Episode 3 — NodeJS MongoDB Backend Architecture / 3.14 — Authentication and Authorization
3.14 — Exercise Questions: Authentication & Authorization
Practice for Section 3.14 -- authentication, authorization, bcrypt, JWT, middleware, RBAC, and Passport.js.
How to use this material (instructions)
- Read README.md, sections 3.14.a through 3.14.f.
- Answer closed-book -- then compare to the lessons.
- Interview prep -- 3.14-Interview-Questions.md.
- Cheat sheet -- 3.14-Quick-Revision.md.
Authentication vs Authorization (Q1--Q10)
Q1. Define authentication in one sentence.
Q2. Define authorization in one sentence.
Q3. A user logs in with correct credentials but receives a 403 Forbidden when accessing /admin. Which layer rejected the request -- authentication or authorization?
Q4. What HTTP status code means "you have not proven your identity" (not authenticated)?
Q5. What HTTP status code means "you are authenticated but lack permission" (not authorized)?
Q6. In the airport analogy, what does the passport represent and what does the boarding pass represent?
Q7. Why must authentication always happen before authorization in middleware?
Q8. Name three different authentication methods beyond username/password.
Q9. What is the difference between RBAC and permission-based access control?
Q10. A developer hides the "Admin Panel" button in the React frontend for non-admin users. Is the admin panel secure? Why or why not?
Password Security / Bcrypt (Q11--Q22)
Q11. Why should you never store passwords in plain text?
Q12. What is the fundamental difference between hashing and encryption?
Q13. Can you reverse a bcrypt hash to get the original password?
Q14. What is a salt in the context of password hashing?
Q15. Two users set their password to "hello123". With bcrypt, are their stored hashes identical? Why?
Q16. What are salt rounds (cost factor)? What happens if you increase them?
Q17. What is the recommended number of salt rounds for a production application?
Q18. Write the code to hash a password with bcrypt (12 rounds).
Q19. Write the code to compare a plain-text password against a stored bcrypt hash.
Q20. In a Mongoose pre-save hook for password hashing, why is if (!this.isModified('password')) return next(); critical?
Q21. What is a rainbow table attack, and how does bcrypt's salt prevent it?
Q22. Compare bcrypt and argon2: which is newer, and which is the current OWASP recommendation for new projects?
Session vs Token Authentication (Q23--Q32)
Q23. In session-based auth, where is the session data stored?
Q24. In token-based auth (JWT), where is the user information stored?
Q25. Why is the default in-memory session store not suitable for production?
Q26. Name two session stores suitable for production and explain why.
Q27. You have 5 servers behind a load balancer. With session-based auth, why does request routing become a problem? How do you solve it?
Q28. With JWT-based auth, do you need shared storage across servers? Why or why not?
Q29. How do you invalidate a session? How do you invalidate a JWT?
Q30. What is the difference between sameSite: 'strict' and sameSite: 'lax' on a cookie?
Q31. Why is storing a JWT in localStorage considered less secure than an httpOnly cookie?
Q32. Describe the hybrid approach of storing a JWT inside an httpOnly cookie. What are the benefits?
JWT Deep Dive (Q33--Q44)
Q33. What do the three parts of a JWT represent? (Header.Payload.Signature)
Q34. Is the payload of a JWT encrypted? Can anyone read it?
Q35. What standard claim controls when a JWT expires?
Q36. What is the difference between jwt.verify() and jwt.decode()? Which should you use for authentication?
Q37. Write the code to create a JWT that expires in 15 minutes.
Q38. Write the code to verify a JWT and handle TokenExpiredError.
Q39. Explain the access token + refresh token pattern. Why not use just one long-lived token?
Q40. Where should you store the access token and where should you store the refresh token in a web app?
Q41. Why should JWT secrets come from environment variables and never be hardcoded?
Q42. A JWT payload contains { userId: "123", role: "admin" }. The user's role is later changed to "user" in the database. Does the JWT reflect this change automatically?
Q43. What is token rotation for refresh tokens, and why is it important?
Q44. What is the difference between a JWT (self-contained token) and an opaque token (random string)?
Auth Middleware & RBAC (Q45--Q52)
Q45. List the steps an authentication middleware performs, in order.
Q46. Why does auth middleware set req.user instead of returning user data directly?
Q47. Write an authorize('admin', 'moderator') middleware factory function.
Q48. What is the difference between applying authenticate to specific routes vs applying it with app.use('/api', authenticate)?
Q49. A route should allow users to edit only their own profile, but admins can edit anyone's. Write middleware for this.
Q50. In RBAC, you define roles as user, moderator, admin. Where should the role-permission mapping live in your codebase?
Q51. Why is it important to return 401 (not 403) when no token is provided, and 403 (not 401) when the user lacks permission?
Q52. A middleware checks req.user.role but req.user is undefined. What went wrong?
Passport.js (Q53--Q60)
Q53. What design pattern does Passport.js use for different authentication methods?
Q54. In the passport-local strategy, what does the verify callback receive and what should it return via done()?
Q55. What do passport.serializeUser and passport.deserializeUser do? When is each called?
Q56. For Google OAuth 2.0, list the 4 pieces of configuration needed for the strategy.
Q57. A user registered with email/password. They later click "Login with Google" (same email). What should happen?
Q58. What is the difference between session-based Passport and JWT-based Passport (passport-jwt)?
Q59. Why does passport-jwt not require serializeUser / deserializeUser?
Q60. Write the Express route that initiates Google OAuth authentication and the callback route that handles the response.
Answer hints
| Q | Hint |
|---|---|
| Q3 | Authorization -- identity was proven (authenticated), but role check failed |
| Q4 | 401 Unauthorized (misleading name; really means unauthenticated) |
| Q5 | 403 Forbidden |
| Q13 | No -- hashing is one-way by design |
| Q15 | No -- different salts produce different hashes |
| Q17 | 10--12 salt rounds |
| Q20 | Without it, saving any field (e.g., name) would re-hash the already-hashed password |
| Q27 | Sessions live on one server; use Redis as shared session store |
| Q28 | No -- any server with the secret can verify the JWT signature |
| Q29 | Session: delete from store; JWT: cannot easily -- use blacklist or wait for expiry |
| Q34 | Not encrypted -- base64-encoded; anyone can decode and read it |
| Q36 | verify checks signature + expiry; decode does not -- always use verify |
| Q42 | No -- JWT payload is fixed at creation time; stale until token expires |
| Q52 | The authenticate middleware did not run (or was skipped) before authorize |
| Q53 | Strategy pattern -- pluggable authentication mechanisms |
| Q59 | JWT is stateless -- no session to serialize into |