Practice & Assessment
Test your understanding of Authentication Fundamentals
Multiple Choice Questions
A user logs in successfully but receives a 403 response when accessing /admin. What does this indicate?
Which cookie attribute prevents JavaScript from reading an auth cookie, protecting against XSS attacks?
What is the primary advantage of stateless authentication over stateful sessions?
Why is bcrypt preferred over SHA-256 for password hashing?
Where is the safest place to store a JWT access token in a browser-based SPA to mitigate XSS risk?
Coding Challenges
Implement a bcrypt Registration and Login Endpoint
Build two Express endpoints. POST /register accepts { email, password }, hashes the password with bcrypt (cost 12), and stores the user in an in-memory array. POST /login accepts the same shape, finds the user by email, checks the password with bcrypt.compare, and returns { success: true } on a match or a 401 error otherwise; use the same 401 response for an unknown email and a wrong password so the endpoint does not reveal which emails are registered. Do not use a database; an in-memory array is fine. Input: valid email + password string. Output: JSON response with a success flag or an error message. Estimated time: 15-20 minutes.
Mini Project
Auth Concepts Cheat Sheet API
Build a small Express API with these routes. GET /concepts returns a JSON array of auth terms (authentication, authorization, stateful, stateless, Bearer token, HttpOnly cookie), each with a one-sentence definition you write. POST /quiz accepts { term, definition } and returns { correct: true/false } by comparing the submitted definition against your stored one (case-insensitive). POST /register and POST /login use bcrypt hashing and an in-memory user store; the login endpoint returns a dummy token string on success. The project exercises bcrypt, correct HTTP status codes (200, 401, 404), and shows the authentication vs authorization distinction through route design: which routes are open, which require a valid token, and what each returns when that check fails.
