Script Valley
REST API Development: Beginner to Production
Testing, Documentation, and Production Deployment/Assessment

Practice & Assessment

Test your understanding of Testing, Documentation, and Production Deployment

Multiple Choice Questions

1. Why must you export `app` from app.js WITHOUT calling app.listen() when writing Supertest integration tests?

2. What does `app.set('trust proxy', 1)` do, and when is it required?

3. Why should you validate environment variables at application startup using a tool like envalid?

4. Which single npm package applies a set of security-related HTTP response headers (the exact number depends on the package version) with one middleware call?

5. A Node.js API is deployed to Railway behind a load balancer. Rate limiting is configured, but every user hits the limit immediately. What is the likely cause?

6. You add a GET /health endpoint that returns `{ status: 'ok' }`. What is the primary purpose of this endpoint in production?
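The following is an added example for questions 2 and 5; it is not code from the Script Valley course. It reproduces the address-selection rule of the proxy-addr package that Express uses to compute req.ip, then pushes constructed traffic through a minimal per-IP rate limiter to show why the `trust proxy` setting decides whether the limiter works behind a load balancer. The IP addresses, the limiter and the traffic are all made up for the demonstration.

```javascript
// Added example (not course code): how `trust proxy` changes the IP a per-IP
// rate limiter keys on. Address selection follows proxy-addr, which Express
// uses for req.ip; the limiter and all addresses below are constructed.

// Express builds a chain starting with the TCP peer address, followed by the
// X-Forwarded-For entries from right (nearest proxy) to left (furthest hop).
function addressChain(remoteAddress, xff) {
  const hops = xff
    ? xff.split(',').map((s) => s.trim()).filter(Boolean).reverse()
    : [];
  return [remoteAddress, ...hops];
}

// trust is false (no proxy), true (trust every hop) or a hop count N as in
// app.set('trust proxy', N). Returns what Express would expose as req.ip:
// the first address in the chain that is not a trusted proxy.
function clientIp(remoteAddress, xff, trust) {
  const chain = addressChain(remoteAddress, xff);
  const isTrusted = trust === true ? () => true : (_addr, i) => i < Number(trust);
  let i = 0;
  while (i < chain.length - 1 && isTrusted(chain[i], i)) i++;
  return chain[i];
}

// Fixed-window limiter keyed by whatever the app believes the client IP is.
function createRateLimiter(max) {
  const counts = new Map();
  return {
    hit(key) {
      const n = (counts.get(key) || 0) + 1;
      counts.set(key, n);
      return n <= max; // false means this request would get a 429
    },
  };
}

// Push requests through a limiter allowing `max` hits per key and report how
// many were allowed and which keys the limiter actually saw.
function simulate(requests, trust, max) {
  const limiter = createRateLimiter(max);
  const keys = new Set();
  let allowed = 0;
  for (const r of requests) {
    const key = clientIp(r.remoteAddress, r.xff, trust);
    keys.add(key);
    if (limiter.hit(key)) allowed++;
  }
  return { allowed, keys: [...keys] };
}

// Constructed traffic: three distinct users, one request each, all arriving
// through a load balancer at 10.0.0.5 that appends the real client address.
const LB = '10.0.0.5';
const normalTraffic = ['203.0.113.10', '203.0.113.11', '203.0.113.12']
  .map((ip) => ({ remoteAddress: LB, xff: ip }));

// Constructed abuse: one client at 198.51.100.7 sends five requests, each with
// a different forged X-Forwarded-For value; the balancer appends its real IP.
const forgedTraffic = [1, 2, 3, 4, 5]
  .map((n) => ({ remoteAddress: LB, xff: `192.0.2.${n}, 198.51.100.7` }));

// trust proxy off: every user is keyed as the balancer, so with a limit of 1
// only the first request of anyone gets through (the symptom in question 5).
console.log('no trust:         ', simulate(normalTraffic, false, 1));
// trust proxy 1: the limiter keys on the address the balancer appended.
console.log('trust 1:          ', simulate(normalTraffic, 1, 1));
// trust proxy true: a forged header becomes req.ip, so the abuser gets a
// fresh bucket per request and the limit never triggers.
console.log('trust all, forged:', simulate(forgedTraffic, true, 1));
console.log('trust 1, forged:  ', simulate(forgedTraffic, 1, 1));
```

The practical rule this illustrates: set `trust proxy` to the number of proxies you actually own in front of the app (1 on Railway or Render), never to `true`, because trusting every hop hands control of req.ip, and therefore of the rate-limit key, to whoever writes the X-Forwarded-For header.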

Coding Challenges

1. Write integration tests for a users API (Medium; time estimate: 25 minutes)

Given an Express app with GET /users, GET /users/:id, POST /users, and DELETE /users/:id using in-memory storage, write a complete Jest + Supertest test suite covering:

1) GET /users returns 200 and an array.
2) POST /users with a valid body returns 201 and the created object.
3) POST /users with a missing name field returns 422 with an errors array.
4) GET /users/:id returns 404 for a non-existent ID.
5) DELETE /users/:id returns 204.
6) GET on the deleted user's ID then returns 404.

Reset the in-memory state in beforeEach so that every test passes independently and in any order.
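The following is an added example and not the course's own solution. It replaces Express and Supertest with a dependency-free stand-in: `createUsersApi()` exposes a synchronous `request(method, path, body)` that returns the `{ status, body }` the HTTP routes would, so the six scenarios above and the state reset can be checked without starting a server. The route shapes, the `{ errors: [{ field, message }] }` envelope and the sample user data are assumptions made here.

```javascript
// Added example (not course code): a server-free stand-in for the users API
// plus the six challenge scenarios, run with a reset before each one. The
// route shapes and the 422 error envelope are assumptions of this example.

function createUsersApi() {
  let users = new Map();
  let nextId = 1;

  // One entry per problem. Only field names are echoed, never raw input, so a
  // validation response cannot reflect attacker-controlled content.
  function validateUser(body) {
    const errors = [];
    if (!body || typeof body.name !== 'string' || body.name.trim() === '') {
      errors.push({ field: 'name', message: 'name is required' });
    }
    if (body && body.email !== undefined && !/^[^\s@]+@[^\s@]+$/.test(body.email)) {
      errors.push({ field: 'email', message: 'email is invalid' });
    }
    return errors;
  }

  function request(method, path, body) {
    const m = /^\/users(?:\/([^/]+))?$/.exec(path);
    if (!m) return { status: 404, body: { error: 'not found' } };
    const id = m[1] === undefined ? null : Number(m[1]);
    if (id === null) {
      if (method === 'GET') return { status: 200, body: [...users.values()] };
      if (method === 'POST') {
        const errors = validateUser(body);
        if (errors.length) return { status: 422, body: { errors } };
        const user = { id: nextId++, name: body.name.trim(), email: body.email ?? null };
        users.set(user.id, user);
        return { status: 201, body: user };
      }
      return { status: 405, body: { error: 'method not allowed' } };
    }
    const user = users.get(id); // Number('abc') is NaN, which simply misses
    if (!user) return { status: 404, body: { error: 'user not found' } };
    if (method === 'GET') return { status: 200, body: user };
    if (method === 'DELETE') {
      users.delete(id);
      return { status: 204, body: null };
    }
    return { status: 405, body: { error: 'method not allowed' } };
  }

  // What beforeEach should call: wipe all state so tests pass in any order.
  function reset() {
    users = new Map();
    nextId = 1;
  }

  return { request, reset };
}

// The six scenarios, each a function of the api so they can run in any order.
// listReturnsArray also checks emptiness, which only holds if reset ran.
const scenarios = {
  listReturnsArray(api) {
    const res = api.request('GET', '/users');
    return res.status === 200 && Array.isArray(res.body) && res.body.length === 0;
  },
  createReturnsCreated(api) {
    const res = api.request('POST', '/users', { name: 'Ada', email: 'ada@example.org' });
    return res.status === 201 && res.body.name === 'Ada' && typeof res.body.id === 'number';
  },
  missingNameIsUnprocessable(api) {
    const res = api.request('POST', '/users', { email: 'x@example.org' });
    return res.status === 422 && Array.isArray(res.body.errors) && res.body.errors[0].field === 'name';
  },
  unknownIdIsNotFound(api) {
    return api.request('GET', '/users/999').status === 404;
  },
  deleteReturnsNoContent(api) {
    const { body } = api.request('POST', '/users', { name: 'Grace' });
    return api.request('DELETE', `/users/${body.id}`).status === 204;
  },
  deletedUserIsGone(api) {
    const { body } = api.request('POST', '/users', { name: 'Grace' });
    api.request('DELETE', `/users/${body.id}`);
    return api.request('GET', `/users/${body.id}`).status === 404;
  },
};

// Runs the scenarios in the given order with a reset before each, mirroring
// beforeEach(() => api.reset()); returns a name -> passed map.
function runScenarios(order = Object.keys(scenarios)) {
  const api = createUsersApi();
  const results = {};
  for (const name of order) {
    api.reset();
    results[name] = scenarios[name](api);
  }
  return results;
}

console.log(runScenarios());
console.log(runScenarios(Object.keys(scenarios).reverse()));
```

In the real suite each scenario body becomes a `test()` whose `api.request(...)` calls are `request(app).get(...)`/`.post(...).send(...)` against the exported `app` (the one that does not call `app.listen()`), and the reset moves into `beforeEach`. Running the scenarios in reverse is the cheap way to prove the reset is doing its job.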

Mini Project

1. Production-Ready REST API — Final Capstone (Hard)

Bring together every module concept in a single deployable API. Build a task management API with:

- PostgreSQL via Prisma (User, Task, Tag models).
- JWT auth with refresh tokens delivered in an httpOnly cookie.
- Full CRUD for /tasks with filtering, sorting, and cursor pagination.
- Zod validation on all mutations.
- A consistent error envelope.
- Role-based access: admins can delete any task; users can delete only their own.
- Rate limiting on the /auth endpoints (10 requests per 15 minutes) and globally (100 requests per minute).
- Helmet and CORS.
- OpenAPI docs at /api-docs.
- A health check at /health.
- Jest + Supertest tests covering at least 8 scenarios.
- A .env.example documenting every required variable.
- A README with local setup instructions and deployment notes.
- Deployment to Railway or Render with a live URL (both platforms run your app behind a proxy, so configure trust proxy correctly before relying on per-IP rate limits).