Context: you already have the MVC starter shown in the prompt. For these tasks you will add and use third-party middleware. Keep changes minimal and focused on third-party usage.

Install the libraries first:

```bash
npm i morgan express-rate-limit
```

- Do not modify controllers or schemas.
- Keep your changes small. Only touch the file the exercise asks for.
- Use Postman for checks. Steps are included.
Exercise 1

Goal: use a third-party middleware to log requests concisely for anything under /api, while leaving the base route clean.

- Register `morgan` with the `dev` format.
- Scope it so it runs only for routes under `/api`.
- Do not remove your existing custom logger. This will let you compare outputs.

Where to edit:

- Edit `server.js`.
- Place the `morgan` registration after `app.use(cors())` and before `app.use("/api/students", student)`.

```js
// 3rd-party middleware: morgan request logger for API routes
const morgan = require("morgan");

// Log only for /api paths to avoid double noise on the base route
app.use("/api", morgan("dev"));
```

Checks

Base route not logged by morgan

- GET `http://localhost:5000/` in Postman.
- Expect a normal 200 response. In the server console you should see your custom app-level log, but not a morgan line for this request.

API route logged by morgan

- GET `http://localhost:5000/api/students`.
- Expect a morgan line like `GET /api/students 200 - X ms` in the console, in addition to any custom logging you already have.
Exercise 2

Goal: apply a third-party middleware to protect your endpoints. Use one limiter for reads and a stricter one for writes.

- Create a read limiter for `GET` requests under `/api/students` that allows 10 requests per minute per IP.
- Create a write limiter for the `POST /api/students` route that allows 3 requests per minute per IP.
- When a client exceeds the limit, respond with JSON `{ msg: "Too many requests, please try again later" }` and status `429`.
- Edit `routes/student_route.js` so the limiters attach at the route level. This keeps the exercise focused on third-party usage without touching controllers.

```js
const rateLimit = require("express-rate-limit");

// 3rd-party middleware: read limiter for GETs
const readLimiter = rateLimit({
  // TODO 1: set a 1 minute window (in ms)
  // TODO 2: set the request limit to 10
  // TODO 3: provide a custom handler that sends res.status(429).json({ msg: "Too many requests, please try again later" })
});

// 3rd-party middleware: write limiter for POST
const writeLimiter = rateLimit({
  // TODO 1: set a 1 minute window (in ms)
  // TODO 2: set the request limit to 3
  // TODO 3: provide the same custom JSON handler as above
});

// Attach the read limiter to both GET endpoints
// api.get("/", readLimiter, getAllStudents);
// api.get("/:id", readLimiter, getOneStudent);

// Attach the write limiter to POST
// api.post("/", writeLimiter, createStudent);
```

Hints

- Check out the official documentation for this package.
- `windowMs` expects milliseconds.
- You can copy the same `handler` function for both limiters.
- Keep the existing `api.use(...)` logger in this file. You are attaching limiters directly on specific routes.
Checks

Read limiter

- Send 10 quick GET requests to `http://localhost:5000/api/students`.
- The first 10 should succeed. An 11th request within one minute should return `429` with the JSON message.

Write limiter

- Send 3 quick POST requests to `http://localhost:5000/api/students` with a valid JSON body and `Content-Type: application/json`.
- A 4th POST within one minute should return `429` and the JSON message. Your controller should not run.
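To see what the two limiters do once the TODOs are filled in, here is an added example that is neither the exercise's code nor express-rate-limit itself: a hand-written fixed-window limiter using the same option names the exercise talks about (`windowMs`, `limit`, `handler`), driven with constructed requests so the "11th GET" and "4th POST" checks above can be reproduced without a server. `fixedWindowLimiter`, `tooManyRequests`, `fakeRes`, `simulate`, `demo` and the sample IPs are all invented for this example; the real library adds more (headers, stores, skip options) but the counting logic is the same idea.

```javascript
// Express-style middleware allowing `limit` requests per client key in each
// fixed window of `windowMs`; beyond that it calls `handler` instead of next().
// `now` is injectable so the window reset can be shown without waiting a minute.
function fixedWindowLimiter({ windowMs, limit, handler, keyGenerator = (req) => req.ip, now = Date.now }) {
  const hits = new Map(); // key -> { count, resetAt }: per-process memory store
  return function limiter(req, res, next) {
    const key = keyGenerator(req);
    const t = now();
    let entry = hits.get(key);
    if (!entry || t >= entry.resetAt) {
      entry = { count: 0, resetAt: t + windowMs }; // new window for this client
      hits.set(key, entry);
    }
    entry.count += 1;
    res.setHeader("RateLimit-Limit", String(limit));
    res.setHeader("RateLimit-Remaining", String(Math.max(0, limit - entry.count)));
    if (entry.count > limit) {
      res.setHeader("Retry-After", String(Math.ceil((entry.resetAt - t) / 1000)));
      return handler(req, res, next); // the controller is never reached
    }
    next();
  };
}

// The JSON handler the exercise asks for; one function shared by both limiters.
function tooManyRequests(req, res) {
  res.status(429).json({ msg: "Too many requests, please try again later" });
}

// Minimal fake response object recording status, headers and JSON body.
function fakeRes() {
  const res = { statusCode: 200, headers: {}, body: undefined };
  res.setHeader = (name, value) => { res.headers[name.toLowerCase()] = value; };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

// Send `count` requests from one IP through `limiter` and a stub controller.
// Returns how many reached the controller and what the last response looked like.
function simulate(limiter, count, ip, method) {
  let controllerRuns = 0;
  let last;
  for (let i = 0; i < count; i++) {
    const req = { ip, method, path: "/api/students" }; // constructed request
    last = fakeRes();
    limiter(req, last, () => { controllerRuns += 1; }); // next() means the controller ran
  }
  return { controllerRuns, status: last.statusCode, body: last.body, retryAfter: last.headers["retry-after"] };
}

// Read limiter 10/min, write limiter 3/min, as in the exercise.
function demo() {
  let clock = 0;
  const now = () => clock;
  const readLimiter = fixedWindowLimiter({ windowMs: 60 * 1000, limit: 10, handler: tooManyRequests, now });
  const writeLimiter = fixedWindowLimiter({ windowMs: 60 * 1000, limit: 3, handler: tooManyRequests, now });

  const reads = simulate(readLimiter, 11, "203.0.113.7", "GET");     // 11th GET -> 429
  const writes = simulate(writeLimiter, 4, "203.0.113.7", "POST");   // 4th POST -> 429
  clock += 60 * 1000;                                                 // one minute later
  const afterReset = simulate(readLimiter, 1, "203.0.113.7", "GET");  // window reset -> 200
  const otherClient = simulate(readLimiter, 1, "198.51.100.9", "GET"); // separate IP, own counter
  return { reads, writes, afterReset, otherClient };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two things worth noticing when you move from this toy to the real library. The counters live in the memory of one process, so with several server instances each one counts separately unless a shared store is configured. And the key is `req.ip`, which behind a reverse proxy is the proxy's address until Express is told to trust it with `app.set("trust proxy", ...)`; if every client appears to share one counter during your Postman checks, that is the first thing to look at.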
Summary

- Exercise 1 adds `morgan` and logs only under `/api`.
- Exercise 2 adds `express-rate-limit` and applies different limits to GET and POST routes.
- Controllers and schemas remain unchanged. Only `server.js` and `routes/student_route.js` were touched where the exercise specified.