Skip to content

✅ Easy property validation for JavaScript, Node and Express.

Notifications You must be signed in to change notification settings

nettofarah/property-validator

Repository files navigation

property-validator

Build Status

✅ Easy property validation for JavaScript, Node and Express

Built on top of validator.js, property-validator makes validating request parameters easy and fun. No chaining, no prototype violations, no magic. Just some simple, stateless, javascript functions.

All you have to do is import some base validation functions and declare the validation rules for your request.

Table of contents

Installation

npm install --save property-validator

Usage

property-validator provides a suite of validate and assert functions to make request validation simple and easy to write.

assert functions halt the programs's execution if one of the validation rules breaks.

import { assert, presence, email } from 'property-validator';

let user = {
  username: 'nettofarah',
  email_address: 'invalid@email'
}

assert(user, [
  presence('username'),
  email('email_address')
]);

// will throw a ValidationError

// /Users/netto/projects/property-validator/lib/request_assertions.js:8
//    throw new ValidationError(validation);

validate functions on the other hand, will return an object containing the result of all validations.

import { validate, presence, email } from 'property-validator';

let user = {
  username: 'nettofarah',
  email_address: 'invalid@email'
}

validate(user, [
  presence('username'),
  email('email_address')
]);

// returns
{
  valid: false,
  errors :[
    {
      field: "email_address",
      message: "\"email_address\" should look like an email address"
    }
  ],
  messages: [
    "\"email_address\" should look like an email address"
  ]
}

property-validator really shines when you combine it with web servers.

Usage in NodeJS

You can run validations and assertions against the request body, query, params and headers, or against all of them at once using assertAll or validateAll.

Using assertAll:

import express from 'express';
import { assertAll, presence, email, assertMiddleware } from 'property-validator';

const app = express();

app.get('/hello', function(req, res){
  assertAll(req, [
    presence('username'),
    email('email_address')
  ]);

  res.status(200).json({ name: req.query.username });
});

app.use(assertMiddleware);

Request Validation

property-validator offers out of the box support for request params, query string, body and header validations.

All you have to do is to import the correct function and annotate your request handler.

Request Parameters

You can run validations against incoming request params.

import { validateParams, presence } from 'property-validator';

app.get('/hello/:username', function(req, res){
  const validation = validateParams(req, [
    presence('username')
  ]);

  if (validation.valid) {
    res.status(200).json({ name: req.query.username });
  } else {
    res.status(422).json({ errors: validation.errors });
  }
});

or use the assertParams counterpart:

import { assertParams, presence } from 'property-validator';

app.get('/hello/:username', function(req, res){
  assertParams(req, [
    presence('username')
  ]);

  // No need to check the validation result
  res.status(200).json({ name: req.query.username });
});

Query String

import { validateQuery, email } from 'property-validator';

app.get('/hi', function(req, res){
  const validation = validateQuery(req, [
    email('primary_email_address')
  ]);

  if (validation.valid) {
    res.status(200).send('We promise not to send spam!');
  } else {
    res.status(422).json({ errors: validation.errors });
  }
});

or use the assertQuery counterpart:

import { assertQuery, email } from 'property-validator';

app.get('/hi', function(req, res){
  assertQuery(req, [
    email('primary_email_address')
  ]);

  // No need to check the validation result
  res.status(200).send('We promise not to send spam!');
});

Body

import { validateBody, presence, email } from 'property-validator';

app.post('/sign-up', function(req, res){
  const validation = validateBody(req, [
    email('user.email'),
    presence('user.password'),
    presence('user.password_confirmation')
  ]);

  if (validation.valid) {
    res.status(200).send('Welcome!');
  } else {
    res.status(422).send({ errors: validation.errors });
  }
});

or use the assertBody counterpart:

import { assertBody, presence, email } from 'property-validator';

app.post('/sign-up', function(req, res){
  assertBody(req, [
    email('user.email'),
    presence('user.password'),
    presence('user.password_confirmation')
  ]);

  // No need to check the validation result
  res.status(200).send('Welcome!');
});

Headers

import { validateHeaders, presence, format } from 'property-validator';

app.get('/secret-stuff', function(req, res){
  const validation = validateHeaders(req, [
    presence('Authorization'),
    format('Authorization', /Token token="\w+"/)
  ]);

  if (validation.valid) {
    res.status(200).send('Here is all your secret stuff!');
  } else {
    res.status(401).send('You shall not pass!');
  }
});

or use the assertHeaders counterpart:

import { assertHeaders, presence, format } from 'property-validator';

app.get('/secret-stuff', function(req, res){
  assertHeaders(req, [
    presence('Authorization'),
    format('Authorization', /Token token="\w+"/)
  ]);

  // No need to check the validation result
  res.status(200).send('Here is all your secret stuff!');
});

Everything

You can use validateAll or assertAll to run validation rules against all properties at once (body, params, query). Important: validateAll and assertAll will not run validations agains headers since they're pretty different use cases.

Assert Middleware

property-validator ships with a standard middleware that automatically handles assert errors. All you have to do is to import assertMiddleware and mount it after all request handlers in your express app.

import express from 'express';
import { assertAll, presence, email, assertMiddleware } from 'property-validator';

const app = express();

app.get('/hello', function(req, res){
  assertAll(req, [
    presence('username'),
    email('email_address')
  ]);

  res.status(200).json({ name: req.query.username });
});

app.post('/bla', ...);
...

app.get('/test', ...);

app.use(assertMiddleware);

You can also roll your own middleware in case you need any sort of customization.

import { ValidationError } from 'property-validator';

app.use(function(err, req, res, next) {
  // Do not swallow all kinds of errors
  const isValidationError = (err instanceof ValidationError);
  if (!isValidationError) {
    return next(err);
  }

  const messages = err.messages;
  res.status(422);

  res.json({
    notice: "Your request is invalid",
    errors: messages
  })
});

Advanced usage

property-validator is extensible. You can set optional property validation, customize your custom messages and write your own validation functions.

Optional Validation

optional is a special validation helper that can be used when fields are not strictly required, but need to be validated in case they are present.

You can pass in any other validation helper, and propery-validator will only run the helper function against the input params if the optional field is present.

Pagination is usually a good use case for optional params:

var validation = validate(params, [
  optional(isNumeric('limit')),
  optional(isNumeric('offset'))
]);

Custom Error Messages

Validation helpers allow custom messages to be set. You can set the validation message to any string you want.

All you need to do is to pass in a custom error message as the last param when calling any validation helper.

var validation = validate(params, [
  presence('name', 'Oops, you forgot to tell us your name'),
  isCurrency('rent_in_brl', { symbol: 'R$' }, 'Reais should be prefixed with R$'),
  isCurrency('rent', 'This does not look like money')
]);

It is also possible to use some of the parameters of your validator in the error message.

var validation = validate(params, [
  presence('name', 'Oops, you forgot to tell us your :paramName'),
  isLength('value', { min: 10, max: 99 }, 'The :paramName should be between :min and :max')
]);

//Oops, you forgot to tell us your name
//The value should be between 10 and 99

Custom localization

It is possible to override the default locals. The locals is a simple object with keys refering to a validation function and there value the message.

import { assert, presence, isLength, email, setLocals } from 'property-validator';
setLocals({
  required: 'Oops, you forgot to tell us your :paramName'
});

var validation = validate(params, [
  presence('name'),
  isLength('value', { min: 10, max: 99 }, 'The :paramName should be between :min and :max'),
  email('email')
]);

//Oops, you forgot to tell us your name
//The value should be between 10 and 99
//"email" should look like an email address

As you can see all kind of combinations are possible. You can override the default locals and still set a custom message. And if you neither supply a translation through the setLocals nor set a custom message, it will fall back to the default locals.

If you would like to restore the locals to the default locals simply call restoreDefaultLocals like so:

import { restoreDefaultLocals } from 'property-validator';

restoreDefaultLocals();

Custom Validation Functions

Writing your own validation functions is easy.

// Your function will receive a property name as its argument
function isTheUltimateAnswer(propertyName) {
  // and then return a function that takes the
  // actual object you want to validate
  return function(subject) {
    var value = subject[propertyName]
    var isAnswer = value === 42

    // Make sure your function returns `result`, `message`
    // and `field`
    return {
      result: isAnswer,
      message: value + " is not the Answer to the Ultimate Question of Life, The Universe, and Everything",
      field: propertyName
    }
  }
}

You can now use your custom function as you would with any other validation helper:

var subject = {
  'guess': 43
}

var validation = validate(subject, [
  isTheUltimateAnswer('guess')
]);

Validation Helpers

Validation helpers are functions you can use to validate incoming request properties.

property-validator relies on the super battle tested validator.js library.

Supported Helpers

Here's a list of currently supported helpers:

Helper Description
presence(paramName) check if the current param is present.
optional(validationHelper(paramName, ...)) takes in another validation helper and only runs the validation if the optional field is present.
oneOf(paramName, optionList) checks if the input param is one of the values within a list of valid options.
contains(paramName, seed) check if the string contains the seed.
equals(paramName, comparison) check if the string matches the comparison.
isAlpha(paramName) check if the string contains only letters (a-zA-Z).
isAlphanumeric(paramName) check if the string contains only letters and numbers.
isArray(paramName) check if the current param is an array.
isCreditCard(paramName) check if the string is a credit card.
isCurrency(paramName, options) check if the string is a valid currency amount. options is an object which defaults to {symbol: '$', require_symbol: false, allow_space_after_symbol: false, symbol_after_digits: false, allow_negatives: true, parens_for_negatives: false, negative_sign_before_digits: false, negative_sign_after_digits: false, allow_negative_sign_placeholder: false, thousands_separator: ',', decimal_separator: '.', allow_space_after_digits: false }.
isDate(paramName) check if the string is a date.
isDecimal(paramName) check if the string represents a decimal number, such as 0.1, .3, 1.1, 1.00003, 4.0, etc.
isEmail(paramName [, options]) check if the string is an email. options is an object which defaults to { allow_display_name: false, allow_utf8_local_part: true, require_tld: true }. If allow_display_name is set to true, the validator will also match Display Name <email-address>. If allow_utf8_local_part is set to false, the validator will not allow any non-English UTF8 character in email address' local part. If require_tld is set to false, e-mail addresses without having TLD in their domain will also be matched.
isIn(paramName, values) check if the string is in a array of allowed values.
isInt(paramName [, options]) check if the string is an integer. options is an object which can contain the keys min and/or max to check the integer is within boundaries (e.g. { min: 10, max: 99 }).
isJSON(paramName) check if the string is valid JSON (note: uses JSON.parse).
isNull(paramName) check if the string is null.
isNumeric(paramName) check if the string contains only numbers.
isURL(paramName [, options]) check if the string is an URL. options is an object which defaults to { protocols: ['http','https','ftp'], require_tld: true, require_protocol: false, require_valid_protocol: true, allow_underscores: false, host_whitelist: false, host_blacklist: false, allow_trailing_dot: false, allow_protocol_relative_urls: false }.
isUUID(paramName [, version]) check if the string is a UUID (version 3, 4 or 5).
matches(paramName, pattern [, modifiers]) check if string matches the pattern. Either matches('foo', /foo/i) or matches('foo', 'foo', 'i').
isPlainObject(paramName) check if the current param is a plain object.
isLength(paramName, options) check if the string's length falls in a range. Note: this function takes into account surrogate pairs. options is an object which can contain the keys min and/or max to check the integer is within boundaries (e.g. { min: 10, max: 99 }).

Not currently supported

These are a few other helpers avaliable in validator.js that could be used in property-validator. Feel free to submit a PR if you need any of these functions.

Helper Description
isAfter(paramName [, date]) check if the string is a date that's after the specified date (defaults to now).
isAscii(paramName) check if the string contains ASCII chars only.
isBase64(paramName) check if a string is base64 encoded.
isBefore(paramName [, date]) check if the string is a date that's before the specified date.
isBoolean(paramName) check if a string is a boolean.
isByteLength(paramName, min [, max]) check if the string's length (in bytes) falls in a range.
isDivisibleBy(paramName, number) check if the string is a number that's divisible by another.
isFQDN(paramName [, options]) check if the string is a fully qualified domain name (e.g. domain.com). options is an object which defaults to { require_tld: true, allow_underscores: false, allow_trailing_dot: false }.
isFloat(paramName [, options]) check if the string is a float. options is an object which can contain the keys min and/or max to validate the float is within boundaries (e.g. { min: 7.22, max: 9.55 }).
isFullWidth(paramName) check if the string contains any full-width chars.
isHalfWidth(paramName) check if the string contains any half-width chars.
isHexColor(paramName) check if the string is a hexadecimal color.
isHexadecimal(paramName) check if the string is a hexadecimal number.
isIP(paramName [, version]) check if the string is an IP (version 4 or 6).
isISBN(paramName [, version]) check if the string is an ISBN (version 10 or 13).
isISIN(paramName) check if the string is an [ISIN][ISIN] (stock/security identifier).
isISO8601(paramName) check if the string is a valid ISO 8601 date.
isLowercase(paramName) check if the string is lowercase.
isMACAddress(paramName) check if the string is a MAC address.
isMobilePhone(paramName, locale) check if the string is a mobile phone number, (locale is one of ['zh-CN', 'zh-TW', 'en-ZA', 'en-AU', 'en-HK', 'pt-PT', 'fr-FR', 'el-GR', 'en-GB', 'en-US', 'en-ZM', 'ru-RU', 'nb-NO', 'nn-NO', 'vi-VN', 'en-NZ', 'en-IN']).
isMongoId(paramName) check if the string is a valid hex-encoded representation of a [MongoDB ObjectId][mongoid].
isMultibyte(paramName) check if the string contains one or more multibyte chars.
isSurrogatePair(paramName) check if the string contains any surrogate pairs chars.
isUppercase(paramName) check if the string is uppercase.
isVariableWidth(paramName) check if the string contains a mixture of full and half-width chars.
isWhitelisted(paramName, chars) checks characters if they appear in the whitelist.

Usage with TypeScript

There is no need to install additional type definitions for property-validator since it ships with TypeScript definition files.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/nettofarah/property-validator. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Code of Conduct.

To run the specs check out the repo and follow these steps:

$ npm install
$ npm run test

License

The module is available as open source under the terms of the MIT License.