Role-based authorization in NestJS - Practice Problems & Coding Challenges

Challenge - 5 Problems
Component behavior (intermediate)
What is the output of this NestJS guard when a user with role 'user' accesses an admin route?

Consider this NestJS guard that checks if the user has the 'admin' role:

import { CanActivate, ExecutionContext, Injectable } from '@nestjs/common';

@Injectable()
export class RolesGuard implements CanActivate {
  canActivate(context: ExecutionContext): boolean {
    const request = context.switchToHttp().getRequest();
    const user = request.user;
    return user?.roles?.includes('admin');
  }
}

If a request has user.roles = ['user'], what will the guard return?

A. false
B. true
C. throws an error
D. undefined
💡 Hint

Check if the roles array includes 'admin'.

📝 Syntax (intermediate)
Which option correctly applies a RolesGuard to a NestJS controller route?

Given a RolesGuard and a Roles decorator, which code snippet correctly protects the getAdminData route to only allow 'admin' role users?

A.
  @Get('admin')
  @UseGuards(RolesGuard)
  @Roles('admin')
  getAdminData() { return 'secret'; }

B.
  @Roles('admin')
  @UseGuards(RolesGuard)
  @Get('admin')
  getAdminData() { return 'secret'; }

C.
  @UseGuards(RolesGuard)
  @Roles('admin')
  @Get('admin')
  getAdminData() { return 'secret'; }

D.
  @Get('admin')
  @Roles('admin')
  @UseGuards(RolesGuard)
  getAdminData() { return 'secret'; }
💡 Hint

Order of decorators matters: guards should be applied before roles.

🔧 Debug (advanced)
Why does this RolesGuard always deny access even for 'admin' users?

Look at this RolesGuard code:

canActivate(context: ExecutionContext): boolean {
  const request = context.switchToHttp().getRequest();
  const user = request.user;
  const requiredRoles = this.reflector.get('roles', context.getHandler());
  return requiredRoles.some(role => user.roles.includes(role));
}

Even when the user has the 'admin' role and the route requires 'admin', access is denied. Why?

A. requiredRoles is undefined
B. this.reflector is undefined or not injected
C. user.roles is undefined
D. some() returns false if user.roles is empty
💡 Hint

Check if this.reflector is properly set up.

State output (advanced)
What is the value of 'isAuthorized' after this NestJS guard runs?

Given this guard snippet:

canActivate(context: ExecutionContext): boolean {
  const request = context.switchToHttp().getRequest();
  const user = request.user;
  const roles = ['admin', 'editor'];
  const isAuthorized = roles.some(role => user.roles?.includes(role));
  return isAuthorized;
}

If user.roles = ['viewer', 'editor'], what is the value of isAuthorized?

A. false
B. throws an error
C. undefined
D. true
💡 Hint

Check if any role in ['admin', 'editor'] is in user.roles.

🧠 Conceptual (expert)
Which statement best describes the role of the Reflector in NestJS role-based authorization?

In NestJS, the Reflector class is often used in guards for role-based authorization. What is its main purpose?

A. It retrieves metadata set by decorators on route handlers or controllers.
B. It manages user session data during authorization.
C. It encrypts role information before checking access.
D. It automatically injects user roles into the request object.
💡 Hint

Think about how decorators store information in NestJS.