution

  1. Step 1: Recall HTTP methods for form data

    POST sends form data in the request body, unlike GET, which appends the data to the URL.
  2. Step 2: Match method to login data handling

    Login forms should use POST to keep credentials out of the URL; protecting them in transit still requires HTTPS.
  3. Final Answer:

    app.post('/login', ...) -> Option C
  4. Quick Check:

    Use POST for login data [OK]
Hint: Use POST to send login data securely [OK]
Common Mistakes:
  • Using GET exposes credentials in URL
  • PUT and DELETE are not for login forms
  • Confusing route methods for form submission
3. What will be the output if the following Express code is used for login and the user provides correct credentials?
app.post('/login', (req, res) => {
  const { username, password } = req.body;
  if(username === 'user' && password === 'pass') {
    req.session.user = username;
    res.send('Login successful');
  } else {
    res.status(401).send('Invalid credentials');
  }
});
medium
A. "Login successful" message sent and session user set
B. Server crashes due to missing session setup
C. "Invalid credentials" message sent always
D. Redirects to homepage without message

Solution

  1. Step 1: Analyze the login condition

    The code checks if username is 'user' and password is 'pass'. If true, it sets session user and sends success message.
  2. Step 2: Understand the output for correct credentials

    When correct, it sends 'Login successful' and stores username in session.
  3. Final Answer:

    "Login successful" message sent and session user set -> Option A
  4. Quick Check:

    Correct credentials = success message + session set [OK]
Hint: Correct login sends success and sets session [OK]
Common Mistakes:
  • Assuming server crashes without session middleware
  • Thinking invalid message shows on correct login
  • Confusing redirect with send response
4. Identify the error in this Express login route code:
app.post('/login', (req, res) => {
  const { username, password } = req.body;
  if(username == 'admin' && password == '1234') {
    res.session.user = username;
    res.send('Welcome admin');
  } else {
    res.send('Access denied');
  }
});
medium
A. Using '==' instead of '===' for comparison
B. No error, code works fine
C. Missing res.status(401) for failed login
D. Assigning session to 'res.session' instead of 'req.session'

Solution

  1. Step 1: Check session assignment

    Session data should be stored on req.session, not res.session.
  2. Step 2: Confirm correct session usage

    res.session is undefined, so assigning res.session.user throws a TypeError; req.session is the correct object.
  3. Final Answer:

    Assigning session to 'res.session' instead of 'req.session' -> Option D
  4. Quick Check:

    Session stored on req, not res [OK]
Hint: Session is on req, not res object [OK]
Common Mistakes:
  • Confusing req and res objects
  • Ignoring missing status code on failure
  • Thinking '==' causes error here
5. You want to keep users logged in across pages after login in Express. Which approach correctly implements this using sessions?
1. Use express-session middleware
2. On successful login, save username in req.session
3. On other routes, check if req.session.user exists
4. If exists, allow access; else redirect to login
hard
A. Sessions should not be used; use cookies only
B. This approach is correct and follows best practices
C. Store user info in res.locals instead of session
D. Use GET method to store session data

Solution

  1. Step 1: Understand session usage in Express

    express-session middleware manages sessions; storing user info in req.session keeps login state.
  2. Step 2: Verify access control logic

    Checking req.session.user on other routes to allow or redirect is standard practice.
  3. Final Answer:

    This approach is correct and follows best practices -> Option B
  4. Quick Check:

    Sessions + req.session.user check = persistent login [OK]
Hint: Use express-session and req.session.user for login persistence [OK]
Common Mistakes:
  • Thinking cookies alone handle login state securely
  • Using res.locals which resets each request
  • Trying to store session data via GET method