Data Validation Patterns for Robust Applications

Data validation is your application's first line of defense. Invalid data causes bugs, security vulnerabilities, and corrupted databases. Robust validation catches problems early and provides clear feedback to users and developers.

Validation Principles#

Validate at Boundaries#

External input → Validation → Internal processing

Boundaries:
- API endpoints
- Form submissions
- File uploads
- Database reads (legacy data)
- Third-party API responses
- Environment variables

Fail Fast#

// ❌ Late validation - error deep in system
function processOrder(order) {
  // ... 50 lines of processing
  if (!order.items.length) {
    throw new Error('No items'); // Too late!
  }
}

// ✅ Early validation - catch immediately
function processOrder(order) {
  validateOrder(order); // Throws if invalid
  // ... safe processing
}

Schema Validation with Zod#

Basic Schemas#

import { z } from 'zod';

const userSchema = z.object({
  email: z.string().email(),
  password: z.string().min(8).max(100),
  name: z.string().min(1).max(255),
  age: z.number().int().positive().optional(),
});

type User = z.infer<typeof userSchema>;

// Validation
const result = userSchema.safeParse(input);
if (!result.success) {
  console.error(result.error.format());
} else {
  const user: User = result.data;
}

Complex Schemas#

const orderSchema = z.object({
  customerId: z.string().uuid(),

  items: z.array(z.object({
    productId: z.string().uuid(),
    quantity: z.number().int().positive(),
    price: z.number().positive(),
  })).min(1),

  shipping: z.discriminatedUnion('method', [
    z.object({
      method: z.literal('standard'),
      address: addressSchema,
    }),
    z.object({
      method: z.literal('pickup'),
      storeId: z.string(),
    }),
  ]),

  couponCode: z.string().optional(),

  metadata: z.record(z.string()).optional(),
});

Transformations#

const userInputSchema = z.object({
  email: z.string().email().toLowerCase(),
  name: z.string().trim(),
  birthDate: z.string().transform(str => new Date(str)),
  tags: z.string().transform(str => str.split(',').map(s => s.trim())),
});

const passwordSchema = z.string()
  .min(8)
  .refine(
    (password) => /[A-Z]/.test(password),
    { message: 'Must contain uppercase letter' }
  )
  .refine(
    (password) => /[0-9]/.test(password),
    { message: 'Must contain number' }
  )
  .refine(
    (password) => /[!@#$%^&*]/.test(password),
    { message: 'Must contain special character' }
  );

const registrationSchema = z.object({
  password: passwordSchema,
  confirmPassword: z.string(),
}).refine(
  (data) => data.password === data.confirmPassword,
  { message: 'Passwords must match', path: ['confirmPassword'] }
);

API Validation#

Express Middleware#

import { z } from 'zod';
import { Request, Response, NextFunction } from 'express';

function validate<T extends z.ZodSchema>(schema: T) {
  return (req: Request, res: Response, next: NextFunction) => {
    const result = schema.safeParse({
      body: req.body,
      query: req.query,
      params: req.params,
    });

    if (!result.success) {
      return res.status(400).json({
        error: 'Validation failed',
        details: result.error.format(),
      });
    }

    req.validated = result.data;
    next();
  };
}

// Usage
const createUserSchema = z.object({
  body: z.object({
    email: z.string().email(),
    name: z.string().min(1),
  }),
});

app.post('/users', validate(createUserSchema), (req, res) => {
  const { email, name } = req.validated.body;
  // Guaranteed valid
});

tRPC Integration#

import { z } from 'zod';
import { router, publicProcedure } from './trpc';

const userRouter = router({
  create: publicProcedure
    .input(z.object({
      email: z.string().email(),
      name: z.string().min(1),
    }))
    .mutation(async ({ input }) => {
      // input is typed and validated
      return createUser(input);
    }),

  getById: publicProcedure
    .input(z.string().uuid())
    .query(async ({ input: id }) => {
      return getUserById(id);
    }),
});

Form Validation#

React Hook Form + Zod#

import { useForm } from 'react-hook-form';
import { zodResolver } from '@hookform/resolvers/zod';
import { z } from 'zod';

const formSchema = z.object({
  email: z.string().email('Invalid email'),
  password: z.string().min(8, 'Password must be at least 8 characters'),
  acceptTerms: z.literal(true, {
    errorMap: () => ({ message: 'You must accept the terms' }),
  }),
});

type FormData = z.infer<typeof formSchema>;

function SignupForm() {
  const {
    register,
    handleSubmit,
    formState: { errors },
  } = useForm<FormData>({
    resolver: zodResolver(formSchema),
  });

  return (
    <form onSubmit={handleSubmit(onSubmit)}>
      <input {...register('email')} />
      {errors.email && <span>{errors.email.message}</span>}

      <input type="password" {...register('password')} />
      {errors.password && <span>{errors.password.message}</span>}

      <input type="checkbox" {...register('acceptTerms')} />
      {errors.acceptTerms && <span>{errors.acceptTerms.message}</span>}

      <button type="submit">Sign Up</button>
    </form>
  );
}

Database Validation#

Prisma Integration#

// Validate before database operations
const createProductSchema = z.object({
  name: z.string().min(1).max(255),
  price: z.number().positive(),
  categoryId: z.string().uuid(),
});

async function createProduct(input: unknown) {
  const validated = createProductSchema.parse(input);

  return prisma.product.create({
    data: validated,
  });
}

Database Constraints as Backup#

-- Database-level validation as last defense
CREATE TABLE users (
  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  email VARCHAR(255) NOT NULL UNIQUE,
  name VARCHAR(255) NOT NULL,
  age INTEGER CHECK (age > 0),
  created_at TIMESTAMP NOT NULL DEFAULT NOW(),

  CONSTRAINT email_format CHECK (email ~* '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')
);

Environment Validation#

At Startup#

const envSchema = z.object({
  NODE_ENV: z.enum(['development', 'production', 'test']),
  DATABASE_URL: z.string().url(),
  JWT_SECRET: z.string().min(32),
  PORT: z.string().regex(/^\d+$/).transform(Number).default('3000'),
  REDIS_URL: z.string().url().optional(),
});

type Env = z.infer<typeof envSchema>;

function validateEnv(): Env {
  const result = envSchema.safeParse(process.env);

  if (!result.success) {
    console.error('Invalid environment variables:');
    console.error(result.error.format());
    process.exit(1);
  }

  return result.data;
}

export const env = validateEnv();

Error Messages#

User-Friendly Messages#

const userSchema = z.object({
  email: z.string({
    required_error: 'Email is required',
    invalid_type_error: 'Email must be a string',
  }).email('Please enter a valid email address'),

  password: z.string()
    .min(8, 'Password must be at least 8 characters')
    .max(100, 'Password must be less than 100 characters'),

  age: z.number({
    required_error: 'Age is required',
    invalid_type_error: 'Age must be a number',
  }).int('Age must be a whole number')
    .positive('Age must be positive'),
});

Error Formatting#

function formatValidationErrors(error: z.ZodError) {
  return error.errors.map(err => ({
    field: err.path.join('.'),
    message: err.message,
  }));
}

// Output:
// [
//   { field: 'email', message: 'Invalid email' },
//   { field: 'password', message: 'Password too short' }
// ]

Sanitization#

Input Sanitization#

import DOMPurify from 'dompurify';

const commentSchema = z.object({
  content: z.string()
    .min(1)
    .max(10000)
    .transform(str => DOMPurify.sanitize(str)),
});

const userInputSchema = z.object({
  name: z.string()
    .trim()
    .replace(/[<>]/g, ''),  // Remove angle brackets

  url: z.string()
    .url()
    .refine(
      url => url.startsWith('https://'),
      'URL must use HTTPS'
    ),
});

Testing Validation#

describe('userSchema', () => {
  it('accepts valid input', () => {
    const input = { email: 'test@example.com', name: 'John' };
    expect(() => userSchema.parse(input)).not.toThrow();
  });

  it('rejects invalid email', () => {
    const input = { email: 'not-an-email', name: 'John' };
    const result = userSchema.safeParse(input);
    expect(result.success).toBe(false);
    expect(result.error?.issues[0].path).toContain('email');
  });

  it('rejects empty name', () => {
    const input = { email: 'test@example.com', name: '' };
    const result = userSchema.safeParse(input);
    expect(result.success).toBe(false);
  });

  it('transforms email to lowercase', () => {
    const input = { email: 'TEST@EXAMPLE.COM', name: 'John' };
    const result = userSchema.parse(input);
    expect(result.email).toBe('test@example.com');
  });
});

Best Practices#

1. Single Source of Truth#

// Define once, use everywhere
export const userSchema = z.object({...});
export type User = z.infer<typeof userSchema>;

// API uses it
app.post('/users', validate(userSchema), handler);

// Form uses it
const form = useForm({ resolver: zodResolver(userSchema) });

// Tests use it
const validUser = generateValid(userSchema);

2. Composition#

const addressSchema = z.object({
  street: z.string(),
  city: z.string(),
  zipCode: z.string(),
});

const userSchema = z.object({
  email: z.string().email(),
  address: addressSchema,
  billingAddress: addressSchema.optional(),
});

3. Graceful Degradation#

const configSchema = z.object({
  apiUrl: z.string().url(),
  timeout: z.number().default(5000),
  retries: z.number().default(3),
  features: z.object({
    darkMode: z.boolean().default(false),
    analytics: z.boolean().default(true),
  }).default({}),
});

// Works with partial input
const config = configSchema.parse({ apiUrl: 'https://api.example.com' });

Conclusion#

Validation is not optional—it's essential for security, reliability, and user experience. Use schema validation libraries like Zod for type-safe, composable validation that works across your entire stack.

Validate at every boundary, fail fast with clear errors, and test your validation logic thoroughly. The effort invested in robust validation pays dividends in prevented bugs and security issues.

Share this article