jbvc/backend-dev-guidelines
Opinionated backend development standards for Node.js + Express + TypeScript microservices. Covers layered architecture, BaseController pattern, dependency injection, Prisma repositories, Zod validation, unifiedConfig, Sentry error tracking, async safety, and testing discipline.
71
Quality
71%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Securityby
Passed
No known issues
validation-patterns.mdresources/
Validation Patterns - Input Validation with Zod
Complete guide to input validation using Zod schemas for type-safe validation.
Table of Contents
- Why Zod?
- Basic Zod Patterns
- Schema Examples from Codebase
- Route-Level Validation
- Controller Validation
- DTO Pattern
- Error Handling
- Advanced Patterns
Why Zod?
Benefits Over Joi/Other Libraries
Type Safety:
- ✅ Full TypeScript inference
- ✅ Runtime + compile-time validation
- ✅ Automatic type generation
Developer Experience:
- ✅ Intuitive API
- ✅ Composable schemas
- ✅ Excellent error messages
Performance:
- ✅ Fast validation
- ✅ Small bundle size
- ✅ Tree-shakeable
Migration from Joi
Modern validation uses Zod instead of Joi:
// ❌ OLD - Joi (being phased out)
const schema = Joi.object({
email: Joi.string().email().required(),
name: Joi.string().min(3).required(),
});
// ✅ NEW - Zod (preferred)
const schema = z.object({
email: z.string().email(),
name: z.string().min(3),
});Basic Zod Patterns
Primitive Types
import { z } from 'zod';
// Strings
const nameSchema = z.string();
const emailSchema = z.string().email();
const urlSchema = z.string().url();
const uuidSchema = z.string().uuid();
const minLengthSchema = z.string().min(3);
const maxLengthSchema = z.string().max(100);
// Numbers
const ageSchema = z.number().int().positive();
const priceSchema = z.number().positive();
const rangeSchema = z.number().min(0).max(100);
// Booleans
const activeSchema = z.boolean();
// Dates
const dateSchema = z.string().datetime(); // ISO 8601 string
const nativeDateSchema = z.date(); // Native Date object
// Enums
const roleSchema = z.enum(['admin', 'operations', 'user']);
const statusSchema = z.enum(['PENDING', 'APPROVED', 'REJECTED']);Objects
// Simple object
const userSchema = z.object({
email: z.string().email(),
name: z.string(),
age: z.number().int().positive(),
});
// Nested objects
const addressSchema = z.object({
street: z.string(),
city: z.string(),
zipCode: z.string().regex(/^\d{5}$/),
});
const userWithAddressSchema = z.object({
name: z.string(),
address: addressSchema,
});
// Optional fields
const userSchema = z.object({
name: z.string(),
email: z.string().email().optional(),
phone: z.string().optional(),
});
// Nullable fields
const userSchema = z.object({
name: z.string(),
middleName: z.string().nullable(),
});Arrays
// Array of primitives
const rolesSchema = z.array(z.string());
const numbersSchema = z.array(z.number());
// Array of objects
const usersSchema = z.array(
z.object({
id: z.string(),
name: z.string(),
})
);
// Array with constraints
const tagsSchema = z.array(z.string()).min(1).max(10);
const nonEmptyArray = z.array(z.string()).nonempty();Schema Examples from Codebase
Form Validation Schemas
File: /form/src/helpers/zodSchemas.ts
import { z } from 'zod';
// Question types enum
export const questionTypeSchema = z.enum([
'input',
'textbox',
'editor',
'dropdown',
'autocomplete',
'checkbox',
'radio',
'upload',
]);
// Upload types
export const uploadTypeSchema = z.array(
z.enum(['pdf', 'image', 'excel', 'video', 'powerpoint', 'word']).nullable()
);
// Input types
export const inputTypeSchema = z
.enum(['date', 'number', 'input', 'currency'])
.nullable();
// Question option
export const questionOptionSchema = z.object({
id: z.number().int().positive().optional(),
controlTag: z.string().max(150).nullable().optional(),
label: z.string().max(100).nullable().optional(),
order: z.number().int().min(0).default(0),
});
// Question schema
export const questionSchema = z.object({
id: z.number().int().positive().optional(),
formID: z.number().int().positive(),
sectionID: z.number().int().positive().optional(),
options: z.array(questionOptionSchema).optional(),
label: z.string().max(500),
description: z.string().max(5000).optional(),
type: questionTypeSchema,
uploadTypes: uploadTypeSchema.optional(),
inputType: inputTypeSchema.optional(),
tags: z.array(z.string().max(150)).optional(),
required: z.boolean(),
isStandard: z.boolean().optional(),
deprecatedKey: z.string().nullable().optional(),
maxLength: z.number().int().positive().nullable().optional(),
isOptionsSorted: z.boolean().optional(),
});
// Form section schema
export const formSectionSchema = z.object({
id: z.number().int().positive(),
formID: z.number().int().positive(),
questions: z.array(questionSchema).optional(),
label: z.string().max(500),
description: z.string().max(5000).optional(),
isStandard: z.boolean(),
});
// Create form schema
export const createFormSchema = z.object({
id: z.number().int().positive(),
label: z.string().max(150),
description: z.string().max(6000).nullable().optional(),
isPhase: z.boolean().optional(),
username: z.string(),
});
// Update order schema
export const updateOrderSchema = z.object({
source: z.object({
index: z.number().int().min(0),
sectionID: z.number().int().min(0),
}),
destination: z.object({
index: z.number().int().min(0),
sectionID: z.number().int().min(0),
}),
});
// Controller-specific validation schemas
export const createQuestionValidationSchema = z.object({
formID: z.number().int().positive(),
sectionID: z.number().int().positive(),
question: questionSchema,
index: z.number().int().min(0).nullable().optional(),
username: z.string(),
});
export const updateQuestionValidationSchema = z.object({
questionID: z.number().int().positive(),
username: z.string(),
question: questionSchema,
});Proxy Relationship Schema
// Proxy relationship validation
const createProxySchema = z.object({
originalUserID: z.string().min(1),
proxyUserID: z.string().min(1),
startsAt: z.string().datetime(),
expiresAt: z.string().datetime(),
});
// With custom validation
const createProxySchemaWithValidation = createProxySchema.refine(
(data) => new Date(data.expiresAt) > new Date(data.startsAt),
{
message: 'expiresAt must be after startsAt',
path: ['expiresAt'],
}
);Workflow Validation
// Workflow start schema
const startWorkflowSchema = z.object({
workflowCode: z.string().min(1),
entityType: z.enum(['Post', 'User', 'Comment']),
entityID: z.number().int().positive(),
dryRun: z.boolean().optional().default(false),
});
// Workflow step completion schema
const completeStepSchema = z.object({
stepInstanceID: z.number().int().positive(),
answers: z.record(z.string(), z.any()),
dryRun: z.boolean().optional().default(false),
});Route-Level Validation
Pattern 1: Inline Validation
// routes/proxyRoutes.ts
import { z } from 'zod';
const createProxySchema = z.object({
originalUserID: z.string().min(1),
proxyUserID: z.string().min(1),
startsAt: z.string().datetime(),
expiresAt: z.string().datetime(),
});
router.post(
'/',
SSOMiddlewareClient.verifyLoginStatus,
async (req, res) => {
try {
// Validate at route level
const validated = createProxySchema.parse(req.body);
// Delegate to service
const proxy = await proxyService.createProxyRelationship(validated);
res.status(201).json({ success: true, data: proxy });
} catch (error) {
if (error instanceof z.ZodError) {
return res.status(400).json({
success: false,
error: {
message: 'Validation failed',
details: error.errors,
},
});
}
handler.handleException(res, error);
}
}
);Pros:
- Quick and simple
- Good for simple routes
Cons:
- Validation logic in routes
- Harder to test
- Not reusable
Controller Validation
Pattern 2: Controller Validation (Recommended)
// validators/userSchemas.ts
import { z } from 'zod';
export const createUserSchema = z.object({
email: z.string().email(),
name: z.string().min(2).max(100),
roles: z.array(z.enum(['admin', 'operations', 'user'])),
isActive: z.boolean().default(true),
});
export const updateUserSchema = z.object({
email: z.string().email().optional(),
name: z.string().min(2).max(100).optional(),
roles: z.array(z.enum(['admin', 'operations', 'user'])).optional(),
isActive: z.boolean().optional(),
});
export type CreateUserDTO = z.infer<typeof createUserSchema>;
export type UpdateUserDTO = z.infer<typeof updateUserSchema>;// controllers/UserController.ts
import { Request, Response } from 'express';
import { BaseController } from './BaseController';
import { UserService } from '../services/userService';
import { createUserSchema, updateUserSchema } from '../validators/userSchemas';
import { z } from 'zod';
export class UserController extends BaseController {
private userService: UserService;
constructor() {
super();
this.userService = new UserService();
}
async createUser(req: Request, res: Response): Promise<void> {
try {
// Validate input
const validated = createUserSchema.parse(req.body);
// Call service
const user = await this.userService.createUser(validated);
this.handleSuccess(res, user, 'User created successfully', 201);
} catch (error) {
if (error instanceof z.ZodError) {
// Handle validation errors with 400 status
return this.handleError(error, res, 'createUser', 400);
}
this.handleError(error, res, 'createUser');
}
}
async updateUser(req: Request, res: Response): Promise<void> {
try {
// Validate params and body
const userId = req.params.id;
const validated = updateUserSchema.parse(req.body);
const user = await this.userService.updateUser(userId, validated);
this.handleSuccess(res, user, 'User updated successfully');
} catch (error) {
if (error instanceof z.ZodError) {
return this.handleError(error, res, 'updateUser', 400);
}
this.handleError(error, res, 'updateUser');
}
}
}Pros:
- Clean separation
- Reusable schemas
- Easy to test
- Type-safe DTOs
Cons:
- More files to manage
DTO Pattern
Type Inference from Schemas
import { z } from 'zod';
// Define schema
const createUserSchema = z.object({
email: z.string().email(),
name: z.string(),
age: z.number().int().positive(),
});
// Infer TypeScript type from schema
type CreateUserDTO = z.infer<typeof createUserSchema>;
// Equivalent to:
// type CreateUserDTO = {
// email: string;
// name: string;
// age: number;
// }
// Use in service
class UserService {
async createUser(data: CreateUserDTO): Promise<User> {
// data is fully typed!
console.log(data.email); // ✅ TypeScript knows this exists
console.log(data.invalid); // ❌ TypeScript error!
}
}Input vs Output Types
// Input schema (what API receives)
const createUserInputSchema = z.object({
email: z.string().email(),
name: z.string(),
password: z.string().min(8),
});
// Output schema (what API returns)
const userOutputSchema = z.object({
id: z.string().uuid(),
email: z.string().email(),
name: z.string(),
createdAt: z.string().datetime(),
// password excluded!
});
type CreateUserInput = z.infer<typeof createUserInputSchema>;
type UserOutput = z.infer<typeof userOutputSchema>;Error Handling
Zod Error Format
try {
const validated = schema.parse(data);
} catch (error) {
if (error instanceof z.ZodError) {
console.log(error.errors);
// [
// {
// code: 'invalid_type',
// expected: 'string',
// received: 'number',
// path: ['email'],
// message: 'Expected string, received number'
// }
// ]
}
}Custom Error Messages
const userSchema = z.object({
email: z.string().email({ message: 'Please provide a valid email address' }),
name: z.string().min(2, { message: 'Name must be at least 2 characters' }),
age: z.number().int().positive({ message: 'Age must be a positive number' }),
});Formatted Error Response
// Helper function to format Zod errors
function formatZodError(error: z.ZodError) {
return {
message: 'Validation failed',
errors: error.errors.map((err) => ({
field: err.path.join('.'),
message: err.message,
code: err.code,
})),
};
}
// In controller
catch (error) {
if (error instanceof z.ZodError) {
return res.status(400).json({
success: false,
error: formatZodError(error),
});
}
}
// Response example:
// {
// "success": false,
// "error": {
// "message": "Validation failed",
// "errors": [
// {
// "field": "email",
// "message": "Invalid email",
// "code": "invalid_string"
// }
// ]
// }
// }Advanced Patterns
Conditional Validation
// Validate based on other field values
const submissionSchema = z.object({
type: z.enum(['NEW', 'UPDATE']),
postId: z.number().optional(),
}).refine(
(data) => {
// If type is UPDATE, postId is required
if (data.type === 'UPDATE') {
return data.postId !== undefined;
}
return true;
},
{
message: 'postId is required when type is UPDATE',
path: ['postId'],
}
);Transform Data
// Transform strings to numbers
const userSchema = z.object({
name: z.string(),
age: z.string().transform((val) => parseInt(val, 10)),
});
// Transform dates
const eventSchema = z.object({
name: z.string(),
date: z.string().transform((str) => new Date(str)),
});Preprocess Data
// Trim strings before validation
const userSchema = z.object({
email: z.preprocess(
(val) => typeof val === 'string' ? val.trim().toLowerCase() : val,
z.string().email()
),
name: z.preprocess(
(val) => typeof val === 'string' ? val.trim() : val,
z.string().min(2)
),
});Union Types
// Multiple possible types
const idSchema = z.union([z.string(), z.number()]);
// Discriminated unions
const notificationSchema = z.discriminatedUnion('type', [
z.object({
type: z.literal('email'),
recipient: z.string().email(),
subject: z.string(),
}),
z.object({
type: z.literal('sms'),
phoneNumber: z.string(),
message: z.string(),
}),
]);Recursive Schemas
// For nested structures like trees
type Category = {
id: number;
name: string;
children?: Category[];
};
const categorySchema: z.ZodType<Category> = z.lazy(() =>
z.object({
id: z.number(),
name: z.string(),
children: z.array(categorySchema).optional(),
})
);Schema Composition
// Base schemas
const timestampsSchema = z.object({
createdAt: z.string().datetime(),
updatedAt: z.string().datetime(),
});
const auditSchema = z.object({
createdBy: z.string(),
updatedBy: z.string(),
});
// Compose schemas
const userSchema = z.object({
id: z.string(),
email: z.string().email(),
name: z.string(),
}).merge(timestampsSchema).merge(auditSchema);
// Extend schemas
const adminUserSchema = userSchema.extend({
adminLevel: z.number().int().min(1).max(5),
permissions: z.array(z.string()),
});
// Pick specific fields
const publicUserSchema = userSchema.pick({
id: true,
name: true,
// email excluded
});
// Omit fields
const userWithoutTimestamps = userSchema.omit({
createdAt: true,
updatedAt: true,
});Validation Middleware
// Create reusable validation middleware
import { Request, Response, NextFunction } from 'express';
import { z } from 'zod';
export function validateBody<T extends z.ZodType>(schema: T) {
return (req: Request, res: Response, next: NextFunction) => {
try {
req.body = schema.parse(req.body);
next();
} catch (error) {
if (error instanceof z.ZodError) {
return res.status(400).json({
success: false,
error: {
message: 'Validation failed',
details: error.errors,
},
});
}
next(error);
}
};
}
// Usage
router.post('/users',
validateBody(createUserSchema),
async (req, res) => {
// req.body is validated and typed!
const user = await userService.createUser(req.body);
res.json({ success: true, data: user });
}
);Related Files:
- SKILL.md - Main guide
- routing-and-controllers.md - Using validation in controllers
- services-and-repositories.md - Using DTOs in services
- async-and-errors.md - Error handling patterns