Add comprehensive input validation middleware for controller layer #204

@grantfox-development

Problem

Controllers and services lack consistent input validation. While the Photo module (src/modules/photo/presentation/controllers/PhotoController.ts) uses express-validator, most endpoints accept raw request bodies without validation, including:

  • createVolunteer in src/controllers/VolunteerController.ts
  • createProject in src/controllers/Project.controller.ts
  • Auth endpoints (register/login)

This creates risk of:

  • Invalid data types persisting to the database (e.g., parseInt(userId, 10) in PhotoController.ts:51 without prior validation).
  • Missing required fields not caught until the service/repository layer.
  • Date parsing issues (new Date(startDate) in the project controller without format validation).
  • Inconsistent error responses for validation failures across modules.

express-validator and class-validator are already installed but underutilized.

Proposed Solution

  1. Create a reusable ValidationPipe middleware in src/middleware/ that wraps express-validator chains and returns a standardized 400 response.
  2. Define DTOs/validation schemas using class-validator decorators in src/dtos/ (or co-located with each module): CreateProjectDTO, CreateVolunteerDTO, RegisterUserDTO, LoginDTO, UploadPhotoDTO.
  3. Apply the validation middleware consistently across auth, project, volunteer, user, and photo routes.
  4. Standardize the validation error response format with field-level error details.
  5. Add tests/validation.test.ts covering positive and negative cases for at least 5 critical endpoints.

Acceptance Criteria

  • Validation middleware handles email, UUID, date, enum, and custom string-length/regex constraints.
  • All POST/PUT endpoints have validation applied; invalid input returns HTTP 400 with structured field-level errors.
  • DTOs document the expected input schema and live next to the module they serve.
  • At least 5 critical endpoints covered: register, login, createProject, createVolunteer, upload photo.
  • Integration test validates both passing and failing validation paths and checks error response shape.
  • No regression in existing tests; CI passes.

Out of Scope

  • Refactoring existing service-layer validation (separate effort).
  • Changing the auth strategy or JWT logic.

Suggested Labels

enhancement, code-quality, testing
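
A sketch of the middleware shape described under Proposed Solution, added here as an example; it is not code from this repository. Hand-written checks stand in for express-validator/class-validator so the block runs with no dependencies, and all type, function and field names other than `startDate` are assumptions.

```typescript
// Added example. Every name here is hypothetical except the startDate field.
type FieldError = { field: string; message: string };
type FieldCheck = (v: unknown) => string | null; // null means the value passed
type BodySchema = Record<string, { required: boolean; checks: FieldCheck[] }>;

// parseInt("12abc", 10) returns 12, so an id must be digits from start to end.
const intString: FieldCheck = (v) =>
  typeof v === "string" && /^[0-9]+$/.test(v) ? null : "must be an integer";
const lengthBetween = (min: number, max: number): FieldCheck => (v) =>
  typeof v === "string" && v.length >= min && v.length <= max ? null : `must be ${min} to ${max} characters`;
const oneOf = (allowed: string[]): FieldCheck => (v) =>
  typeof v === "string" && allowed.indexOf(v) >= 0 ? null : `must be one of: ${allowed.join(", ")}`;
// new Date(text) does not throw on bad input, it returns an Invalid Date. Check
// the format, then round-trip to reject impossible days such as 2024-02-30.
const isoDate: FieldCheck = (v) => {
  if (typeof v !== "string" || !/^\d{4}-\d{2}-\d{2}$/.test(v)) return "must be a YYYY-MM-DD date";
  const d = new Date(v + "T00:00:00Z");
  return !isNaN(d.getTime()) && d.toISOString().slice(0, 10) === v ? null : "is not a real calendar date";
};

function validate(schema: BodySchema, body: Record<string, unknown>): FieldError[] {
  const errors: FieldError[] = [];
  for (const field of Object.keys(schema)) {
    const value = body[field];
    const missing = value === undefined || value === null || value === "";
    if (missing && schema[field].required) errors.push({ field, message: "is required" });
    for (const check of missing ? [] : schema[field].checks) {
      const message = check(value);
      if (message !== null) { errors.push({ field, message }); break; } // first failure per field
    }
  }
  return errors;
}

// Structural stand-in for the parts of Express's res that the middleware touches.
type JsonResponse = { status(code: number): JsonResponse; json(payload: unknown): JsonResponse };
function validateBody(schema: BodySchema) {
  return (req: { body?: Record<string, unknown> }, res: JsonResponse, next: () => void): void => {
    const errors = validate(schema, req.body || {});
    if (errors.length === 0) { next(); return; }
    res.status(400).json({ error: "ValidationError", details: errors });
  };
}

// Constructed schema for a createProject body.
const createProjectSchema: BodySchema = {
  title: { required: true, checks: [lengthBetween(3, 100)] },
  startDate: { required: true, checks: [isoDate] },
  state: { required: false, checks: [oneOf(["draft", "active", "closed"])] },
};
```

The function returned by `validateBody` has the `(req, res, next)` shape Express middleware uses, so the controller only runs once the body has passed every check.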


Labels: enhancement (New feature or request)
