feat(validation): introduce express-validator on CMS user and article endpoints

Replaces the broken fieldValidation helper (called next() without return,
so execution continued on invalid input) with express-validator chains
applied at the route level. Validation covers: email format, username
constraints, password min length, field lengths, URL and phone formats.
products and tags controllers retain their local fieldValidation pending
a separate ecommerce validation pass.
This commit is contained in:
2026-04-26 22:06:28 +02:00
parent f1f913f63f
commit 61cdec00e7
7 changed files with 113 additions and 35 deletions
-18
View File
@@ -32,10 +32,6 @@ module.exports.authenticate = asyncHandler(async (req, res, next) => {
module.exports.createUser = asyncHandler(async (req, res, next) => {
try {
fieldValidation(req.body.user.username, next);
fieldValidation(req.body.user.email, next);
fieldValidation(req.body.user.password, next);
const { username, firstname, lastname, phone, email, password } = req.body.user;
const userSlug = UserService.slugify(username);
const slugInDB = await UserService.isUsernameUsed(userSlug);
@@ -92,12 +88,6 @@ module.exports.getUser = asyncHandler(async (req, res, next) => {
module.exports.loginAsUser = asyncHandler(async (req, res, next) => {
try {
if (!req.body.user.email) {
return res.status(422).json({ errors: { email: "email can't be blank" } });
}
if (!req.body.user.password) {
return res.status(422).json({ errors: { password: " password can't be blank" } });
}
passport.authenticate('local', { session: false }, function (err, user, info) {
if (err) {
return next(err);
@@ -161,7 +151,6 @@ module.exports.updateUserEmail = asyncHandler(async (req, res, next) => {
return next(new ErrorResponse("Unauthorized", 401, "You are not allowed to access this resource."));
}
fieldValidation(req.body.user.email, next);
if (typeof req.body.user.email !== 'undefined') {
user.email = req.body.user.email;
}
@@ -205,7 +194,6 @@ module.exports.updateUserRole = asyncHandler(async (req, res, next) => {
return next(new ErrorResponse("Forbidden", 403, "You are not allowed to change user roles."));
}
fieldValidation(req.body.user.role, next);
if (typeof req.body.user.role !== 'undefined') {
user.role = req.body.user.role;
}
@@ -226,7 +214,6 @@ module.exports.updateUserUsername = asyncHandler(async (req, res, next) => {
return next(new ErrorResponse("Unauthorized", 401, "You are not allowed to access this resource."));
}
fieldValidation(req.body.user.username, next);
if (typeof req.body.user.username !== 'undefined') {
user.username = req.body.user.username;
}
@@ -240,8 +227,3 @@ module.exports.updateUserUsername = asyncHandler(async (req, res, next) => {
}
});
const fieldValidation = (field, next) => {
if (!field) {
return next(new ErrorResponse(`Missing fields`, 400));
}
};