
Authentication in WebSocket connections in Express - Practice Problems & Coding Challenges

Challenge - 5 Problems
Component behavior
intermediate
How does token authentication affect WebSocket connection establishment?

Consider a WebSocket server using Express and a token-based authentication system. What happens if the client tries to connect without sending a valid token in the connection request?

A. The server accepts the connection and allows all messages without checking the token.
B. The server upgrades the connection but disconnects the client after the first message.
C. The server immediately closes the connection without upgrading the HTTP request to WebSocket.
D. The server delays the connection upgrade until the token is verified asynchronously.
💡 Hint

Think about when authentication should happen in the WebSocket handshake process.

📝 Syntax
intermediate
Which code snippet correctly extracts a token from WebSocket connection headers in Express?

Given an Express WebSocket server, which code correctly retrieves a Bearer token from the Authorization header during the upgrade event?

A. const token = req.headers.authorization.replace('Bearer ', '');
B. const token = req.headers.authorization.split('Bearer')[1];
C. const token = req.headers['Authorization'].split(' ')[0];
D. const token = req.headers['authorization'].split(' ')[1];
💡 Hint

Remember the format of the Authorization header: 'Bearer <token>'.

🔧 Debug
advanced
Why does this WebSocket server accept connections without token validation?

Review the following Express WebSocket upgrade handler code snippet:

server.on('upgrade', (req, socket, head) => {
  const token = req.headers['authorization']?.split(' ')[1];
  if (!token) {
    socket.destroy();
    return;
  }
  wss.handleUpgrade(req, socket, head, (ws) => {
    wss.emit('connection', ws, req);
  });
});

Clients without tokens still connect successfully. Why?

A. The optional chaining operator returns undefined, so the if condition never triggers for missing headers.
B. The server does not verify the token value; it only checks if it exists, so any token passes.
C. The token variable is undefined but the socket.destroy() call is asynchronous and delayed.
D. The handleUpgrade method upgrades the connection before the token check, allowing all clients.
💡 Hint

Look carefully at what the code does with the token after extracting it.

State output
advanced
What is the value of ws.isAuthenticated after connection if the token is valid?

In an Express WebSocket server, the following code runs on connection:

wss.on('connection', (ws, req) => {
  const token = req.headers['authorization']?.split(' ')[1];
  ws.isAuthenticated = verifyToken(token);
});

If verifyToken returns true for a valid token, what is the value of ws.isAuthenticated for a client with a valid token?

A. true
B. null
C. undefined
D. false
💡 Hint

What does the verifyToken function return for valid tokens?

🧠 Conceptual
expert
Why is authenticating during the WebSocket upgrade request preferred over authenticating after connection?

In Express WebSocket servers, why should authentication be done during the HTTP upgrade request instead of after the WebSocket connection is established?

A. Because the HTTP upgrade request allows rejecting unauthorized clients before allocating WebSocket resources.
B. Because WebSocket connections do not support sending headers after connection is established.
C. Because authenticating after connection requires sending a special authentication message which is less secure.
D. Because Express automatically blocks unauthorized WebSocket connections if authentication is done after connection.
💡 Hint

Think about resource usage and security risks of accepting connections before authentication.