Script Valley
HTTP & The Web: How It Actually Works
REST APIs and Web Communication Patterns/Assessment

Practice & Assessment

Test your understanding of REST APIs and Web Communication Patterns

Multiple Choice Questions

1. A CORS preflight returns Access-Control-Allow-Origin: * but the browser still blocks the request. What is the most likely cause?

2. A JWT's payload contains the claim: role: 'admin'. A malicious user edits the base64-decoded payload to role: 'superadmin'. Can they use this modified token?

3. Which real-time pattern is most appropriate for a collaborative document editor where multiple users type simultaneously?

4. An API returns cursor-based pagination: GET /events returns a next_cursor value. What should you do when next_cursor is null in the response?

5. An API returns the response headers X-RateLimit-Remaining: 0 and X-RateLimit-Reset: 1710001200. Your application must make 50 more requests. What should it do?

6. A REST API has the endpoint POST /users/42/deactivate. What is wrong with this design?

Coding Challenges

1. Paginated API Fetcher with Rate Limit Handling

Write a function fetchAllPages(baseUrl, token) that fetches all pages of a cursor-paginated REST API. The API returns {data: [...], next_cursor: string|null} and rate-limit headers (X-RateLimit-Remaining, X-RateLimit-Reset). The function must: collect all records across pages by following next_cursor until null, pause and wait when X-RateLimit-Remaining hits 0, use the X-RateLimit-Reset timestamp to compute exact wait time, and return the combined array of all records. Inputs: API base URL, bearer token. Estimated time: 25–30 minutes.

Medium

Mini Project

1. REST API with JWT Auth and WebSocket Feed

Build a small server (Node.js Express or Python FastAPI) that combines REST and WebSocket patterns. REST endpoints: POST /auth/login (accepts {username, password}, returns a signed JWT with a 15-minute expiry), GET /events (JWT-protected, returns paginated events with a cursor), POST /events (JWT-protected, creates a new event). WebSocket endpoint: ws://localhost:3000/feed. After sending a valid JWT in the first message, the client is subscribed and receives a real-time push whenever a new event is created via POST /events. CORS must be configured to allow localhost:5173 as the origin. Rate limit GET /events to 10 requests per 10 seconds per token, returning X-RateLimit headers. Use in-memory storage (no database required).

Hard