Only allow fields that are defined. Deny other fields in body. #809

Closed
ammo8600 opened this issue Dec 6, 2019 · 12 comments · Fixed by #1204
Comments

@ammo8600

ammo8600 commented Dec 6, 2019

I am looking for something that only allows the fields defined in the chain, but returns an error on fields that are not required.

Like, if I require only body('username').exists(), it should only accept the username field; any other field may return an error.

Is there something i can do?

@sergeytangyan

sergeytangyan commented Dec 11, 2019

I can't find this feature either. There should be a way to remove/prevent extra fields.

UPDATE
nvm, there is a workaround:

matchedData(req, { locations: ['body'], includeOptionals: true });

@gustavohenke
Member

@ammo8600 does @sergeytangyan's solution work for you?

@igbominadeveloper

igbominadeveloper commented May 19, 2020

@gustavohenke I am thinking of adding support for passing stripUnknown: true to the function
matchedData(req, { locations: ['body'], includeOptionals: true, stripUnknown: true });
like this. So that express-validator just removes any fields that are not in the schema definition from the request body.
Should I have a go at it?

@liqiang372
Member

I think the request from OP is doable if we can enhance the validationResult API a bit, like:

validationResult(req, {strictParams: true}) // will generate errors if params is not in validation chain or checkSchema

The tricky part would be that we need to check the locations body, cookies, headers, params and query. It's not feasible to know which keys are unaccepted, especially in cookies and headers, as they have a lot of their own key-value pairs.

And I think body and params are the most frequently used ones, so probably we can allow users to pass in locations as an option to only enumerate key-values there to compare if unwanted keys are present.

validationResult(req, {strictParams: ['body']})

What do you think @gustavohenke

@ammo8600
Author

@ammo8600 does @sergeytangyan's solution work for you?

Yeah, it serves the purpose.

@rezicosta

rezicosta commented Nov 9, 2022

I can't find this feature either. There should be a way to remove/prevent extra fields.

UPDATE nvm, there is a workaround:

matchedData(req, { locations: ['body'], includeOptionals: true });

Works, but only with non array fields. Is there a workaround to also match array fields?

Note: the solution works for non-optional arrays. Optional arrays are neglected, and the full passed-in data is returned from matchedData.

@jaeger-dvlp

Hey, I found a workaround with the help of Copilot, using matchedData after validationResult.

const { validationResult, matchedData } = require('express-validator');

const Validator = (req, res, next) => {
  // Errors from the validation chains that ran before this middleware.
  const errors = validationResult(req);
  // Only the fields that some validation chain matched.
  const data = matchedData(req);

  // Validate the required fields first.
  if (!errors.isEmpty()) {
    return res.status(422).send({
      status: 'error',
      errors: errors.array({ onlyFirstError: true, flatten: true }),
    });
  }

  // If the fields are valid, then check for unwanted fields by comparing
  // the number of matched keys with the number of keys in the body.
  if (Object.keys(data).length !== Object.keys(req.body).length) {
    return res.status(400).send({
      status: 'error',
      message: 'Invalid request body.',
    });
  }

  return next();
};

Yes, it's not that secure because it only checks the field length. At least it's better than nothing.

@gustavohenke
Member

@jaeger-dvlp but also your solution would not check deeper levels, e.g. if foo.bar is allowed but not foo.baz
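As an added example (not code from this thread or from express-validator), here is a key-path comparison that covers the two gaps raised above: it walks nested objects and arrays instead of comparing key counts, so `foo.baz` is reported even when `foo.bar` is allowed and the counts agree. `allowed` is assumed to be the object `matchedData(req, { includeOptionals: true })` returns, `actual` is `req.body`, and `getMatched` is a hypothetical stand-in so the file runs without express installed; the sample objects are constructed for illustration.

```javascript
// Added example: report request-body key paths that validation did not match.
// Assumes `allowed` is what matchedData returned and `actual` is req.body.

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Returns dotted paths (array items as `items[2]`) present in `actual` but not
// in `allowed`. Recurses into nested objects and arrays, unlike a length check.
function unknownPaths(allowed, actual, prefix = '') {
  const unknown = [];
  if (Array.isArray(actual)) {
    actual.forEach((item, i) => {
      const path = `${prefix}[${i}]`;
      const allowedItem = Array.isArray(allowed) ? allowed[i] : undefined;
      if (allowedItem === undefined) unknown.push(path);
      else unknown.push(...unknownPaths(allowedItem, item, path));
    });
    return unknown;
  }
  if (isPlainObject(actual)) {
    for (const key of Object.keys(actual)) {
      const path = prefix ? `${prefix}.${key}` : key;
      if (!isPlainObject(allowed) || !Object.prototype.hasOwnProperty.call(allowed, key)) {
        unknown.push(path);
      } else {
        unknown.push(...unknownPaths(allowed[key], actual[key], path));
      }
    }
  }
  return unknown; // scalars carry no keys, nothing to report
}

// Middleware-shaped wrapper (hypothetical): `getMatched(req)` stands in for
// matchedData so this file does not depend on express-validator.
function rejectUnknownFields(getMatched) {
  return (req, res, next) => {
    const extra = unknownPaths(getMatched(req), req.body);
    if (extra.length > 0) {
      // Naming the offending paths helps when triaging rejected requests in logs.
      return res.status(400).send({ status: 'error', unknownFields: extra });
    }
    return next();
  };
}

// Constructed sample: matched data vs. a body carrying a nested extra key.
const sampleAllowed = { user: { name: 'a' }, items: [{ id: 1 }] };
const sampleBody = { user: { name: 'a', role: 'x' }, items: [{ id: 1, q: 2 }, { id: 3 }] };
console.log(unknownPaths(sampleAllowed, sampleBody));
```

Optional arrays that matchedData does not return at all (the case noted earlier in the thread) surface here as the whole array path, e.g. `items`.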

@gustavohenke gustavohenke added this to the v7.0.0 milestone Jan 14, 2023
@gustavohenke
Member

By the way everybody, I'm working on this for v7 right now 🙂

@gustavohenke gustavohenke linked a pull request Feb 18, 2023 that will close this issue
@gustavohenke
Member

Hi hi, https://github.com/express-validator/express-validator/releases/tag/v7.0.0 is out with a fix for this 🙂

@GuilhermeLessa

@gustavohenke I'm just here to say thank you, you are doing a beautiful job here. Br rules \o/

@chlorophant

Is there a way to do this with a request body schema? Docs don't seem to mention it.

9 participants