Script Valley
REST API Development: Beginner to Production
Authentication and Authorization/Assessment

Practice & Assessment

Test your understanding of Authentication and Authorization

Multiple Choice Questions (5)

1. A JWT's payload contains `{ sub: 'user_42', role: 'admin' }`. Is the payload encrypted?

2. Why is the refresh token stored in an httpOnly cookie rather than returned in the response body?

3. What does the `authorize('admin')` middleware return when called by an authenticated user with role 'user'?

4. Why should the bcrypt cost factor (salt rounds) be tuned so hashing takes ~300ms rather than using a fixed value like 10?

5. You delete a refresh token from the database in your /auth/refresh endpoint before issuing a new one. What security mechanism does this implement?

Coding Challenges (1)

1. Implement JWT login and protected routes

Build an Express auth system:
1) POST /auth/register: accept { name, email, password }, hash the password with bcrypt (cost 12), store the user in a Map, return 201 with { id, email }.
2) POST /auth/login: verify credentials, return a JWT (HS256, 15m expiry) with { sub: userId, role } in the payload.
3) GET /me: protected route, requires a valid Bearer token, returns the decoded user payload.
4) GET /admin: requires role 'admin', returns 403 for non-admins.
Seed one admin user. Test all four endpoints. Time estimate: 30 minutes.

Difficulty: Medium

Mini Project (1)

1. Secure Notes API with Auth and RBAC

Build a notes API with full authentication.
Auth endpoints: POST /auth/register, POST /auth/login (returns access token), POST /auth/refresh (uses httpOnly cookie), POST /auth/logout (clears cookie, deletes refresh token).
Protected endpoints: GET /notes (returns only the calling user's notes), POST /notes, PATCH /notes/:id (only owner or admin), DELETE /notes/:id (only owner or admin). GET /admin/users (admin only, lists all users).
Notes have: id, title, content, userId, createdAt.
Use bcrypt for passwords, two separate JWT secrets for access and refresh tokens, and an in-memory store for users, notes and refresh tokens. All error responses must use the consistent { error: { code, message } } envelope.

Difficulty: Hard