Chapter quiz · Data & Auth

Test what you learned.

8 questions on Data & Auth. Pass 70% to clear the chapter.

← Review chapter lessons

Quiz

Data & Auth — Chapter Quiz

Eight questions on the db plugin pattern, Postgres, Prisma, Drizzle, MongoDB, cookies, JWT, sessions, and CSRF.

0/ 9

Question 1
1
What's the idiomatic way to share a database client across routes?
AImport it in every route fileBRegister a plugin that decorates the app with db and wrap it with fastify-pluginCPut it on globalThisDUse a singleton module
A plugin that calls app.decorate('db', client) and is wrapped with fp makes the client available as app.db everywhere, with one place to manage its lifecycle (close on shutdown).
Question 2
2
What does @fastify/postgres provide?
AAn ORM on top of node-postgresBA pool decorator (app.pg.query, app.pg.pool) plus per-request transactionsCA query builderDA migration runner
It wraps node-postgres' Pool and exposes it on the app, with helpers for per-request transactions via request.transact(). ORMs (Prisma, Drizzle) are separate.
Question 3
3
Prisma and Drizzle each have a Fastify plugin pattern, but they're both used by decorating the app with the client.
TTrueFFalse
Whether you use Prisma's PrismaClient or Drizzle's drizzle(...), the idiom is the same — instantiate once, app.decorate('db', ...), and close on onClose.
Question 4
4
To read a cookie from a request after registering @fastify/cookie, you use request.____.sid.
@fastify/cookie decorates the request with a cookies object that maps name → value (with optional signature verification).
Question 5
5
What does @fastify/jwt give you?
Aapp.jwt.sign(...), app.jwt.verify(...), and request.jwtVerify()BA login UICA user databaseDOAuth flows
The plugin handles signing and verification — app.jwt for app-level use, request.jwtVerify() and request.jwtSign() for per-request use. It does not handle storage, login UI, or OAuth.
Question 6
6
Which is generally safer for browser-facing session auth?
AJWT in localStorageBJWT in a non-httpOnly cookieCServer-side sessions with an httpOnly + secure cookieDNo auth at all
Server-side sessions in httpOnly cookies are resistant to XSS (JS can't read them) and let you revoke server-side. JWTs in localStorage are XSS-vulnerable; JWTs in cookies need CSRF protection.
Question 7
7
After this hook, what does request.user contain on a valid JWT request?
```
app.addHook('onRequest', async (request) => {
  await request.jwtVerify();
});
```
AThe decoded JWT payloadBThe raw JWT stringCundefined — you must set it manuallyDA function that returns the payload
request.jwtVerify() checks the signature/expiry and assigns the decoded payload to request.user. Override formatUser in the plugin options to customize this shape.
Question 8
8
Which mitigations help against CSRF on cookie-based auth?
Select all that apply.
ASameSite=Lax or Strict on the session cookieBA CSRF token verified per state-changing requestCOrigin / Referer header checks on POST/PUT/DELETEDStoring the token in localStorage
SameSite cookies, anti-CSRF tokens (via @fastify/csrf-protection), and Origin/Referer checks all help. Moving to localStorage just trades CSRF risk for XSS risk.