Custom validators/sanitizers

Although express-validator offers plenty of handy validators and sanitizers through its underlying dependency validator.js, it doesn't always suffice when building your application.

For these cases, you may consider writing a custom validator or a custom sanitizer.

Custom validator

A custom validator may be implemented by using the chain method .custom(). It takes a validator function.

Custom validators may return Promises to indicate an async validation (which will be awaited upon), or throw any value/reject a promise to use a custom error message.

info

If your custom validator returns a promise, it must reject to indicate that the field is invalid.

Example: checking if e-mail is in use

JavaScript

const { body } = require('express-validator');

app.post(
  '/user',
  body('email').custom(value => {
    return User.findUserByEmail(value).then(user => {
      if (user) {
        return Promise.reject('E-mail already in use');
      }
    });
  }),
  (req, res) => {
    // Handle the request
  },
);

TypeScript

import { body, CustomValidator } from 'express-validator';
// This allows you to reuse the validator
const isValidUser: CustomValidator = value => {
  return User.findUserByEmail(value).then(user => {
    if (user) {
      return Promise.reject('E-mail already in use');
    }
  });
};

app.post('/user', body('email').custom(isValidUser), (req, res) => {
  // Handle the request
});

Note: In the example above, validation might fail even due to issues with fetching User information. The implications of accessing the data layer during validation should be carefully considered.

Example: checking if password confirmation matches password

const { body } = require('express-validator');

app.post(
  '/user',
  body('password').isLength({ min: 5 }),
  body('passwordConfirmation').custom((value, { req }) => {
    if (value !== req.body.password) {
      throw new Error('Password confirmation does not match password');
    }

    // Indicates the success of this synchronous custom validator
    return true;
  }),
  (req, res) => {
    // Handle the request
  },
);

Custom sanitizers

Custom sanitizers can be implemented by using the method .customSanitizer(), no matter if the validation chain one or the sanitization chain one. Just like with the validators, you specify the sanitizer function, which must be synchronous at the moment.

Example: converting to MongoDB's ObjectID

JavaScript

const { param } = require('express-validator');

app.post(
  '/object/:id',
  param('id').customSanitizer(value => {
    return ObjectId(value);
  }),
  (req, res) => {
    // Handle the request
  },
);

TypeScript

import { value param } from 'express-validator';
// This allows you to reuse the validator
const toObjectId: CustomSanitizer = value => {
  return ObjectId(value);
};

app.post('/object/:id', param('id').customSanitizer(toObjectId), (req, res) => {
  // Handle the request
});