Checkpoint: Build a REST API

Why must express.json() run before any route that reads req.body?

• Because routes are slower than middleware
• Because express.json() also handles authentication
• Because middleware runs top to bottom, and express.json() is what parses the body into req.body
• It does not matter where express.json() is placed

Answer: Because middleware runs top to bottom, and express.json() is what parses the body into req.body. Middleware runs in order. If a route runs before express.json(), req.body is still undefined and validation breaks.

What status code should a failed input validation return in this API?

• 400 Bad Request
• 200 OK
• 401 Unauthorized
• 500 Internal Server Error

Answer: 400 Bad Request. 400 Bad Request signals the client sent malformed or invalid data — here a missing title or a non-numeric year.

A request arrives with no token. Which status code does the auth middleware return?

• 400 Bad Request
• 403 Forbidden
• 404 Not Found
• 401 Unauthorized

Answer: 401 Unauthorized. 401 Unauthorized means the client is not authenticated — no token, or an invalid/expired one — so it must log in first.

Where does the auth middleware go for a protected route like GET /books?

• Before express.json() at the top of the app
• Between the path and the handler: app.get('/books', auth, handler)
• Inside the route handler as the last line
• It must be the very first app.use() call

Answer: Between the path and the handler: app.get('/books', auth, handler). Placed between the path and the handler, Express runs auth first and it can send a 401 and skip the handler when the token is bad.

How does the auth middleware extract the token from the request?

• It reads the Authorization header, strips the 'Bearer ' prefix, and verifies the rest
• It reads req.body.token
• It reads a cookie named jwt
• It reads req.query.token

Answer: It reads the Authorization header, strips the 'Bearer ' prefix, and verifies the rest. The middleware splits the Authorization header on a space, checks for the Bearer scheme, then passes the token to jwt.verify(token, SECRET).

The books are stored in an in-memory array. What is the main downside?

• Arrays are slower than databases for any size
• Arrays cannot store objects
• The data is lost on every restart and is not shared across instances
• Express cannot return arrays as JSON

Answer: The data is lost on every restart and is not shared across instances. In-memory data vanishes on restart and is not shared between processes; a Mongoose model persists it in MongoDB instead.

After a successful POST /books, which status code does the handler send?

• 200 OK
• 201 Created
• 204 No Content
• 202 Accepted

Answer: 201 Created. 201 Created indicates a new resource was created and is returned in the response body, which is exactly what the route does.

Which logger records every incoming HTTP request automatically as middleware?

• pino
• winston-file
• console.trace
• morgan

Answer: morgan. morgan plugs in as middleware and logs every HTTP request; pino is better suited to your own structured application events.

What does POST /login return to the client in this checkpoint?

• A redirect to /books
• A signed JWT, e.g. { token }
• The full user record with a password
• A session cookie only

Answer: A signed JWT, e.g. { token }. The login route signs a JWT with jwt.sign({ sub: 1, name: 'reader' }, SECRET) and returns it as { token }.

How would you make the in-memory books persistent with a real database?

• Write the array to a global variable
• Store the books in process.env
• Replace the array with a Mongoose model: await Book.create(...) and await Book.find()
• Increase the array size limit

Answer: Replace the array with a Mongoose model: await Book.create(...) and await Book.find(). Swapping books.push for await Book.create and the array read for await Book.find persists data in MongoDB while validation, JWT, and logging stay the same.