Validation & Sanitization
Validation checks if an input meets a set of criteria (such as the value of a property is a string).
Sanitization modifies the input to ensure that it is valid (such as coercing a type).
Foal offers several utils and hooks to handle both validation and sanitization. They are particularly useful for checking and transforming parts of HTTP requests (such as the body).
With a JSON Schema (AJV)

Ajv, the JSON Schema Validator

The default validation and sanitization system of FoalTS is based on Ajv, a fast JSON Schema validator. You will find more details on how to define a schema on its website.
Options

Here is the list of Ajv options that can be overridden with the FoalTS configuration system.
Ajv option | Configuration key | FoalTS default |
---|---|---|
coerceTypes | settings.ajv.coerceType | true |
removeAdditional | settings.ajv.removeAdditional | true |
useDefaults | settings.ajv.useDefaults | true |
nullable | settings.ajv.nullable | / |
allErrors | settings.ajv.allErrors | / |
Example: config/default.json
The validate util

The validate util throws a ValidationError if the given data does not fit the schema.
Example
Validation & Sanitization of HTTP Requests

FoalTS provides many hooks to validate and sanitize HTTP requests. When validation fails, they return an HttpResponseBadRequest object whose body contains the validation errors.
Example
ValidateBody

It validates the request body (Context.request.body).
HTTP request
Controller (first example)
Controller (second example)
HTTP response (400 - BAD REQUEST)
ValidateHeader & ValidateHeaders

It validates the request headers (Context.request.headers).
HTTP request
Controller (first example)
Controller (second example)
Controller (third example)
HTTP response (400 - BAD REQUEST)
ValidateCookie & ValidateCookies

It validates the request cookies (Context.request.cookies).
HTTP request
Controller (first example)
Controller (second example)
Controller (third example)
HTTP response (400 - BAD REQUEST)
ValidatePathParam & ValidateParams

It validates the request path parameters (Context.request.params).
HTTP request
Controller (first example)
Controller (second example)
Controller (third example)
HTTP response (400 - BAD REQUEST)
ValidateQueryParam & ValidateQuery

It validates the request query (Context.request.query).
HTTP request
Controller (first example)
Controller (second example)
Controller (third example)
HTTP response (400 - BAD REQUEST)
Sanitization Example

Assuming that you did not change Foal's default configuration of Ajv (see above), you will get these results:
Request | Response |
---|---|
GET /no-sanitization?name=Alex&apiKey=34&city=Paris | { name: 'Alex', apiKey: '34', city: 'Paris' } |
GET /sanitization?name=Alex&apiKey=34&city=Paris | { name: 'Alex', apiKey: 34 } |
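To make the table concrete, here is an added example (not FoalTS or Ajv code) that models what the three Foal-default Ajv options do to the parsed query of the /sanitization request above. It assumes that route validates its query with a schema declaring name as a string and apiKey as a number with additionalProperties: false, and it also covers two cases the table does not show: an apiKey that cannot be coerced (a 400 in Foal), and a schema that does not forbid additional properties, where removeAdditional: true leaves them in place, as Ajv does.

```typescript
// Added example, not FoalTS or Ajv code: a simplified model of the effect of Ajv's
// coerceTypes, removeAdditional and useDefaults options on a parsed query string.
type PropType = 'string' | 'number' | 'boolean';
type Schema = {
  properties: Record<string, { type: PropType; default?: unknown }>;
  additionalProperties?: boolean;
};
type Options = { coerceTypes: boolean; removeAdditional: boolean; useDefaults: boolean };

// Foal's defaults for the three options modelled here (see the options table above).
const FOAL_DEFAULTS: Options = { coerceTypes: true, removeAdditional: true, useDefaults: true };

// Query-string values always arrive as strings; coerce one to the declared type.
// Returns undefined when coercion is impossible, which then fails validation.
function coerce(value: unknown, type: PropType): unknown {
  if (typeof value === type) return value;
  if (typeof value !== 'string') return undefined;
  if (type === 'number') {
    const n = Number(value);
    return value.trim() !== '' && !Number.isNaN(n) ? n : undefined;
  }
  if (type === 'boolean') return value === 'true' ? true : value === 'false' ? false : undefined;
  return value;
}

function sanitize(input: Record<string, unknown>, schema: Schema, opts: Options = FOAL_DEFAULTS) {
  const data: Record<string, unknown> = { ...input }; // work on a copy; Ajv mutates in place
  const errors: string[] = [];
  for (const [key, prop] of Object.entries(schema.properties)) {
    if (!(key in data)) {
      if (opts.useDefaults && prop.default !== undefined) data[key] = prop.default;
      continue;
    }
    const v = opts.coerceTypes ? coerce(data[key], prop.type) : data[key];
    if (typeof v !== prop.type) { errors.push(`${key} should be ${prop.type}`); continue; }
    data[key] = v;
  }
  // As with Ajv's removeAdditional: true, unknown keys are only stripped when the schema
  // declares additionalProperties: false; without that declaration they pass through.
  for (const key of Object.keys(data)) {
    if (key in schema.properties || schema.additionalProperties !== false) continue;
    if (opts.removeAdditional) delete data[key]; else errors.push(`${key} is not allowed`);
  }
  return { valid: errors.length === 0, data, errors };
}

// Constructed input: the parsed query of GET /sanitization?name=Alex&apiKey=34&city=Paris.
const QUERY = { name: 'Alex', apiKey: '34', city: 'Paris' };
const STRICT: Schema = {
  properties: { name: { type: 'string' }, apiKey: { type: 'number' } },
  additionalProperties: false,
};
```

Note that a schema without additionalProperties: false silently keeps unexpected keys even with removeAdditional enabled, so declare it on every schema whose output you pass on to a database or another service.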
With a Validation Class (class-validator)

The class-validator library can also be used in Foal to validate an object against a validation class.
Example
Usage with a Hook

If you want to use it within a hook to validate request bodies, you can install the package @foal/typestack for this. It provides a @ValidateBody hook that validates the body against a given validator. The body is also deserialized and turned into an instance of the class.
social-post.validator.ts
social-post.controller.ts (first example)
social-post.controller.ts (second example)
HTTP request (example)
HTTP response (example)
The hook also takes an optional parameter to specify the options of the class-transformer and class-validator libraries.
Usage with TypeORM entities

The validation decorators are compatible with TypeORM entities, so you can use one single class to define both your model and your validation rules.