POST input validation

server/package.json

@@ -15,6 +15,7 @@
     "express": "^4.19.2",
     "mysql2": "^3.10.1",
     "nodemon": "^3.1.3",
-    "sequelize": "^6.37.3"
+    "sequelize": "^6.37.3",
+    "yup": "^1.4.0"
   }
 }

server/pnpm-lock.yaml

@@ -23,6 +23,9 @@ dependencies:
   sequelize:
     specifier: ^6.37.3
     version: 6.37.3(mysql2@3.10.1)
+  yup:
+    specifier: ^1.4.0
+    version: 1.4.0
 
 packages:
 
@@ -632,6 +635,10 @@ packages:
     engines: {node: '>=8.6'}
     dev: false
 
+  /property-expr@2.0.6:
+    resolution: {integrity: sha512-SVtmxhRE/CGkn3eZY1T6pC8Nln6Fr/lu1mKSgRud0eC73whjGfoAogbn78LkD8aFL0zz3bAFerKSnOl7NlErBA==}
+    dev: false
+
   /proxy-addr@2.0.7:
     resolution: {integrity: sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg==}
     engines: {node: '>= 0.10'}
@@ -837,6 +844,10 @@ packages:
       has-flag: 3.0.0
     dev: false
 
+  /tiny-case@1.0.3:
+    resolution: {integrity: sha512-Eet/eeMhkO6TX8mnUteS9zgPbUMQa4I6Kkp5ORiBD5476/m+PIRiumP5tmh5ioJpH7k51Kehawy2UDfsnxxY8Q==}
+    dev: false
+
   /to-regex-range@5.0.1:
     resolution: {integrity: sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==}
     engines: {node: '>=8.0'}
@@ -853,11 +864,20 @@ packages:
     resolution: {integrity: sha512-OsLcGGbYF3rMjPUf8oKktyvCiUxSbqMMS39m33MAjLTC1DVIH6x3WSt63/M77ihI09+Sdfk1AXvfhCEeUmC7mg==}
     dev: false
 
+  /toposort@2.0.2:
+    resolution: {integrity: sha512-0a5EOkAUp8D4moMi2W8ZF8jcga7BgZd91O/yabJCFY8az+XSzeGyTKs0Aoo897iV1Nj6guFq8orWDS96z91oGg==}
+    dev: false
+
   /touch@3.1.1:
     resolution: {integrity: sha512-r0eojU4bI8MnHr8c5bNo7lJDdI2qXlWWJk6a9EAFG7vbhTjElYhBVS3/miuE0uOuoLdb8Mc/rVfsmm6eo5o9GA==}
     hasBin: true
     dev: false
 
+  /type-fest@2.19.0:
+    resolution: {integrity: sha512-RAH822pAdBgcNMAfWnCBU3CFZcfZ/i1eZjwFU/dsLKumyuuP3niueg2UAukXYF0E2AAoc82ZSSf9J0WQBinzHA==}
+    engines: {node: '>=12.20'}
+    dev: false
+
   /type-is@1.6.18:
     resolution: {integrity: sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==}
     engines: {node: '>= 0.6'}
@@ -904,3 +924,12 @@ packages:
     dependencies:
       '@types/node': 20.14.6
     dev: false
+
+  /yup@1.4.0:
+    resolution: {integrity: sha512-wPbgkJRCqIf+OHyiTBQoJiP5PFuAXaWiJK6AmYkzQAh5/c2K9hzSApBZG5wV9KoKSePF7sAxmNSvh/13YHkFDg==}
+    dependencies:
+      property-expr: 2.0.6
+      tiny-case: 1.0.3
+      toposort: 2.0.2
+      type-fest: 2.19.0
+    dev: false

server/routes/users.js

@@ -1,12 +1,29 @@
 const express = require("express");
+const yup = require("yup");
 const { Op } = require("sequelize");
 const { User } = require("../models");
 const router = express.Router();
 
 router.post("/", async (req, res) => {
   let data = req.body;
-  let result = await User.create(data);
-  res.json(result);
+  // Validate request body
+  let validationSchema = yup.object({
+    id: yup.number().min(0).required(),
+    firstName: yup.string().trim().min(1).max(100).required(),
+    lastName: yup.string().trim().min(1).max(100).required(),
+    email: yup.string().trim().min(5).max(69).email().required(),
+    phoneNumber: yup.string().trim().length(8).required(),
+    passwordHash: yup.string().trim().min(128).max(255).required(),
+    description: yup.string().trim().min(3).max(500).required(),
+  });
+  try {
+    data = await validationSchema.validate(data, { abortEarly: false });
+    // Process valid data
+    let result = await User.create(data);
+    res.json(result);
+  } catch (err) {
+    res.status(400).json({ errors: err.errors });
+  }
 });
 
 router.get("/", async (req, res) => {