Validating input in Express using express-validator
Learn how to validate any data coming in as input in your Express endpoints
Say you have a POST endpoint that accepts the name, email and age parameters:
const express = require('express')
const app = express()
app.use(express.json())
app.post('/form', (req, res) => {
const name = req.body.name
const email = req.body.email
const age = req.body.age
})
How do you perform server-side validation on those results to make sure:
- name is a string of at least 3 characters?
- email is a real email?
- age is a number, between 0 and 110?
The best way to handle validation on any kind of input coming from outside in Express is by using the express-validator
package:
npm install express-validator
You require the check
and validationResult
objects from the package:
const { check, validationResult } = require('express-validator');
We pass an array of check()
calls as the second argument of the post()
call. Every check()
call accepts the parameter name as argument. Then we call validationResult()
to verify there were no validation errors. If there are any, we tell them to the client:
app.post('/form', [
check('name').isLength({ min: 3 }),
check('email').isEmail(),
check('age').isNumeric()
], (req, res) => {
const errors = validationResult(req)
if (!errors.isEmpty()) {
return res.status(422).json({ errors: errors.array() })
}
const name = req.body.name
const email = req.body.email
const age = req.body.age
})
Notice I used
isLength()
isEmail()
isNumeric()
There are many more of these methods, all coming from validator.js, including:
contains()
, check if value contains the specified valueequals()
, check if value equals the specified valueisAlpha()
isAlphanumeric()
isAscii()
isBase64()
isBoolean()
isCurrency()
isDecimal()
isEmpty()
isFQDN()
, is a fully qualified domain name?isFloat()
isHash()
isHexColor()
isIP()
isIn()
, check if the value is in an array of allowed valuesisInt()
isJSON()
isLatLong()
isLength()
isLowercase()
isMobilePhone()
isNumeric()
isPostalCode()
isURL()
isUppercase()
isWhitelisted()
, checks the input against a whitelist of allowed characters
You can validate the input against a regular expression using matches()
.
Dates can be checked using
isAfter()
, check if the entered date is after the one you passisBefore()
, check if the entered date is before the one you passisISO8601()
isRFC3339()
For exact details on how to use those validators, refer to https://github.com/chriso/validator.js#validators.
All those checks can be combined by piping them:
check('name')
.isAlpha()
.isLength({ min: 10 })
If there is any error, the server automatically sends a response to communicate the error. For example if the email is not valid, this is what will be returned:
{
"errors": [{
"location": "body",
"msg": "Invalid value",
"param": "email"
}]
}
This default error can be overridden for each check you perform, using withMessage()
:
check('name')
.isAlpha()
.withMessage('Must be only alphabetical chars')
.isLength({ min: 10 })
.withMessage('Must be at least 10 chars long')
What if you want to write your own special, custom validator? You can use the custom
validator.
In the callback function you can reject the validation either by throwing an exception, or by returning a rejected promise:
app.post('/form', [
check('name').isLength({ min: 3 }),
check('email').custom(email => {
if (alreadyHaveEmail(email)) {
throw new Error('Email already registered')
}
}),
check('age').isNumeric()
], (req, res) => {
const name = req.body.name
const email = req.body.email
const age = req.body.age
})
The custom validator:
check('email').custom(email => {
if (alreadyHaveEmail(email)) {
throw new Error('Email already registered')
}
})
can be rewritten as
check('email').custom(email => {
if (alreadyHaveEmail(email)) {
return Promise.reject('Email already registered')
}
})
→ I wrote 17 books to help you become a better developer, download them all at $0 cost by joining my newsletter
→ JOIN MY CODING BOOTCAMP, an amazing cohort course that will be a huge step up in your coding career - covering React, Next.js - next edition February 2025