Your task is to implement Role-Based Access Control (RBAC) using Express.js and JWT authentication.
The goal is to protect routes based on user roles (admin, teacher, student) and ensure only authorized users can access them.
All automated tests in rbac.test.js must pass ✅.
Install dependencies
npm installStart server
npm run devYou must implement a working Express server in src/server.js
Your code must satisfy all of the following requirements:
URL: /login
Method: POST
Body:
{
"username": "alice",
"password": "123"
}Expected Behavior:
-
Validate credentials from a hardcoded user list.
-
If valid:
-
Return a JSON Web Token (JWT) signed with a secret key.
-
The token must include the user's username and role.
-
-
If invalid:
- Respond with 401 and { "message": "Invalid credentials" }.
✅ Test expectations:
-
Login works for all three users: admin, teacher, student.
-
JWT token returned contains correct role.
-
Invalid credentials are rejected.
You must create a middleware that:
-
Checks for Authorization: Bearer <token> header.
-
Verifies the token using the same secret key.
-
If valid → attach decoded user info to req.user and call next().
-
If missing → respond with 401 and { "message": "Missing token" }.
-
If invalid → respond with 403 and { "message": "Invalid token" }.
✅ Test expectations:
-
Requests without a token fail with 401.
-
Requests with invalid token fail with 403.
-
Valid token allows access.
Create a middleware authorize(allowedRoles) that:
-
Checks if req.user.role is included in allowedRoles.
-
If not → respond with 403 and { "message": "Access denied" }.
✅ Test expectations:
-
Admin-only routes block teacher/student.
-
Teacher-only routes block students.
-
Student routes allow only students.
Implement the following routes:
| Route | Allowed Role | Expected Response Text |
|---|---|---|
| GET /admin | admin | "Welcome, admin!" |
| --- | --- | --- |
| GET /teacher | teacher | "Welcome, teacher!" |
| --- | --- | --- |
| GET /student | student | "Welcome, student!" |
| --- | --- | --- |
✅ Test expectations:
- Each route is only accessible by the correct role.
Use the secret key exactly as:
const JWT_SECRET = "newtonschoolsecret";✅ The test file expects this key for signing/verification.
All tests are located in test/rbac.test.js.
They use Supertest to check:
-
Login responses
-
Token structure
-
Authorization logic
-
Access control
You should not modify the test file.
Just write code in src/server.js until all tests pass.
npm test🎓 Newton School RBAC Assignment
🔐 /login endpoint
✓ should login admin and return JWT
✓ should login teacher and return JWT
✓ should login student and return JWT
✓ should reject invalid credentials
🛡️ Role-based access
✓ should allow admin to access /admin
✓ should deny teacher from accessing /admin
✓ should allow teacher to access /teacher
✓ should deny student from accessing /teacher
✓ should allow student to access /student
✓ should reject access with missing token
✓ should reject access with invalid token
11 passing 🎉-
Make sure you export the app from your Express file for testing.
-
Do not hardcode tokens - generate them dynamically.
-
Use
express.json()middleware to parse JSON requests. -
Don't forget to listen on a port when running locally (app.listen), but export the app for tests.