Practice & Assessment
Test your understanding of Authentication and Security in REST APIs
Multiple Choice Questions
What are the three parts of a JSON Web Token?
Why should API keys be stored as hashes rather than plaintext in the database?
What security vulnerability does express-mongo-sanitize protect against?
What is the recommended bcrypt salt factor for production password hashing?
Why is storing JWT tokens in localStorage considered a security risk?
Mini Project
Secure User Authentication and Authorization System
Build a production-grade authentication system including: user registration with email verification, login with JWT access and refresh tokens, password reset via email link, Google OAuth login using Passport.js, three roles (user, moderator, admin) with RBAC middleware, API key generation for programmatic access (store hashed), account lockout after 5 failed login attempts, all security middleware (helmet, CORS whitelist, rate limiting, mongo-sanitize, xss-clean), and comprehensive tests for all authentication flows.
