Validate the incoming JSON schemas

One Paragraph Explainer

Validation is about being very explicit on what payload our app is willing to accept and failing fast should the input deviate from the expectations. This minimizes the attacker’s surface who can no longer try out payloads with a different structure, values and length. Practically it prevents attacks like DDOS (code is unlikely to fail when the input is well defined) and Insecure Deserialization (JSON contain no surprises). Though validation can be coded or relied upon classes and types (TypeScript, ES6 classes) the community seems to increasingly like JSON-based schemas as these allow declaring complex rules without coding and share the expectations with the frontend. JSON-schema is an emerging standard that is supported by many npm libraries and tools (e.g. jsonschema, Postman), joi is also highly popular with sweet syntax. Typically JSON syntax can’t cover all validation scenario and custom code or pre-baked validation frameworks like validator.js come in handy. Regardless of the chosen syntax, ensure to run the validation as early as possible - For example, by using Express middleware that validates the request body before the request is passed to the route handler

Example - JSON-Schema validation rules

  1. {
  2. "$schema": "http://json-schema.org/draft-06/schema#",
  3. "title": "Product",
  4. "description": "A product from Acme's catalog",
  5. "type": "object",
  6. "properties": {
  7. "name": {
  8. "description": "Name of the product",
  9. "type": "string"
  10. },
  11. "price": {
  12. "type": "number",
  13. "exclusiveMinimum": 0
  14. }
  15. },
  16. "required": ["id", "name", "price"]
  17. }

Example - Validating an entity using JSON-Schema

  1. const JSONValidator = require('jsonschema').Validator;
  2. class Product {
  3. validate() {
  4. const v = new JSONValidator();
  5. return v.validate(this, schema);
  6. }
  7. static get schema() {
  8. //define JSON-Schema, see example above
  9. }
  10. }

Example - Usage of middleware validator

  1. // The validator is a generic middleware that gets the entity it should validate and takes care to return
  2. // HTTP status 400 (Bad Request) should the body payload validation fail
  3. router.post('/' , **validator(Product.validate)**, async (req, res, next) => {
  4. // route handling code goes here
  5. });

What other bloggers say

From the blog Gergely Nemeth:

Validating user input is one of the most important things to do when it comes to the security of your application. Failing to do it correctly can open up your application and users to a wide range of attacks, including command injection, SQL injection or stored cross-site scripting.

To validate user input, one of the best libraries you can pick is joi. Joi is an object schema description language and validator for JavaScript objects.