Express framework, ~20 mins

Why authorization differs from authentication in Express - Challenge Your Understanding

Challenge - 5 Problems
Authorization vs Authentication Mastery
Conceptual, intermediate, 1:30
Understanding Authentication in Express
What is the primary purpose of authentication in an Express application?
A. To log user activity for auditing purposes
B. To verify the identity of a user trying to access the system
C. To encrypt user data before sending it to the client
D. To determine what resources a user can access
Hint: Think about the step where the system checks who you are.

Conceptual, intermediate, 1:30
Understanding Authorization in Express
What does authorization control in an Express application?
A. It controls which resources or actions a verified user is allowed to access or perform
B. It verifies the user's identity using tokens
C. It manages session expiration times
D. It encrypts passwords before storing them
Hint: Think about what happens after the system knows who you are.

Component behavior, advanced, 2:00
Behavior of Authentication Middleware in Express
Given the following Express middleware, what happens if the user is not authenticated?
function authMiddleware(req, res, next) {
  if (!req.user) {
    return res.status(401).send('Unauthorized');
  }
  next();
}
A. The middleware sends a 401 Unauthorized response and stops further processing
B. The middleware allows the request to continue to the next handler
C. The middleware throws a runtime error
D. The middleware redirects the user to the home page
Hint: Look at the condition checking req.user and the response sent.

Component behavior, advanced, 2:00
Authorization Check in Express Route
In this Express route, what will happen if the authenticated user does not have the 'admin' role?
app.get('/admin', (req, res) => {
  if (!req.user?.roles.includes('admin')) {
    return res.status(403).send('Forbidden');
  }
  res.send('Welcome Admin');
});
A. The server responds with 401 Unauthorized
B. The server sends 'Welcome Admin' regardless of user role
C. The server crashes with a TypeError
D. The server responds with 403 Forbidden and does not send 'Welcome Admin'
Hint: Check the condition that tests the user's roles.

Syntax, expert, 2:30
Identify the Error in Authentication Middleware
What error will this Express authentication middleware produce when a request is made?
function auth(req, res, next) {
  if (req.headers.authorization === undefined) {
    return res.status(401).send('No token');
  }
  next();
}
A. The middleware causes a syntax error due to missing braces
B. The middleware throws a ReferenceError because next is undefined
C. The middleware calls next() even after sending a response, causing headers to be sent twice
D. The middleware correctly stops processing after sending 401
Hint: Consider what happens after res.status(401).send() is called.

Practice

1. In Express apps, what is the main difference between authentication and authorization?
easy
A. Authentication checks what the user can access; authorization verifies who they are.
B. Authentication verifies who the user is; authorization checks what they can access.
C. Authentication and authorization both check user identity only.
D. Authorization is done before authentication in Express.

Solution

  1. Step 1: Understand authentication purpose

    Authentication confirms the user's identity, like logging in.
  2. Step 2: Understand authorization purpose

    Authorization decides what resources or actions the authenticated user can access.
  3. Final Answer:

    Authentication verifies who the user is; authorization checks what they can access. -> Option B
  4. Quick Check:

    Authentication = identity, Authorization = permissions [OK]
Hint: Authentication = who, Authorization = what they can do [OK]
Common Mistakes:
  • Confusing authentication with authorization
  • Thinking both check the same thing
  • Assuming authorization happens before authentication
2. Which Express middleware is typically used for authentication?
easy
A. passport.authenticate()
B. cors()
C. express.json()
D. express.static()

Solution

  1. Step 1: Identify authentication middleware

    Passport.js is a popular Express middleware for handling authentication.
  2. Step 2: Check other options

    express.static serves files, express.json parses JSON, and cors handles cross-origin requests; none of them handles authentication.
  3. Final Answer:

    passport.authenticate() -> Option A
  4. Quick Check:

    passport.authenticate() = authentication middleware [OK]
Hint: Passport is for authentication in Express [OK]
Common Mistakes:
  • Choosing express.static for authentication
  • Confusing cors with authentication
  • Not knowing passport middleware
3. Consider this Express route snippet:
app.get('/dashboard', (req, res) => {
  if (!req.user) {
    return res.status(401).send('Not authenticated');
  }
  if (!req.user.isAdmin) {
    return res.status(403).send('Not authorized');
  }
  res.send('Welcome Admin');
});

What status code will be sent if a logged-in user is not an admin?
medium
A. 200
B. 401
C. 403
D. 500

Solution

  1. Step 1: Check authentication condition

    The code checks if req.user exists; if not, sends 401 (unauthenticated).
  2. Step 2: Check authorization condition

    If the user exists but isAdmin is false, it sends 403 (forbidden: authenticated but not authorized).
  3. Final Answer:

    403 -> Option C
  4. Quick Check:

    Authenticated but not authorized = 403 [OK]
Hint: 401 = no login, 403 = no permission [OK]
Common Mistakes:
  • Mixing 401 and 403 status codes
  • Assuming 200 is sent without admin rights
  • Ignoring the authorization check
4. This Express middleware aims to protect routes:
function checkAdmin(req, res, next) {
  if (!req.user.isAdmin) {
    res.status(401).send('Unauthorized');
  }
  next();
}

What is the bug here?
medium
A. req.user might be undefined causing an error
B. Should send status 403 instead of 401 for authorization failure
C. Missing call to next() inside the if block
D. Middleware should be async

Solution

  1. Step 1: Analyze req.user usage

    The code accesses req.user.isAdmin without checking if req.user exists, risking a runtime error.
  2. Step 2: Check other issues

    While 403 is the better status for an authorization failure, the main bug is the possible crash from an undefined req.user.
  3. Final Answer:

    req.user might be undefined causing an error -> Option A
  4. Quick Check:

    Always check req.user exists before properties [OK]
Hint: Check req.user exists before isAdmin [OK]
Common Mistakes:
  • Ignoring possible undefined req.user
  • Confusing 401 and 403 status codes
  • Not returning after sending response
5. You want to protect an Express route so only authenticated users with role 'editor' or 'admin' can access it. Which middleware logic correctly implements this authorization check?
hard
A. if (req.user && req.user.role === 'admin') { next(); } else { res.status(403).send('Forbidden'); }
B. if (!req.user && (req.user.role === 'editor' || req.user.role === 'admin')) { next(); } else { res.status(401).send('Unauthorized'); }
C. if (req.user.role === 'editor' || req.user.role === 'admin') { next(); } else { res.status(401).send('Unauthorized'); }
D. if (!req.user || (req.user.role !== 'editor' && req.user.role !== 'admin')) { res.status(403).send('Forbidden'); } else { next(); }

Solution

  1. Step 1: Check authentication and authorization together

    The middleware must first confirm req.user exists (authenticated), then check if role is 'editor' or 'admin'.
  2. Step 2: Analyze each option

    if (!req.user || (req.user.role !== 'editor' && req.user.role !== 'admin')) { res.status(403).send('Forbidden'); } else { next(); } correctly denies access if no user or role not allowed, sending 403 Forbidden. Others have logic errors or wrong status codes.
  3. Final Answer:

    if (!req.user || (req.user.role !== 'editor' && req.user.role !== 'admin')) { res.status(403).send('Forbidden'); } else { next(); } -> Option D
  4. Quick Check:

    Check user exists AND role allowed for authorization [OK]
Hint: Check user exists AND role matches before next() [OK]
Common Mistakes:
  • Not checking if user is authenticated first
  • Using wrong status codes (401 vs 403)
  • Incorrect logical operators in role check
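An added example, not code from the quiz page, covering practice questions 4 and 5 together: a role-check middleware that guards against an undefined req.user, returns after sending so next() is never reached after a response, and keeps the 401 (not authenticated) vs 403 (authenticated but not authorized) split from question 3. requireRole, makeRes and run are names chosen here, and the req/res stand-ins are constructed so the file runs in plain Node without the express package.

```javascript
// Middleware factory: requireRole('editor', 'admin') allows a request only
// when req.user exists AND carries one of the allowed roles. Accepts either
// a single req.user.role string or a req.user.roles array.
function requireRole(...allowedRoles) {
  return function (req, res, next) {
    if (!req.user) {
      // Authentication failure: identity unknown, so 401, and return so
      // next() cannot run after the response has been sent.
      return res.status(401).send('Unauthorized');
    }
    const roles = Array.isArray(req.user.roles) ? req.user.roles : [req.user.role];
    if (!roles.some((r) => allowedRoles.includes(r))) {
      // Authorization failure: identity known, permission missing, so 403.
      return res.status(403).send('Forbidden');
    }
    return next();
  };
}

// Minimal stand-in for an Express response (constructed for this example):
// records the status code, the body, and how many times send() was called.
function makeRes() {
  const res = { statusCode: 200, body: undefined, sent: 0 };
  res.status = function (code) { this.statusCode = code; return this; };
  res.send = function (body) { this.body = body; this.sent += 1; return this; };
  return res;
}

// Runs the middleware for a given req.user value and reports what a client
// would observe: the status sent (null if nothing was sent), whether next()
// ran, and how many responses were sent (must never exceed one).
function run(user, ...allowed) {
  const req = { user };
  const res = makeRes();
  let nextCalled = false;
  requireRole(...allowed)(req, res, () => { nextCalled = true; });
  return { status: res.sent ? res.statusCode : null, nextCalled, sends: res.sent };
}

console.log(run(undefined, 'editor', 'admin'));              // status 401, next not called
console.log(run({ role: 'viewer' }, 'editor', 'admin'));     // status 403, next not called
console.log(run({ roles: ['editor'] }, 'editor', 'admin'));  // status null, next called
```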