I'm a big fan of how NestJS handle validation using class-validator library. There are many advantages of using an external library for validation. For most of the typical cases default integration via ValidationPipe
is good enough. But as you know, daily work likes to verify and challenge us.
A few days ago I had a specific need – I needed to validate something with ValidatorPipe and class-validator library, but one of the validation factors, was user ID. In this project, user ID is pulled out from JWT token, during the authorization process, and added to the request object.
My first thought was – just use the Injection Request Scope, like we can do it in NestJS services:
constructor(@Inject(REQUEST) private request: Request) {}
Obviously – it doesn't work, otherwise this article wouldn't be here. Here is a short explanation made by NestJS creator, Kamil Myśliwiec:
Ok. So, there is basically no simple way to get request object data in custom validation constraint. But there is a way around! Not perfect, but it works. And if it can't be pretty, at least it should do its job. What steps we need to take, to achieve it?
- Create Interceptor, which will add the User Object to the request type you need (Query, Body or Param)
- Write your Validator Constraint, Extended Validation Arguments interface, use the User data you need.
- Create Pipe, which will strip the request type object from User data context.
- Create the appropriate decorators, one for each type of request.
- Use newly created decorators in Controllers, when you need to "inject" User data to your validation class.
Not great, not terrible. Right?
Interceptor
Create Interceptor, which will add User Object to request type you need (Query, Body or Param). For the demonstration purposes, I assume you store your User Object in request.user
attribute.
export const REQUEST_CONTEXT = '_requestContext';
@Injectable()
export class InjectUserInterceptor implements NestInterceptor {
constructor(private type?: Nullable<'query' | 'body' | 'param'>) {}
intercept(context: ExecutionContext, next: CallHandler): Observable<any> {
const request = context.switchToHttp().getRequest();
if (this.type && request[this.type]) {
request[this.type][REQUEST_CONTEXT] = {
user: request.user,
};
}
return next.handle();
}
}
Custom validation decorator
Write your Validator Constraint and custom decorator, Extended Validation Arguments interface, use the User data you need.
@ValidatorConstraint({ async: true })
@Injectable()
export class IsUserCommentValidatorConstraint implements ValidatorConstraintInterface {
constructor(private commentsRepository: CommentsRepository) {}
async validate(commentId: number, args?: ExtendedValidationArguments) {
const userId = args?.object[REQUEST_CONTEXT].user.id;
if (userId && Number.isInteger(commentId)) {
const comment = await this.commentsRepository.findByUserId(userId, commentId); // Checking if comment belongs to selected user
if (!comment) {
return false;
}
}
return true;
}
defaultMessage(): string {
return 'The comment does not belong to the user';
}
}
export function IsUserComment(validationOptions?: ValidationOptions) {
return function (object: any, propertyName: string) {
registerDecorator({
name: 'IsUserComment',
target: object.constructor,
propertyName: propertyName,
options: validationOptions,
validator: IsUserCommentValidatorConstraint,
});
};
}
If you don't know how to inject dependencies into a custom validator in class-validator library, this article can help you.
My ExtendedValidationArguments
interface looks like this:
export interface ExtendedValidationArguments extends ValidationArguments {
object: {
[REQUEST_CONTEXT]: {
user: IUser; // IUser is my interface for User class
};
};
}
It allows me to use valid typing in ValidatorConstraint
. Without it, TypeScript will print out an error, that the _requestContext
property doesn't exist.
Stripping Pipe
Create Pipe, which will strip the request type object from User data context. If we don't do that, our DTO object will contain attached previously request data. We don't want that to happen. I'm using here one of the lodash
function – omit(). It allows removing chosen properties from an object.
@Injectable()
export class StripRequestContextPipe implements PipeTransform {
transform(value: any) {
return omit(value, REQUEST_CONTEXT);
}
}
New decorators
Creating new decorators is not necessary, but it's definitely a more clean and DRY approach than manually adding Interceptors and Pipes to the methods. We're going to use NestJS built-in function – applyDecorators
, which allows merging multiple different decorators into a new one.
export function InjectUserToQuery() {
return applyDecorators(InjectUserTo('query'));
}
export function InjectUserToBody() {
return applyDecorators(InjectUserTo('body'));
}
export function InjectUserToParam() {
return applyDecorators(InjectUserTo('params'));
}
export function InjectUserTo(context: 'query' | 'body' | 'params') {
return applyDecorators(UseInterceptors(new InjectUserInterceptor(context)), UsePipes(StripRequestContextPipe));
}
To add your user data, just decorate your controller's method with one of the above decorators.
@InjectUserToParam()
async edit(@Param() params: EditParams){}
Now, if you wanted to use your IsUserComment
decorator in EditParams
, you will be able to access injected user data.
export class EditParams {
@IsUserComment()
commentId: number;
}
And that's all! You can use this method, to add any data from the request object to your custom validation class. Hope you find it helpful!
You can find an example repository on my GitHub.
In case you use in your ValidationPipe
whitelist: true
parameter, and above example doesn't work for you – check this issue.
This article is highly inspired by the idea I've found in this comment on GitHub.
PS. It's just proof of concept, and this comment ownership validation is a simple example of usage.
Top comments (21)
You can go a step forward and use request context.
npmjs.com/package/@medibloc/nestjs...
Thanks for your tips, it helped me.
this is not working ValidationArguments does not hold REQUEST_CONTEXT
There was obviously typo in decorator composition class. Instead of
AddUseTo
, there should beInjectUserTo
. Please try if it works for you now.Are you sure you created interceptor, which injects the REQUEST_CONTEXT? I'm using similar code in my production-ready app and it works for me.
yes i am using but its not working btw.I did exactly the way you said
even console logged the args but REQUEST_CONTEXT returns undefined
@monirul017 @avantar
I had exactly same problem and after investigating it is happening because of
{whitelist: true}
of ValidationPipe and when you set it to false it will working properly but I didn't continue in this way because I want to whitelist the properties so temporary I added_requestContext
to the related DTO file that I used in my controller and added it as an @IsOptional() decoratorIgnore "\" from the above code.
For others trying to use this article as a solution continue using from attached repository.
At the end thank you @avantar for your solution.
Thank you, @siavash_habil! This can be helpful as well.
github.com/AvantaR/nestjs-validati...
@avantar This is almost happened at the same time for both of us because I solved it about 20 hours ago. :)
Thank you for sharing.
What a coincidence! Magic 🎉
Have you considered using a Symbol instead of a string for the
REQUEST_CONTEXT
constant?export const REQUEST_CONTEXT = Symbol('REQUEST_CONTEXT');
In this case, you will not need to do this
omit(value, REQUEST_CONTEXT);
this is awesome but not sure if i want to use this !! not a clean solution
Totally agree, but sometimes we need to do something dirty way 🤷♂️ Thanks for your feedback! 🙏
When using @ValidateNested(), the
args?.object[REQUEST_CONTEXT]
is undefined because the context passed to the nested validation is not the same as the one at the top level.ValidationArguments does not hold REQUEST_CONTEXT when using nested validation object
Hey! Thank you for a great article!
Thanks! Glad you like it! 🙏
Did you ever managed to port a similar approach to graphql in Nest? Namely, to have access to part or even whole gql context inside validator or validation rule?
Hi!
No, I haven't tried to use it with GraphQL, sorry.
It didn’t work if I request data with multipart/form-data. Is there any solution for form data request.
stackoverflow.com/a/75139788
Maybe it's late but I found the solution for inject current user into body when using form-data
I have tested and it works perfectly for me