Runtime validation for request bodies (Zod)


TypeScript only protects you at compile time; at runtime your API still receives untrusted JSON from the internet, and a `Request` body typed as `CreateOrderBody` is a promise the compiler cannot keep. I lean on Zod as the single source of truth: the schema does the parsing and validation, and the TypeScript type is inferred from it (`z.infer`), so the runtime check and the static type cannot drift apart.

The big win is that I don't try to validate "everything". I validate what the handler actually uses and let Zod strip the rest (the default for `z.object`), which also means extra attacker-supplied properties never reach the handler. I coerce where it's pragmatic, such as turning query-string values into numbers, but coercion needs bounds: `z.coerce.number()` happily turns `""` into `0` and `"Infinity"` into `Infinity`, so I pair it with `.int()`, `.min()` and `.max()` rather than trusting the coerced value on its own.

When validation fails, I return a consistent 400 shape (`error` plus an `issues` array of path and message) so the frontend can render field errors without special-casing each endpoint. I project the `ZodError` down to those two fields instead of returning it whole, so schema internals and echoed input stay out of the response. This has saved me from subtle bugs during refactors, and it makes versioned endpoints safer because unexpected payloads fail loudly at the boundary instead of propagating `undefined` into business logic.