[ [0x80] Security ] Schema Validation

Schema Validation

> Validate all inputs with Zod schemas for type-safe, secure data handling.

Overview

[ [0x80] STATUS ]

Schema validation ensures all data entering your application is properly validated and typed. Zod provides runtime validation with automatic TypeScript type inference.

Features

[ [0x01] TYPE_SAFE ]

STATUS: READY

DESC: Full TypeScript inference from your schemas.

[ [0x02] API_VALIDATI ]

STATUS: READY

DESC: Validate request and response bodies.

[ [0x03] FORM_VALIDAT ]

STATUS: READY

DESC: Works with react-hook-form out of the box.

[ [0x04] ENV_VALIDATI ]

STATUS: READY

DESC: Validate environment variables at startup.

Usage

[ [0x84] BASIC ZOD SCHEMA ]

Define schemas to validate data

1// src/lib/validations/user.ts
2
3import { z } from "zod";
4
5export const userSchema = z.object({
6  email: z
7    .string()
8    .email("Invalid email address")
9    .min(1, "Email is required"),
10  password: z
11    .string()
12    .min(8, "Password must be at least 8 characters")
13    .regex(
14      /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)/,
15      "Password must contain uppercase, lowercase, and number"
16    ),
17  name: z
18    .string()
19    .min(2, "Name must be at least 2 characters")
20    .max(100, "Name must be less than 100 characters"),
21});
22
23// Infer TypeScript type from schema
24export type UserInput = z.infer<typeof userSchema>;

[ [0x36] API ROUTE VALIDATION ]

Validate request bodies in API routes

1// src/app/api/users/route.ts
2
3import { NextRequest, NextResponse } from "next/server";
4import { z } from "zod";
5
6const createUserSchema = z.object({
7  email: z.string().email(),
8  name: z.string().min(1).max(100),
9  role: z.enum(["user", "admin"]).default("user"),
10});
11
12export async function POST(request: NextRequest) {
13  try {
14    const body = await request.json();
15
16    // Validate request body
17    const result = createUserSchema.safeParse(body);
18
19    if (!result.success) {
20      return NextResponse.json(
21        {
22          error: "Validation failed",
23          details: result.error.flatten().fieldErrors,
24        },
25        { status: 400 }
26      );
27    }
28
29    // result.data is fully typed
30    const { email, name, role } = result.data;
31
32    // Create user with validated data
33    // ...
34
35    return NextResponse.json({ success: true });
36  } catch (_) {
37    return NextResponse.json(
38      { error: "Invalid JSON body" },
39      { status: 400 }
40    );
41  }
42}

[ [0xF5] COMMON VALIDATION PATTERNS ]

Reusable validation patterns for common fields

1// src/lib/validations/common.ts
2
3import { z } from "zod";
4
5// Email validation
6export const emailSchema = z
7  .string()
8  .email("Invalid email")
9  .toLowerCase()
10  .trim();
11
12// Password with strength requirements
13export const passwordSchema = z
14  .string()
15  .min(8, "Minimum 8 characters")
16  .max(128, "Maximum 128 characters")
17  .regex(/[a-z]/, "Must contain lowercase letter")
18  .regex(/[A-Z]/, "Must contain uppercase letter")
19  .regex(/[0-9]/, "Must contain number")
20  .regex(/[^a-zA-Z0-9]/, "Must contain special character");
21
22// UUID validation
23export const uuidSchema = z.string().uuid("Invalid ID format");
24
25// URL validation
26export const urlSchema = z.string().url("Invalid URL").optional();
27
28// Phone number (basic)
29export const phoneSchema = z
30  .string()
31  .regex(/^\+?[1-9]\d{1,14}$/, "Invalid phone number");
32
33// Date validation
34export const dateSchema = z.coerce.date();
35
36// Pagination
37export const paginationSchema = z.object({
38  page: z.coerce.number().int().positive().default(1),
39  limit: z.coerce.number().int().min(1).max(100).default(20),
40});
41
42// Sort order
43export const sortSchema = z.object({
44  sortBy: z.string().optional(),
45  order: z.enum(["asc", "desc"]).default("desc"),
46});

[ [0xAB] FORM VALIDATION ]

Use schemas with react-hook-form

1"use client";
2
3import { useForm } from "react-hook-form";
4import { zodResolver } from "@hookform/resolvers/zod";
5import { z } from "zod";
6
7const contactSchema = z.object({
8  name: z.string().min(1, "Name is required"),
9  email: z.string().email("Invalid email"),
10  message: z.string().min(10, "Message must be at least 10 characters"),
11});
12
13type ContactForm = z.infer<typeof contactSchema>;
14
15export function ContactForm() {
16  const {
17    register,
18    handleSubmit,
19    formState: { errors },
20  } = useForm<ContactForm>({
21    resolver: zodResolver(contactSchema),
22  });
23
24  const onSubmit = (data: ContactForm) => {
25    // data is fully validated and typed
26    // Process validated data
27  };
28
29  return (
30    <form onSubmit={handleSubmit(onSubmit)}>
31      <div>
32        <input {...register("name")} placeholder="Name" />
33        {errors.name && (
34          <p className="text-destructive">{errors.name.message}</p>
35        )}
36      </div>
37
38      <div>
39        <input {...register("email")} placeholder="Email" />
40        {errors.email && (
41          <p className="text-destructive">{errors.email.message}</p>
42        )}
43      </div>
44
45      <div>
46        <textarea {...register("message")} placeholder="Message" />
47        {errors.message && (
48          <p className="text-destructive">{errors.message.message}</p>
49        )}
50      </div>
51
52      <button type="submit">Send</button>
53    </form>
54  );
55}

[ [0xE8] QUERY PARAMETER VALIDATION ]

Validate URL search params

1// src/app/api/items/route.ts
2
3import { NextRequest, NextResponse } from "next/server";
4import { z } from "zod";
5
6const querySchema = z.object({
7  page: z.coerce.number().int().positive().default(1),
8  limit: z.coerce.number().int().min(1).max(100).default(20),
9  search: z.string().optional(),
10  status: z.enum(["active", "inactive", "all"]).default("all"),
11});
12
13export async function GET(request: NextRequest) {
14  const searchParams = request.nextUrl.searchParams;
15
16  // Convert searchParams to object
17  const params = Object.fromEntries(searchParams.entries());
18
19  // Validate
20  const result = querySchema.safeParse(params);
21
22  if (!result.success) {
23    return NextResponse.json(
24      { error: "Invalid query parameters" },
25      { status: 400 }
26    );
27  }
28
29  const { page, limit, search, status } = result.data;
30
31  // Use validated params for database query
32  // ...
33}

[ [0xF0] ENVIRONMENT VARIABLE VALIDATION ]

Validate environment variables at startup

1// src/lib/env.ts
2
3import { z } from "zod";
4
5const envSchema = z.object({
6  // Required
7  DATABASE_URL: z.string().url(),
8  NEXTAUTH_SECRET: z.string().min(32),
9  NEXTAUTH_URL: z.string().url(),
10
11  // Optional with defaults
12  NODE_ENV: z
13    .enum(["development", "production", "test"])
14    .default("development"),
15
16  // Conditional (required in production)
17  STRIPE_SECRET_KEY: z.string().startsWith("sk_").optional(),
18  STRIPE_WEBHOOK_SECRET: z.string().startsWith("whsec_").optional(),
19});
20
21// Validate at build/startup time
22const parsed = envSchema.safeParse(process.env);
23
24if (!parsed.success) {
25  console.error("❌ Invalid environment variables:");
26  console.error(parsed.error.flatten().fieldErrors);
27  throw new Error("Invalid environment variables");
28}
29
30export const env = parsed.data;

[ [0xBB] CUSTOM TRANSFORMATIONS ]

Transform and sanitize data during validation

1import { z } from "zod";
2
3const userInputSchema = z.object({
4  // Trim and lowercase email
5  email: z
6    .string()
7    .email()
8    .transform((val) => val.toLowerCase().trim()),
9
10  // Sanitize name
11  name: z
12    .string()
13    .transform((val) => val.trim().replace(/\s+/g, " ")),
14
15  // Parse JSON string
16  metadata: z
17    .string()
18    .transform((val, ctx) => {
19      try {
20        return JSON.parse(val);
21      } catch {
22        ctx.addIssue({
23          code: z.ZodIssueCode.custom,
24          message: "Invalid JSON",
25        });
26        return z.NEVER;
27      }
28    }),
29
30  // Convert string to array
31  tags: z
32    .string()
33    .transform((val) => val.split(",").map((s) => s.trim())),
34});

Next Steps

[ [0x00] AUDIT LOGGING ]

DESC: Track all security-relevant events

[ [0x00] API ROUTES ]

DESC: Build secure API endpoints

Features

[ [0x01] TYPE_SAFE ]

STATUS: READY

DESC: Full TypeScript inference from your schemas.

[ [0x02] API_VALIDATI ]

STATUS: READY

DESC: Validate request and response bodies.

[ [0x03] FORM_VALIDAT ]

STATUS: READY

DESC: Works with react-hook-form out of the box.

[ [0x04] ENV_VALIDATI ]

STATUS: READY

DESC: Validate environment variables at startup.

Usage

[ [0x84] BASIC ZOD SCHEMA ]

Define schemas to validate data

1// src/lib/validations/user.ts
2
3import { z } from "zod";
4
5export const userSchema = z.object({
6  email: z
7    .string()
8    .email("Invalid email address")
9    .min(1, "Email is required"),
10  password: z
11    .string()
12    .min(8, "Password must be at least 8 characters")
13    .regex(
14      /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)/,
15      "Password must contain uppercase, lowercase, and number"
16    ),
17  name: z
18    .string()
19    .min(2, "Name must be at least 2 characters")
20    .max(100, "Name must be less than 100 characters"),
21});
22
23// Infer TypeScript type from schema
24export type UserInput = z.infer<typeof userSchema>;

[ [0x36] API ROUTE VALIDATION ]

Validate request bodies in API routes

1// src/app/api/users/route.ts
2
3import { NextRequest, NextResponse } from "next/server";
4import { z } from "zod";
5
6const createUserSchema = z.object({
7  email: z.string().email(),
8  name: z.string().min(1).max(100),
9  role: z.enum(["user", "admin"]).default("user"),
10});
11
12export async function POST(request: NextRequest) {
13  try {
14    const body = await request.json();
15
16    // Validate request body
17    const result = createUserSchema.safeParse(body);
18
19    if (!result.success) {
20      return NextResponse.json(
21        {
22          error: "Validation failed",
23          details: result.error.flatten().fieldErrors,
24        },
25        { status: 400 }
26      );
27    }
28
29    // result.data is fully typed
30    const { email, name, role } = result.data;
31
32    // Create user with validated data
33    // ...
34
35    return NextResponse.json({ success: true });
36  } catch (_) {
37    return NextResponse.json(
38      { error: "Invalid JSON body" },
39      { status: 400 }
40    );
41  }
42}

[ [0xF5] COMMON VALIDATION PATTERNS ]

Reusable validation patterns for common fields

1// src/lib/validations/common.ts
2
3import { z } from "zod";
4
5// Email validation
6export const emailSchema = z
7  .string()
8  .email("Invalid email")
9  .toLowerCase()
10  .trim();
11
12// Password with strength requirements
13export const passwordSchema = z
14  .string()
15  .min(8, "Minimum 8 characters")
16  .max(128, "Maximum 128 characters")
17  .regex(/[a-z]/, "Must contain lowercase letter")
18  .regex(/[A-Z]/, "Must contain uppercase letter")
19  .regex(/[0-9]/, "Must contain number")
20  .regex(/[^a-zA-Z0-9]/, "Must contain special character");
21
22// UUID validation
23export const uuidSchema = z.string().uuid("Invalid ID format");
24
25// URL validation
26export const urlSchema = z.string().url("Invalid URL").optional();
27
28// Phone number (basic)
29export const phoneSchema = z
30  .string()
31  .regex(/^\+?[1-9]\d{1,14}$/, "Invalid phone number");
32
33// Date validation
34export const dateSchema = z.coerce.date();
35
36// Pagination
37export const paginationSchema = z.object({
38  page: z.coerce.number().int().positive().default(1),
39  limit: z.coerce.number().int().min(1).max(100).default(20),
40});
41
42// Sort order
43export const sortSchema = z.object({
44  sortBy: z.string().optional(),
45  order: z.enum(["asc", "desc"]).default("desc"),
46});

[ [0xAB] FORM VALIDATION ]

Use schemas with react-hook-form

1"use client";
2
3import { useForm } from "react-hook-form";
4import { zodResolver } from "@hookform/resolvers/zod";
5import { z } from "zod";
6
7const contactSchema = z.object({
8  name: z.string().min(1, "Name is required"),
9  email: z.string().email("Invalid email"),
10  message: z.string().min(10, "Message must be at least 10 characters"),
11});
12
13type ContactForm = z.infer<typeof contactSchema>;
14
15export function ContactForm() {
16  const {
17    register,
18    handleSubmit,
19    formState: { errors },
20  } = useForm<ContactForm>({
21    resolver: zodResolver(contactSchema),
22  });
23
24  const onSubmit = (data: ContactForm) => {
25    // data is fully validated and typed
26    // Process validated data
27  };
28
29  return (
30    <form onSubmit={handleSubmit(onSubmit)}>
31      <div>
32        <input {...register("name")} placeholder="Name" />
33        {errors.name && (
34          <p className="text-destructive">{errors.name.message}</p>
35        )}
36      </div>
37
38      <div>
39        <input {...register("email")} placeholder="Email" />
40        {errors.email && (
41          <p className="text-destructive">{errors.email.message}</p>
42        )}
43      </div>
44
45      <div>
46        <textarea {...register("message")} placeholder="Message" />
47        {errors.message && (
48          <p className="text-destructive">{errors.message.message}</p>
49        )}
50      </div>
51
52      <button type="submit">Send</button>
53    </form>
54  );
55}

[ [0xE8] QUERY PARAMETER VALIDATION ]

Validate URL search params

1// src/app/api/items/route.ts
2
3import { NextRequest, NextResponse } from "next/server";
4import { z } from "zod";
5
6const querySchema = z.object({
7  page: z.coerce.number().int().positive().default(1),
8  limit: z.coerce.number().int().min(1).max(100).default(20),
9  search: z.string().optional(),
10  status: z.enum(["active", "inactive", "all"]).default("all"),
11});
12
13export async function GET(request: NextRequest) {
14  const searchParams = request.nextUrl.searchParams;
15
16  // Convert searchParams to object
17  const params = Object.fromEntries(searchParams.entries());
18
19  // Validate
20  const result = querySchema.safeParse(params);
21
22  if (!result.success) {
23    return NextResponse.json(
24      { error: "Invalid query parameters" },
25      { status: 400 }
26    );
27  }
28
29  const { page, limit, search, status } = result.data;
30
31  // Use validated params for database query
32  // ...
33}

[ [0xF0] ENVIRONMENT VARIABLE VALIDATION ]

Validate environment variables at startup

1// src/lib/env.ts
2
3import { z } from "zod";
4
5const envSchema = z.object({
6  // Required
7  DATABASE_URL: z.string().url(),
8  NEXTAUTH_SECRET: z.string().min(32),
9  NEXTAUTH_URL: z.string().url(),
10
11  // Optional with defaults
12  NODE_ENV: z
13    .enum(["development", "production", "test"])
14    .default("development"),
15
16  // Conditional (required in production)
17  STRIPE_SECRET_KEY: z.string().startsWith("sk_").optional(),
18  STRIPE_WEBHOOK_SECRET: z.string().startsWith("whsec_").optional(),
19});
20
21// Validate at build/startup time
22const parsed = envSchema.safeParse(process.env);
23
24if (!parsed.success) {
25  console.error("❌ Invalid environment variables:");
26  console.error(parsed.error.flatten().fieldErrors);
27  throw new Error("Invalid environment variables");
28}
29
30export const env = parsed.data;

[ [0xBB] CUSTOM TRANSFORMATIONS ]

Transform and sanitize data during validation

1import { z } from "zod";
2
3const userInputSchema = z.object({
4  // Trim and lowercase email
5  email: z
6    .string()
7    .email()
8    .transform((val) => val.toLowerCase().trim()),
9
10  // Sanitize name
11  name: z
12    .string()
13    .transform((val) => val.trim().replace(/\s+/g, " ")),
14
15  // Parse JSON string
16  metadata: z
17    .string()
18    .transform((val, ctx) => {
19      try {
20        return JSON.parse(val);
21      } catch {
22        ctx.addIssue({
23          code: z.ZodIssueCode.custom,
24          message: "Invalid JSON",
25        });
26        return z.NEVER;
27      }
28    }),
29
30  // Convert string to array
31  tags: z
32    .string()
33    .transform((val) => val.split(",").map((s) => s.trim())),
34});