
JWT vs session strategy in NextJS - Practice Questions

🧠 Conceptual
intermediate
Understanding JWT vs Session Storage

Which of the following best describes a key difference between JWT and session-based authentication strategies in Next.js?

A. Sessions are stateless and do not require server memory, JWTs always require server memory.
B. JWT requires server-side storage for each user session, sessions do not.
C. JWTs cannot be used for authentication in Next.js applications.
D. JWT stores user data on the client side, while sessions store data on the server side.
💡 Hint

Think about where the user data is kept in each method.

component_behavior
intermediate
Next.js API Route with JWT Authentication

Given a Next.js API route that verifies a JWT token from the Authorization header, what will happen if the token is missing or invalid?

NextJS
export default async function handler(req, res) {
  const authHeader = req.headers.authorization;
  if (!authHeader) {
    return res.status(401).json({ error: 'No token provided' });
  }
  const token = authHeader.split(' ')[1];
  try {
    const user = verifyToken(token); // throws if invalid
    res.status(200).json({ user });
  } catch {
    res.status(403).json({ error: 'Invalid token' });
  }
}
A. Responds with 403 status and 'Invalid token' error if token is missing.
B. Responds with 200 status and empty user object if token is missing.
C. Responds with 401 status and 'No token provided' error if token is missing.
D. Throws a server error and crashes the API route.
💡 Hint

Check the condition for missing token before verification.

state_output
advanced
Session Storage Behavior in Next.js

In a Next.js app using session-based authentication, what will be the value of req.session.user after a user logs out?

NextJS
export default async function handler(req, res) {
  if (req.method === 'POST' && req.url === '/logout') {
    req.session.destroy();
    res.status(200).json({ message: 'Logged out' });
  } else {
    res.status(200).json({ user: req.session.user || null });
  }
}
A. null, because the session is destroyed and user data is removed.
B. An empty object {}, because the session remains but user data is cleared.
C. The previous user object, because session destruction is asynchronous and not immediate.
D. Undefined, because req.session is deleted entirely.
💡 Hint

Consider what happens to session data after calling destroy().

📝 Syntax
advanced
Correct JWT Verification Syntax in Next.js

Which option correctly verifies a JWT token using the jsonwebtoken library in a Next.js API route?

NextJS
import jwt from 'jsonwebtoken';

export default function handler(req, res) {
  const token = req.headers.authorization?.split(' ')[1];
  try {
    // Verify token here
  } catch (err) {
    res.status(401).json({ error: 'Unauthorized' });
  }
}
A. const user = jwt.verify(token, process.env.JWT_SECRET);
B. const user = jwt.decode(token, process.env.JWT_SECRET);
C. const user = jwt.verify(token);
D. const user = jwt.decode(token);
💡 Hint

Which method checks the token signature using a secret?

🔧 Debug
expert
Debugging Token Expiry Handling in Next.js

A Next.js API route uses JWT for authentication. The code catches errors during verification but does not distinguish token expiry errors. What is the likely user experience when a token expires?

NextJS
try {
  const user = jwt.verify(token, process.env.JWT_SECRET);
  res.status(200).json({ user });
} catch (err) {
  res.status(401).json({ error: 'Unauthorized' });
}
A. User is redirected to login automatically without error message.
B. User always sees 'Unauthorized' error without knowing the token expired.
C. User receives a specific 'Token expired' error message.
D. The API route crashes due to unhandled token expiry error.
💡 Hint

Check how errors are handled in the catch block.