

id: custom-validators-sanitizers

title: Custom validators/sanitizers

Although express-validator offers plenty of handy validators and sanitizers through its underlying dependency validator.js, it doesn't always suffice when building your application.

For these cases, you may consider writing a custom validator or a custom sanitizer.

Custom validator

A custom validator may be implemented by using the chain method .custom(). It takes a validator function.

Custom validators may return Promises to indicate an async validation (which will be awaited), or throw any value/reject a promise to use a custom error message.

Note: if your custom validator returns a promise, it must reject to indicate that the field is invalid.

Example: checking if e-mail is in use

const { body } = require('express-validator');

app.post(
  '/user',
  body('email').custom(value => {
    return User.findUserByEmail(value).then(user => {
      if (user) {
        return Promise.reject('E-mail already in use');
      }
    });
  }),
  (req, res) => {
    // Handle the request
  },
);

import { body, CustomValidator } from 'express-validator';
// This allows you to reuse the validator
const isValidUser: CustomValidator = value => {
  return User.findUserByEmail(value).then(user => {
    if (user) {
      return Promise.reject('E-mail already in use');
    }
  });
};

app.post('/user', body('email').custom(isValidUser), (req, res) => {
  // Handle the request
});

Example: checking if password confirmation matches password

const { body } = require('express-validator');

app.post(
  '/user',
  body('passwordConfirmation').custom((value, { req }) => {
    if (value !== req.body.password) {
      throw new Error('Password confirmation does not match password');
    }

    // Indicates the success of this synchronous custom validator
    return true;
  }),
  (req, res) => {
    // Handle the request
  },
);
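As an added example (not part of the express-validator documentation), here are the two validators above written as reusable functions that also refuse non-string input before comparing or querying, since a JSON body can deliver an object or array for a field. The in-memory `User` store and the `outcome` helper are constructed stand-ins so the block runs without Express; it assumes the custom function receives the field value as parsed.

```javascript
// Constructed stand-in for the page's User model (assumption: async lookup).
const knownUsers = new Map([['alice@example.com', { id: 1 }]]);
const User = {
  findUserByEmail: async email => knownUsers.get(email) || null,
};

// Async validator: signals "invalid" by rejecting, never by resolving false.
const emailNotInUse = async value => {
  // A JSON body can carry an object or array here; refuse it before the lookup.
  if (typeof value !== 'string') {
    throw new Error('E-mail must be a string');
  }
  const user = await User.findUserByEmail(value);
  if (user) {
    throw new Error('E-mail already in use');
  }
};

// Sync validator: throws for a custom message, returns true on success.
const confirmationMatches = (value, { req }) => {
  if (typeof value !== 'string' || value !== req.body.password) {
    throw new Error('Password confirmation does not match password');
  }
  return true;
};

// Hypothetical helper for this example only (not the library's runner):
// resolves to the error message, or null if the validator accepted the value.
const outcome = async (validator, value, req = { body: {} }) => {
  try {
    await validator(value, { req });
    return null;
  } catch (err) {
    return err instanceof Error ? err.message : String(err);
  }
};

// Usage with the library, as on this page:
//   body('email').custom(emailNotInUse)
//   body('passwordConfirmation').custom(confirmationMatches)
```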

Custom sanitizers

Custom sanitizers can be implemented by using the method .customSanitizer(), whether on a validation chain or on a sanitization chain.
Just like with the validators, you specify the sanitizer function, which must be synchronous at the moment.

Example: converting to MongoDB's ObjectID

const { param } = require('express-validator');
const { ObjectId } = require('mongodb'); // assumes the official MongoDB driver

app.post(
  '/object/:id',
  param('id').customSanitizer(value => {
    return new ObjectId(value);
  }),
  (req, res) => {
    // Handle the request
  },
);

import { param, CustomSanitizer } from 'express-validator';
import { ObjectId } from 'mongodb'; // assumes the official MongoDB driver
// This allows you to reuse the sanitizer
const toObjectId: CustomSanitizer = value => {
  return new ObjectId(value);
};

app.post('/object/:id', param('id').customSanitizer(toObjectId), (req, res) => {
  // Handle the request
});