Is Your Web App Secure? Discover the Secret Sauce for Validating Inputs in Express.js

Effortless User Input Validation: Express-Validator to the Rescue

Aug 18, 2024

Is Your Web App Secure? Discover the Secret Sauce for Validating Inputs in Express.js

Building a web application is like trying to herd cats—there are a lot of moving parts, and things can get chaotic pretty fast. One thing you definitely don’t want to skimp on is user input validation. Ensuring that the inputs you receive are clean, valid, and safe is crucial for keeping your app secure and functional.

Express.js is a go-to framework for Node.js lovers, making server-side logic smooth and efficient. But when it comes to validating user input, Express.js can use a little help. That’s where express-validator comes in, offering a sleek and efficient way to handle validation without the messy code.

When you’re juggling multiple tasks in your web app, the last thing you need is to be bogged down writing custom validation logic for every single input. Believe me, those if-statements pile up quicker than dirty dishes after a big meal. express-validator swoops in like a superhero, giving you a declarative, clean way to specify exactly what kind of data you expect.

Getting express-validator up and running is a breeze, especially if you’ve already got an Express.js application in place. First off, you install it with your app. Here’s a snippet to give you a quick start:

const express = require('express');
const bodyParser = require('body-parser');
const { check, validationResult } = require('express-validator');

const app = express();
app.use(bodyParser.json());

Easy, right? Once it’s set up, you can integrate validation rules directly into your route handlers. This way, your code stays tidy, and you can visibly see the validation logic in context.

Imagine you have a user registration route where you want to verify the email and password fields. Here’s how you could do it:

app.post('/api/create-user', [
  check('email').isEmail(),
  check('password').isLength({ min: 6 }),
], async (req, res, next) => {
  const errors = validationResult(req);
  if (!errors.isEmpty()) {
    return res.status(400).json({ errors: errors.array() });
  }

  const user = await User.create({ ...req.body });
  res.json(user);
});

In this example, check('email').isEmail() makes sure the email field contains a valid email address. As for check('password').isLength({ min: 6 }), it ensures the password is at least six characters long. Any validation errors? They get snagged by validationResult(req) and sent back with a 400 status code.

But wait, there’s more! Custom error messages really shine when you want to give clear, specific feedback to users on what went wrong. Imagine getting “Invalid email” instead of just “Error.” Feels better, doesn’t it? Here’s how you can do it:

app.post('/api/create-user', [
  check('email').isEmail().withMessage('Please enter a valid email address'),
  check('password').isLength({ min: 6 }).withMessage('Password must be at least 6 characters long'),
], async (req, res, next) => {
  const errors = validationResult(req);
  if (!errors.isEmpty()) {
    return res.status(400).json({ errors: errors.array() });
  }

  const user = await User.create({ ...req.body });
  res.json(user);
});

Just like in real life, sometimes conditions change. Conditional validation is sometimes needed. Say, if someone wants to change their password, you’d naturally want to ensure they also provide a confirmation password.

app.post('/update-settings', [
  check('email').isEmail(),
  check('password').optional().isLength({ min: 6 }),
], async (req, res, next) => {
  if (req.body.password) {
    await check('passwordConfirmation')
      .equals(req.body.password)
      .withMessage('Passwords do not match')
      .run(req);
  }

  const errors = validationResult(req);
  if (!errors.isEmpty()) {
    return res.status(400).json({ errors: errors.array() });
  }

  const user = await User.updateSettings({ ...req.body });
  res.json(user);
});

Keeping your code DRY (Don’t Repeat Yourself) is always a good idea. Extracting common validation logic into separate middleware functions can save you a lot of time and headache. You can then easily reuse the same rules across different routes. Here’s an example:

const validateUser = [
  check('email').isEmail(),
  check('password').isLength({ min: 6 }),
];

app.post('/api/create-user', validateUser, async (req, res, next) => {
  const errors = validationResult(req);
  if (!errors.isEmpty()) {
    return res.status(400).json({ errors: errors.array() });
  }

  const user = await User.create({ ...req.body });
  res.json(user);
});

app.put('/api/update-user', validateUser, async (req, res, next) => {
  const errors = validationResult(req);
  if (!errors.isEmpty()) {
    return res.status(400).json({ errors: errors.array() });
  }

  const user = await User.update({ ...req.body });
  res.json(user);
});

Sometimes, you need more control over the validation process, maybe in more complex scenarios. express-validator doesn’t box you in; you can also run validations imperatively using the run method. Check this out:

const validate = validations => {
  return async (req, res, next) => {
    await Promise.all(validations.map(validation => validation.run(req)));
    const errors = validationResult(req);
    if (!errors.isEmpty()) {
      return res.status(400).json({ errors: errors.array() });
    }
    next();
  };
};

app.post('/api/create-user', validate([
  check('email').isEmail(),
  check('password').isLength({ min: 6 }),
]), async (req, res, next) => {
  const user = await User.create({ ...req.body });
  res.json(user);
});

Sanitizing inputs is just as important as validating them. After all, who wants unwieldy spaces or weird characters messing things up? express-validator can sanitize inputs effortlessly:

app.post('/api/create-user', [
  check('email').isEmail().normalizeEmail(),
  check('password').isLength({ min: 6 }).trim(),
], async (req, res, next) => {
  const errors = validationResult(req);
  if (!errors.isEmpty()) {
    return res.status(400).json({ errors: errors.array() });
  }

  const user = await User.create({ ...req.body });
  res.json(user);
});

Wrapping it all up, express-validator is a lifesaver for keeping your Express.js app’s input clean and secure. The declarative approach not only makes the code easier to read but also maintains it in the long run. Extract those common validation rules into middleware to make your life even simpler. With robust validations and sanitizations in place, not only does the app perform better, but users also get a smoother, error-free experience. It’s a win-win!

Share: Facebook Twitter Reddit