Add comprehensive input validation middleware for controller layer #204

@grantfox-development

Problem

Controllers and services lack consistent input validation. While the Photo module (src/modules/photo/presentation/controllers/PhotoController.ts) uses express-validator, most endpoints accept raw request bodies without validation, including:

  • createVolunteer in src/controllers/VolunteerController.ts
  • createProject in src/controllers/Project.controller.ts
  • Auth endpoints (register/login)

This creates risk of:

  • Invalid data types persisting to the database (e.g., parseInt(userId, 10) in PhotoController.ts:51 without prior validation).
  • Missing required fields not caught until the service/repository layer.
  • Date parsing issues (new Date(startDate) in the project controller without format validation).
  • Inconsistent error responses for validation failures across modules.

express-validator and class-validator are already installed but underutilized.

Proposed Solution

  1. Create a reusable ValidationPipe middleware in src/middleware/ that wraps express-validator chains and returns a standardized 400 response.
  2. Define DTOs/validation schemas using class-validator decorators in src/dtos/ (or co-located with each module): CreateProjectDTO, CreateVolunteerDTO, RegisterUserDTO, LoginDTO, UploadPhotoDTO.
  3. Apply the validation middleware consistently across auth, project, volunteer, user, and photo routes.
  4. Standardize the validation error response format with field-level error details.
  5. Add tests/validation.test.ts covering positive and negative cases for at least 5 critical endpoints.

Acceptance Criteria

  • Validation middleware handles email, UUID, date, enum, and custom string-length/regex constraints.
  • All POST/PUT endpoints have validation applied; invalid input returns HTTP 400 with structured field-level errors.
  • DTOs document the expected input schema and live next to the module they serve.
  • At least 5 critical endpoints covered: register, login, createProject, createVolunteer, upload photo.
  • Integration test validates both passing and failing validation paths and checks error response shape.
  • No regression in existing tests; CI passes.

Out of Scope

  • Refactoring existing service-layer validation (separate effort).
  • Changing the auth strategy or JWT logic.

Suggested Labels

enhancement, code-quality, testing
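
A dependency-free sketch of the middleware proposed above, added here as an example and not taken from the repository. It uses hand-written rules instead of express-validator or class-validator so that it runs stand-alone; the rule helpers, the `createProjectSchema` field names (other than `startDate`) and the error response shape are assumptions.

```typescript
// Added example: dependency-free sketch. Rule names, schema and error shape are assumptions.
type Rule = (v: unknown) => string | null; // error message, or null when valid
type Schema = Record<string, Rule>;        // every listed field is required
type FieldError = { field: string; message: string };

const str = (v: unknown): v is string => typeof v === "string";
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

const email: Rule = v =>
  str(v) && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v) ? null : "must be a valid email";
const uuid: Rule = v => (str(v) && UUID_RE.test(v) ? null : "must be a UUID");
const oneOf = (allowed: string[]): Rule => v =>
  str(v) && allowed.indexOf(v) !== -1 ? null : "must be one of: " + allowed.join(", ");
const strLen = (min: number, max: number): Rule => v =>
  str(v) && v.length >= min && v.length <= max ? null : `must be ${min}-${max} characters`;
// Strict YYYY-MM-DD plus a round-trip, so new Date() never sees free-form input
// and an impossible day such as 2024-02-31 is rejected rather than rolled over.
const isoDate: Rule = v => {
  if (!str(v) || !/^\d{4}-\d{2}-\d{2}$/.test(v)) return "must be a YYYY-MM-DD date";
  const d = new Date(v + "T00:00:00Z");
  return !isNaN(d.getTime()) && d.toISOString().slice(0, 10) === v ? null : "must be a real calendar date";
};

function validateBody(schema: Schema, body: unknown): FieldError[] {
  const data = (typeof body === "object" && body !== null ? body : {}) as Record<string, unknown>;
  const errors: FieldError[] = [];
  for (const field of Object.keys(schema)) {
    const value = data[field];
    const message = value === undefined || value === null ? "is required" : schema[field](value);
    if (message) errors.push({ field, message });
  }
  return errors;
}

// Structural stand-ins for Express's Request/Response so the sketch runs without Express.
type Req = { body?: unknown };
type Res = { status(code: number): Res; json(payload: unknown): unknown };

const validate = (schema: Schema) => (req: Req, res: Res, next: () => void): void => {
  const errors = validateBody(schema, req.body);
  if (errors.length === 0) return next();
  res.status(400).json({ error: "ValidationError", errors });
};

// Hypothetical schema for createProject; field names other than startDate are assumed.
const createProjectSchema: Schema = {
  name: strLen(3, 100), ownerId: uuid, startDate: isoDate, status: oneOf(["draft", "active"]),
};
```

Mounted as `router.post(path, validate(createProjectSchema), handler)`, the controller only runs once every field has passed, so calls like `new Date(startDate)` receive input that has already been format-checked.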

Labels: enhancement (New feature or request)
