This tutorial requires prior knowledge of using the expressjs framework

Why do we need server-side validation?

  • Your client side validation is not enough and it may be subverted
  • More prone to Man in middle attacks, and the server should never trust the client-side
  • A user can turn off client-side JavaScript validation and manipulate the data

If you have been building web applications using an Express framework or any other Node.js framework, validation plays a crucial role in any web app which requires you to validate the request body param query.

Writing your own middleware function can be cumbersome if

  • you want to move fast while maintaining the quality of code or
  • you want to avoid using if (req.body.head) or if (req.params.isCool) in your main controller function where you define business logic

In this tutorial, you’ll learn how to validate input in an Express.js app using an open source and popular module called express-validator.

Introduction to express-validator

The definition on Github says:

express-validator is a set of express.js middlewares that wraps validator.js validator and sanitizer functions.

The module implements five important API’s:

  • Check API
  • Filter API
  • Sanitization chain API
  • Validation chain API
  • Validation Result API

Let's take a look at a basic user route without any validation module to create a user: /route/user.js

* @api {post} /api/user Create user
* @apiName Create new user
* @apiPermission admin
* @apiGroup User
* @apiParam  {String} [userName] username
* @apiParam  {String} [email] Email
* @apiParam  {String} [phone] Phone number
* @apiParam  {String} [status] Status
* @apiSuccess (200) {Object} mixed `User` object
*/'/', userController.createUser)

Now in user controller /controllers/user.js

const User = require('./models/user')

exports.createUser = (req, res, next) => {
  /** Here you need to validate user input. 
   Let's say only Name and email are required field
  const { userName, email, phone, status } = req.body
  if (userName && email &&  isValidEmail(email)) { 
    // isValidEmail is some custom email function to validate email which you might need write on your own or use npm module
    .then(user => res.json(user))

The above code is just a basic example of validating fields on your own.

You can handle some validations in your user model using Mongoose. For best practices, we want to make sure validation happens before business logic.

express-validator will take care of all these validations and the sanitization of inputs as well.


npm install --save express-validator

Include module in your main server.js file:

const express = require('express')
const bodyParser = require('body-parser')
const expressValidator = require('express-validator')
const app = express()
const router = express.Router()



app.use('/api', router)

Now using express-validator, your /routes/user.js will be like this:

Here userController.validate is a middleware function which is explained below. It accepts the method name for which the validation will be used.

Let’s create a middleware function validate()in our/controllers/user.js:

const { body } = require('express-validator/check')

exports.validate = (method) => {
  switch (method) {
    case 'createUser': {
     return [ 
        body('userName', 'userName doesn't exists').exists(),
        body('email', 'Invalid email').exists().isEmail(),
        body('status').optional().isIn(['enabled', 'disabled'])

Please refer to this article to know more about function definition and its use.

The body function will only validate req.body and takes two arguments. First is the property name. Second is your custom message that will be shown if validation fails. If you don’t provide a custom message, then the default message will be used.

As you can see, for a required field we are using the .exists() method. We are using .optional()for an optional field. Similarly isEmail() isInt() is used to validate email and integer.

If you want an input field to include only certain values, then you can use .isIn([]). This takes an array of values, and if you receive values other than the above, then an error will be thrown.

For example, the status field in the above code snippet can only have an enabled or disabled value. If you provide any value other than that, an error will be thrown.

In /controllers/user.js let’s write acreateUser function where you can write business logic. It will be called after validate() with the result of the validations.

const { validationResult } = require('express-validator/check');

exports.createUser = async (req, res, next) => {
   try {
      const errors = validationResult(req); // Finds the validation errors in this request and wraps them in an object with handy functions

      if (!errors.isEmpty()) {
        res.status(422).json({ errors: errors.array() });

      const { userName, email, phone, status } = req.body
      const user = await User.create({





   } catch(err) {
     return next(err)

If you are wondering what is validationResult(req)?

This function finds the validation errors in this request and wraps them in an object with handy functions

Now whenever request includes invalid body params or userName field is missing in req.body, your server will respond like this:

  "errors": [{
    "location": "body",
    "msg": "userName is required",
    "param": "userName"

So if userName or email failed to satisfy the validation then each error returned by .array()method has the following format by default:

  "msg": "The error message",
  "param": "param name", 
  "value": "param value",   
  // Location of the param that generated this error.   
  // It's either body, query, params, cookies or headers.   
  "location": "body",    
  // nestedErrors only exist when using the oneOf function
  "nestedErrors": [{ ... }] 

As you can see, this module really helps us take care of most of the validations on its own. It maintains code quality as well, and focuses mainly on business logic.

This was the introduction to input validation using the express-validator module and check out how to validate an array of the item and make your own custom validation in Part 2 of this series.

I have tried my best and hope I covered enough to explain it in detail so that you can get started.

If you encounter any problems, feel free to get in touch or comment below.
I would be happy to help :)

Follow Shailesh Shekhawat to get notified whenever I publish a new post.

Don’t hesitate to clap if you considered this a worthwhile read!

Originally published at on September 2, 2018.