Security Hardening, Lesson 5.3
Input validation and sanitization for auth routes
express-validator, email validation, password complexity rules, input sanitization, SQL injection via auth fields, error message consistency, reject unknown fields
Why Auth Inputs Need Validation
Unvalidated inputs lead to crashes, unexpected behavior, and injection attacks. Your auth routes accept user-controlled data and must validate it before any database or comparison logic runs.
    npm install express-validator

    const express = require('express');
    const { body, validationResult } = require('express-validator');

    const app = express();
    app.use(express.json()); // parse JSON bodies before the validators run

    const registerValidation = [
      body('email')
        // withMessage() applies to the validator immediately before it
        .isEmail().withMessage('Valid email required')
        // Sanitizer: lower-cases and canonicalises the address. Apply the same
        // normalization at login so lookups match what was stored.
        .normalizeEmail(),
      body('password')
        // Minimum for strength; the maximum is only a DoS guard (see below)
        .isLength({ min: 8, max: 1000 }).withMessage('Password must be 8 to 1000 characters')
        .matches(/[A-Z]/).withMessage('Password needs uppercase')
        .matches(/[0-9]/).withMessage('Password needs a number')
    ];

    app.post('/auth/register', registerValidation, (req, res) => {
      const errors = validationResult(req);
      if (!errors.isEmpty()) {
        return res.status(400).json({ errors: errors.array() });
      }
      // Safe to proceed: req.body.email and req.body.password passed validation
      res.status(201).json({ ok: true });
    });
Do Not Over-Restrict Passwords
Do not impose a maximum password length below 64 characters — it signals you are storing passwords in a way that makes length matter (i.e., plaintext or weak encryption). bcrypt accepts up to 72 bytes natively. Reject passwords longer than 1000 characters to prevent DoS via intentionally slow bcrypt on huge inputs.
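As an added example that is not part of the lesson, the same policy (allowed fields only, email shape, passwords of 8 to 1000 characters with an uppercase letter and a digit, one consistent error shape) written as a dependency-free function so it can be unit-tested without a running server; the field names, messages and the deliberately simple email regex are assumptions for illustration.

```javascript
// Added example (not the lesson's own code): applies the lesson's rules as a
// pure function. Field names, messages and the email regex are assumptions.
const ALLOWED_FIELDS = ['email', 'password'];
const PASSWORD_MIN = 8;
const PASSWORD_MAX = 1000; // DoS guard only; never a usability limit below 64
// Conservative shape check: one "@", no whitespace, a dot in the domain part.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Returns an array of { field, msg } errors; empty array means the body is valid.
function validateRegistration(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return [{ field: 'body', msg: 'JSON object required' }];
  }
  const errors = [];
  // Reject unknown fields so extra attributes cannot ride along into the
  // object that is later handed to the data layer.
  for (const key of Object.keys(body)) {
    if (!ALLOWED_FIELDS.includes(key)) {
      errors.push({ field: key, msg: 'Unknown field' });
    }
  }
  const { email, password } = body;
  if (typeof email !== 'string' || !EMAIL_RE.test(email.trim())) {
    errors.push({ field: 'email', msg: 'Valid email required' });
  }
  if (typeof password !== 'string') {
    errors.push({ field: 'password', msg: 'Password required' });
  } else {
    // Length is checked first; anything over PASSWORD_MAX is rejected here
    // and never reaches the (intentionally slow) bcrypt hashing step.
    if (password.length < PASSWORD_MIN) {
      errors.push({ field: 'password', msg: 'Password too short' });
    }
    if (password.length > PASSWORD_MAX) {
      errors.push({ field: 'password', msg: 'Password too long' });
    } else {
      if (!/[A-Z]/.test(password)) errors.push({ field: 'password', msg: 'Password needs uppercase' });
      if (!/[0-9]/.test(password)) errors.push({ field: 'password', msg: 'Password needs a number' });
    }
  }
  return errors;
}

// Normalised email for lookup and storage: trimmed and lower-cased so
// "Alice@Example.com" and "alice@example.com" resolve to the same account.
function normalizeEmail(email) {
  return email.trim().toLowerCase();
}
```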
