DEV Community

Joi — awesome code validation for Node.js and Express

Chris Noring on July 28, 2019

Follow me on Twitter, happy to take your suggestions on topics or improvements /Chris Validation of data is an interesting topic, we tend to writ...

Read full post

José Muñoz • Jul 28 '19

Great Post! I personally use Yup which is based on Joi but tailored for the frontend, smaller footprint and whatnot, its pretty much the same API and it is wonderful to work with, specially with Formik

Chris Noring • Jul 28 '19

Hi José. Appreciate the comment. Will look into Yup :)

Netanel Draiman • Jul 28 '19

Cool, didn't know about Yup.
Aside from validating API responses, what other use-cases do you use it for?

José Muñoz • Jul 29 '19

on the frontend it is useful to validate form data before sending it on a request :)

slidenerd • Dec 17 '20

does yup work on the backend and frontend, also what is the difference between yup and joi in terms of functionality, is one superior to the other in any way apart from the footprint you mentioned

Sudhanshu • May 11 '21

Yup doesn't support Dictionary-like structure that Joi does out of the box.
github.com/jquense/yup/issues/1275...

António Avelar • Aug 5 '19 • Edited

I personally use Joi to validate my REST API routes. Each route has a controller, responsible for getting the user request parameters. That controller then passes those params to a service. On that service i have a Joi validation that looks like this:

   async function create(data) {
      return Joi.validate(data, schemas.accountCreation, async (err, value) => {
         if (err) {
            return {
               success: false,
               message: err.message,
               status: 400
            }
         }

         //service logic....        

      }
   }

Each validation is stored in a file that can be reused across all application/microservice. It looks like this:


module.exports = {
    user: {
        accountCreation: Joi.object().keys({
            firstname: Joi.string().min(1).required(),
            lastname: Joi.string().min(1).required(),
            email: Joi.string().regex(EMAIL_REGEX).email().required(),
            password: Joi.string().regex(/^[\x20-\x7E]+$/).min(8).max(72).required()
        }),
        authentication: Joi.object().keys({
            email: Joi.string().regex(EMAIL_REGEX).email().required(),
            password: Joi.string().regex(/^[\x20-\x7E]+$/).min(8).max(72).required()
        })
    },
    collection: {
        create: Joi.object().keys({
            collectionName: Joi.string().regex(ascii).min(1).max(30).required(),
            fields: Joi.array().min(1).required(),
            fieldsToShow: Joi.number().min(1).optional()
        }),
        getCollectionsByOwner: Joi.string().uuid().required(),
        getCollectionsById: Joi.string().uuid().required()
    },
    items: {
        create: Joi.object().keys({
            collectionId: Joi.string().uuid().required(),
            image: Joi.optional(),
            fields: Joi.object({}).min(1).required().unknown()
        }).unknown(),
        getById: Joi.string().uuid().required(),
        deleteItemByUUID: Joi.string().uuid().required()
    }
}

Chris Noring • Aug 5 '19

Thanks for sharing Antonio :)

Dylan Landry • Jul 28 '19 • Edited

I've got it.
The organization which supports Joi is Hapijs. The repository, hapijs/joi sounds like happy joy.

I remember vaguely a song, something like "Happy happy joy joy; happy happy joy." Google reveals it is a song from the old 1996 television show Ren and Stimpy. Could there be a connection?

The hapi.js logo seems familiar, too. Google reveals this 2016 GitHub issue: New Logo?

"I think it's time. We are no longer using the Ren & Stimpy theme so maybe refresh the logo with something cleaner and more up to date?"

Ladies and gentlemen, we got him.

Chris Noring • Jul 28 '19

Wow.. Thanks for that added context Dylan :)

Jacob Evans • Jul 28 '19

Would TypeScript eliminate the need for Joi (I've used Joi before at work)?

I know Flow is similar to TypeScript so usually, people won't use both.

Yawar Amin • Jul 28 '19

You would get the greatest benefit by using a static typechecker like TypeScript or Flow in combination with a dynamic validator like Joi or Ajv. It works roughly like this:

Define a static type
Define a validator function for that type, using Joi or Ajv as the underlying validation tool
Make the validator function return the input value cast to the static type (if validation succeeded) or the validation error (if validation failed)

For example:

interface Person {
  id: string;
  name: string;
}

const personValidator: Validator<Person> = Validator(
  Joi.object().keys({id: Joi.string(), name: Joi.string()}),
);

...

const result = personValidator.validate(personObj);
if (result instanceof ValidationError) {...}
else {
  // Now we know 100% that result is a valid Person with id and name
}

Justin Gross • Jul 28 '19

I was thinking about Typescript while reading this too. In Typescript you have Typeguards which are basically a validation function (you write it, it's a normal function) which would, like Joi here, validate that the object is what you are expecting. During design time you're relatively safe, as a developer, from using the wrong type of object (because Typescript tslint will yell at you, and tsc will exception) and then during runtime you can validate using the Typeguards.

In my travels of JavaScript I realized I started writing more and more boilerplate and tons of extra code to address the fact that JavaScript is not typed and is functional first and OO second. When I finally tried Typescript I felt relieved that I could finally stop writing so much extra code to make up for the fact that JavaScript wasnt typed and didn't have OO as a first class paradigm. Also the IDE and tooling support is so amazing in Typescript.

They say JavaScript ate the world... Next will be Typescript.

Jacob Evans • Jul 28 '19

I actually plan on learning TypeScript 🤣😆 I just have to get over the setup and config excuse... I know once I do it ill be able too to spin it up faster the next times... Just being the bad kind of lazy, procrastinating.

The superset though is exciting and I look forward to all its tooling and power! VSCode is a prime example of the awesomeness TS can be utilized for.

Chris Noring • Jul 28 '19

hi Jacob. Would you benefit from an article that shows how you set up TypeScript + Jest + TS and shows a CI pipeline?

Jacob Evans • Jul 28 '19

Definitely. Especially if you can tie it into a project that already exists... I use React, Babel, Eslint, Parcel, Yarn if that helps at all.

Justin Gross • Jul 28 '19 • Edited

I've created a GitHub template for Typescript. It doesn't teach how to set up a new project and it is opinionated but if you wanted to play around with Typescript, unit testing, code coverage, dependency injection, auto-doc creation, hot-reload and dts rollups it's a ready to go template with a VS Code workspace to boot! Take it or leave.

github.com/JustinTime4Tea/ts-template

Dmitry Erman • Jan 23 '20 • Edited

Great Article Chris. Covers something I've had in my code for a while. There is one more feature that you're not covering.

Joi returns sanitized values of parameters in a 2nd parameter. For example, you can have Joi validate (truthy, falsy, etc) that 'false', false, 0, and 'N' are all equivalent to false for your filter=N query parameter. It will then return false as a boolean. By default all query parameters come through as strings.

To apply the above to your code you would do something like this to manipulate the request object with the sanitized version of the objects:

const middleware = (schema, property) => { 
  return (req, res, next) => { 
  const { error, values } = Joi.validate(req[property], schema); 
  const valid = error == null; 

  if (valid) { 

    /**
    * Manipulate the existing request object with sanitized versions from Joi. This is an example
    * and I'm sure there are other and more efficient ways.
   **/
    if(value && Object.keys(value).length > 0){
        for(const prop in value){

          //maybe not necessary, but defensive coding all the way.
          if(value.hasOwnProperty(prop)){
            if(req.query && req.query[prop]){
              req.query[prop] = value[prop];
            }

            if(req.body && req.body[prop]) {
              req.body[prop] = value[prop];
            }

            if(req.params && req.params[prop]) {
              req.params[prop] = value[prop];
            }
          }
        }
      }
    next(); 
  } else { 
    const { details } = error; 
    const message = details.map(i => i.message).join(',');

    console.log("error", message); 
   res.status(422).json({ error: message }) } 
  } 
}

You can also append the values object to req.options = values that would allow you to have both. But then your code will need to know which one to grab.

O'Dane Brissett • Sep 15 '19

This an excellent Article. I was wonder how I was gonna validate route level instead on controller level. Saved me a ton of time.

Chris Noring • Sep 15 '19

Thank you for that. Glad it helped :)

Carlos Caballero • Jul 28 '19

Thanks!

Joi is a essential element in web development today!

IG:DjArc [Hey-R-C] • Mar 12 '20

Thank you Chris for a great article, I have a question about Unit testing.... The question is how do you Test the next() or how do you test these schemas in general? thank you again.

Chris Noring • Mar 12 '20

hi there. I usually like a mocking approach, cause we are talking middleware right? codewithhugo.com/express-request-r...

IG:DjArc [Hey-R-C] • Mar 12 '20

Hey Chris, thank you very much for that prompt reply. I am ACTUALLY please and surprised with your quickness. So I looked at the example you shared. I have to be honest I am still a novice to this testing life. So I have attached my module and test. Any pointer/guidance would be appreciated.

Here is the module