Script Valley
REST API Development: Beginner to Production
Data Validation, Error Handling, and API Design Patterns: Lesson 3.1

Input validation in Express with Zod

Zod schema, z.object, z.string, z.number, safeParse, validation middleware, error formatting, required vs optional fields

Input Validation with Zod

Never trust user input. Validate every incoming request body, query parameter, and route parameter before touching your database or business logic. Zod is the cleanest validation library for Node.js: its schemas are type-safe, and they parse input into a typed result rather than only checking it.

Install and Define a Schema

npm install zod

// validation/userSchema.js
const { z } = require('zod');

const createUserSchema = z.object({
  name: z.string().min(1).max(100),
  email: z.string().email(),
  age: z.number().int().min(0).max(150).optional()
});

module.exports = { createUserSchema };

Validation Middleware

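// middleware/validate.js
// Returns Express middleware that validates req.body against the given Zod schema.
const validate = (schema) => (req, res, next) => {
  const result = schema.safeParse(req.body);
  if (!result.success) {
    return res.status(422).json({
      // Read `issues`, the canonical list on ZodError; Zod 4 dropped the older `errors` alias.
      errors: result.error.issues.map(e => ({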
        field: e.path.join('.'),
        message: e.message
      }))
    });
  }
  req.validatedBody = result.data;
  next();
};

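module.exports = validate;

// In your route (require paths are relative to the route file; adjust to your layout)
const validate = require('../middleware/validate');
const { createUserSchema } = require('../validation/userSchema');

router.post('/users', validate(createUserSchema), createUser);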

Use safeParse, not parse: safeParse returns a result object instead of throwing, which works cleanly with middleware. Attach the parsed data to req.validatedBody so controllers use the coerced, validated value rather than raw input.
