Validating & Sanitizing Input

One of the most important lesson you learn with implementing API service is that you never trust the input your receive. You must validate the input, which means check that the input passes constraints, and sanitize the input, which means converting it from a text-based value to its concrete representation, such as a Date or a String.

Blueprint facilitates validating and sanitizing the input on the controller action. The controller action has the option of using the schema property to perform static validation. The value of the schema property is a schema definition from express-validator. You can also use the validate() method, which is used to perform dynamic and asynchronous validation.

In our super-rentals example, we only need to validate the id parameter for getOne(), update(), and delete(). The schema for each method will be the same so we are only going to show the schema for the getOne() method.

module.exports = ResourceController.extend ({
  // ...
  
  getOne () {
    return Action.extend ({
      // express-validator schema
      schema: {
        [this.id]: {
          in: 'params',
          optional: false,
        }
      },
  
      execute (req, res) {
        const { rentalId } = req.params;
        const rental = this.controller.rentals.get (rentalId);
  
        if (rental) {
          res.status (200).json ({ data: [rental] });
        }
        else {
          res.sendStatus (404);
        }
      }
    })
  }
});