Practice & Assessment
Test your understanding of REST APIs and Web Communication Patterns
Multiple Choice Questions
A CORS preflight returns Access-Control-Allow-Origin: * but the browser still blocks the request. What is the most likely cause?
A JWT's payload contains the claim: role: 'admin'. A malicious user edits the base64-decoded payload to role: 'superadmin'. Can they use this modified token?
Which real-time pattern is most appropriate for a collaborative document editor where multiple users type simultaneously?
An API returns cursor-based pagination: GET /events returns a next_cursor value. What should you do when next_cursor is null in the response?
An API returns the response header X-RateLimit-Remaining: 0 and X-RateLimit-Reset: 1710001200. Your application must make 50 more requests. What should it do?
A REST API has the endpoint POST /users/42/deactivate. What is wrong with this design?
Coding Challenges
Paginated API Fetcher with Rate Limit Handling
Write a function fetchAllPages(baseUrl, token) that fetches all pages of a cursor-paginated REST API. The API returns {data: [...], next_cursor: string|null} and rate-limit headers (X-RateLimit-Remaining, X-RateLimit-Reset). The function must: collect all records across pages by following next_cursor until null, pause and wait when X-RateLimit-Remaining hits 0, use the X-RateLimit-Reset timestamp to compute exact wait time, and return the combined array of all records. Inputs: API base URL, bearer token. Estimated time: 25–30 minutes.
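One way to implement the fetcher described above, added here as an example rather than code from the original challenge. It assumes an `opts` parameter with injectable `fetchImpl`, `sleep` and `now` hooks (so the logic can be exercised offline) and ships with a constructed fake API, `makeFakeFetch`, that serves numbered pages and rate-limit headers.

```javascript
// Added example, not from the original page. `opts.fetchImpl`, `opts.sleep`
// and `opts.now` are assumed injection points so the logic runs offline.
async function fetchAllPages(baseUrl, token, opts = {}) {
  const fetchImpl = opts.fetchImpl || globalThis.fetch;
  const sleep = opts.sleep || ((ms) => new Promise((r) => setTimeout(r, ms)));
  const now = opts.now || (() => Date.now());
  const records = [];
  let cursor = null;
  do {
    const url = new URL(baseUrl);
    if (cursor !== null) url.searchParams.set('cursor', cursor);
    const res = await fetchImpl(url.toString(), {
      headers: { Authorization: `Bearer ${token}` },
    });
    if (!res.ok) throw new Error(`HTTP ${res.status} from ${url}`);
    const body = await res.json();
    records.push(...body.data);
    cursor = body.next_cursor; // null means this was the last page
    // Missing headers become NaN so they can never be mistaken for "0 left".
    const remaining = Number(res.headers.get('X-RateLimit-Remaining') ?? NaN);
    const reset = Number(res.headers.get('X-RateLimit-Reset') ?? NaN); // unix s
    if (cursor !== null && remaining === 0 && Number.isFinite(reset)) {
      // Quota exhausted: sleep exactly until the window resets (never negative).
      await sleep(Math.max(0, reset * 1000 - now()));
    }
  } while (cursor !== null);
  return records;
}

// Constructed fake API for offline use: pages[i] = {data, remaining, reset}.
// Page 0 is served when no cursor is sent; page i is served for cursor "c<i>".
function makeFakeFetch(pages) {
  const calls = [];
  const fetchImpl = async (url, init) => {
    const cursor = new URL(url).searchParams.get('cursor');
    const i = cursor === null ? 0 : Number(cursor.slice(1));
    const page = pages[i];
    calls.push({ cursor, auth: init.headers.Authorization });
    const headers = new Map([['x-ratelimit-remaining', String(page.remaining)],
                             ['x-ratelimit-reset', String(page.reset)]]);
    return {
      ok: true, status: 200,
      headers: { get: (name) => headers.get(name.toLowerCase()) },
      json: async () => ({ data: page.data, next_cursor: i + 1 < pages.length ? `c${i + 1}` : null }),
    };
  };
  return { fetchImpl, calls };
}
```

A real deployment would also treat an HTTP 429 as a retryable condition rather than a hard failure; the spec above does not ask for that, so the example throws.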
Mini Project
REST API with JWT Auth and WebSocket Feed
Build a small server (Node.js Express or Python FastAPI) that combines REST and WebSocket patterns. REST endpoints: POST /auth/login (accepts {username, password}, returns a signed JWT with a 15-minute expiry), GET /events (JWT-protected, returns paginated events with a cursor), POST /events (JWT-protected, creates a new event). WebSocket endpoint: ws://localhost:3000/feed — after sending a valid JWT in the first message, the client is subscribed and receives a real-time push whenever a new event is created via POST /events. CORS must be configured to allow localhost:5173 as the origin. Rate limit GET /events to 10 requests per 10 seconds per token, returning X-RateLimit headers. Use in-memory storage (no database required).
