Exam 2020-08-13
Here you find sample answers and marking guidelines to the questions on the exam 2020-08-13.
Start by reading through all questions.
Max score is 30 points.
- For grade 3, 40% of max score (12 points) is required
- For grade 4, 60% of max score (18 points) is required
- For grade 5, 80% of max score (24 points) is required
You are not allowed to use anything else except:
- The computer you sit at to only answer the questions on this exam
- A dictionary to translate to/from English from/to your native language
Write your answers in either English or Swedish. If you write your answers in Swedish, make sure to not introduce any translation confusement. Write proper sentences (spelling, upper/lower case characters, punctuation, etc.). Answers that do not do this good enough/are vague/are not understandable cannot receive full score on the questions.
Answers that are more or less copies of sample answers given to you or copies of text found somewhere else will be rewarded 0 points. Use your own words to answer the questions.
Good luck!
Question 1 (1p)
Question
Does it make sense to use the body in an HTTP GET request? Justify your answer.
Question 2 (2p)
Question
Alice is assigned the task to design a REST API clients can use to login and then create new blogposts belonging to that account. She decides that when a user logs in, the client obtains an access token containing the user's account id, which can be used to act on the behalf of that user. Then when the user wants to create a new blogpost belonging to her own account, the client sends an HTTP POST request to /blogposts with the headers Authorization: Bearer THE.ACCESS.TOKEN and Content-Type: application/json, and in the body pass {"title": "The actual title", "content": "The blogpost text."}.
Is this a good or bad design? Justify your answer.
Question 3 (1p)
Question
Explain what the HTTP headers Accept and Content-Type are used for respectively. Which of them can be used in requests and responses respectively?
Question 4 (1p)
Question
Match each HTTP status code with its reason phrase.
Status codes:
- 201
- 401
- 501
- 204
- 200
Reason phrases:
- No Content
- OK
- Created
- Not Implemented
- Unauthorized
Question 5 (2p)
Question
Explain what the middlewares from the npm package body-parser do, and describe how one of them works. Try to be as detailed as possible. There is of course no need to mention any code.
Question 6 (1p)
Question
A REST architecture consists of a set of architectural constraints, as described by Roy Thomas Fielding. Explain what an architectural constraint is.
Question 7 (3p)
Question
Name and describe each architectural constraint REST consists of.
Question 8 (1.5p)
Question
Here is a short story:
Alice is going to an amusement park for adults only (only people older than 18 years are allowed). At the entrance she needs to show her driver license to prove that she's older than 18 years, and then she pays for a "ride pass" (a piece of paper you put around your wrist giving you free access to all the fun things inside the amusement park). She receives her ride pass and put it around her wrist. Then she goes to a merry-go-around, show her ride pass to the responsible personnel there, which let her onboard the merry-go-around, and then she have the time of her life.
In this story, we have one identity and places where authentication and authorization takes place. Which are (all of) them? You only need to mention those that are explicitly mentioned in the text.
Question 9 (2p)
Question
Willy is assigned the task to design a REST API clients can use to compute mathematical expressions consisting of one operator (+, -, * or /) and two numbers. He decides that clients should send a POST request to /compute, add the header Content-Type: application/json and then in the body pass {"leftOperand": 123, "operator": "+", "rightOperand": 321} (123, "+" and 321 are sample values). The response would then contain the result of the mathematical expression (i.e. a number).
This design is quite poor. Explain to Willy what he has done wrong and suggest a better design.
Question 10 (2p)
Question
Explain what Cross-Origin Resources Sharing is and describe when it is used and how it works.
Question 11 (3p)
Question
JWT tokens are self-contained. That means that the data the token represents is stored in the token itself. Therefore, when a client obtains an access token that has been implemented as a JWT token, the client can read the data in the token, and even change it, for example modify the data in it to mean that the client has access to resources it shouldn't have access to. But the server has a way to discover if the client has modified the token. Explain how the server does that by describing a detailed example.
Question 12 (1.5p)
Question
When logging in over a REST API, explain why it's most often not is enough to only receive an access token, but you also need to receive an ID token.
Question 13 (4p)
Question
OAuth 2.0 defines four different ways a client can obtain an access token. Explain how each of them works and when you are supposed to use which one.
Question 14 (1p)
Question
Must an ID Token from OpenID Connect be self-contained? Justify your answer.
Question 15 (2p)
Question
How can clients obtain an ID Token from a server that supports OpenID Connect?
Question 16 (1p)
Question
In relational databases, explain why it's better to use a foreign key constraint instead of first sending a query to check if a constraint is fulfilled and then go ahead and execute the actual query you wanted to send if the constraint was fulfilled. Also show an example of this with actual queries.
Question 17 (1p)
Question
The code below is taken from an Express application making use of an SQLite database.
app.get("/humans", function(request, response){
let data = {}
db.all("SELECT * FROM humans", function(error, fetchedHumans){
// For simplicity, let us assume no database error occurred.
data.humans = fetchedHumans
})
response.json(data.humans)
})
The response back to the client never includes any human resources, although the database contains plenty of them. Why? Also, rewrite the code so it works as intended.