
API Validation & Sanitization

Validation is the process of ensuring that the data sent to your API meets your requirements before you act on it. Sanitization is the process of cleaning that data so that it cannot be misused downstream, for example to prevent injection attacks such as cross-site scripting (XSS) or SQL injection.

1. Why Validate?

Without validation, your application is vulnerable to:

  • Database Corruption: Saving null, undefined, or the literal string "undefined" into fields that should never be empty.
  • Crashes: Your code trying to perform math on a string, or calling a method on a value of the wrong type.
  • Security Flaws: An attacker placing script or query fragments in a username field and having them stored, rendered, or executed later.

2. Validation vs. Sanitization

Process      | Goal                               | Example
Validation   | Check whether the data is correct. | Is this a valid email address?
Sanitization | Clean the data.                    | Remove <script> tags from a comment.

3. Using Joi for Node.js Validation

At the Hub, we recommend Joi. It allows you to create a "Schema" (a blueprint) for your data.

Installation

npm install joi

Creating a Schema

Example Joi Schema for User Registration
const Joi = require('joi');

const signupSchema = Joi.object({
  username: Joi.string().alphanum().min(3).max(30).required(),
  email: Joi.string().email().required(),
  // The password must be required and have a real minimum length. Avoid the
  // common ^[a-zA-Z0-9]{3,30}$ pattern: it allows 3-character passwords and
  // forbids symbols, which weakens passwords instead of protecting them.
  password: Joi.string().min(8).max(128).required(),
});

Implementing in a Route

Example Express Route with Joi Validation
const express = require('express');
const app = express();
app.use(express.json());

// signupSchema is the Joi schema defined above
app.post('/api/register', (req, res) => {
  // abortEarly: false reports every failing field instead of only the first one
  const { error, value } = signupSchema.validate(req.body, { abortEarly: false });

  if (error) {
    return res.status(400).json({
      message: "Validation Error",
      details: error.details.map((d) => d.message)
    });
  }

  // If no error, save `value` (the validated copy, not the raw req.body) to the database
  res.status(201).json({ message: "User validated and created!" });
});

app.listen(3000);

4. Common Validation Rules

As a "Master" developer, always check for these common constraints:

  1. Required Fields: Don't let a user sign up without an email.
  2. Data Types: Ensure age is a Number and isAdmin is a Boolean.
  3. String Lengths: Set a minimum for passwords (security) and a maximum for bios (database space).
  4. Enum Values: If a course can only be "Beginner", "Intermediate", or "Advanced", don't allow "Expert".

5. Sanitizing for Security

Even if a string is the right length, it might be dangerous.

  • Trim Whitespace: Use .trim() to remove accidental spaces at the end of an email.
  • Escape HTML: Prevent XSS (Cross-Site Scripting) by turning < into &lt;.
Example of Sanitization with Joi
// Joi ships trim() and lowercase(), but it has no built-in escapeHTML() rule. With
// built-ins only, use replace(); '&' goes first so the entities are not re-escaped.
// (Replacements are applied only when the convert option is on, which is the default.)
const commentSchema = Joi.string().max(500)
  .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
const schema = Joi.string().trim().lowercase();

Practice: The Validation Challenge

Imagine you are building the Course Creation API for CodeHarborHub.

  1. Create a Joi schema for a course that requires:
  • title: String, between 10 and 100 characters.
  • price: Number, minimum value of 0.
  • tags: An array of strings.
  2. Test your schema with an invalid object (e.g., a title that is only 3 characters long).

Middleware

Don't repeat your validation logic in every controller! Create a Validation Middleware that you can drop into any route to automatically check the req.body before your logic even runs.