Facebook Pixel

Why not validate in controllers?

It duplicates logic across controllers. Validation in a middleware is applied per route and reusable. Controllers should focus on business logic, not validation.

Verify This Answer

Cross-check this information using these trusted sources:

More FAQs in Common Validation Mistakes in Express (and How to Fix Them)

No validation at all, only validating the body (forgetting params and query), not replacing req.body with parsed data, no type coercion, validating in controllers (duplication), validating too late, generic error messages, not handling Mongoose ValidationErrors, no runValidators on updates, and trusting client-side validation.

Invalid params (e.g., a non-24-char ObjectId) crash Mongoose. Invalid query (e.g., a non-numeric skip) breaks pagination. Validate all three with separate factories: validate, validateParams, validateQuery.

Because Zod coerces types (string to number, defaults, transforms). If you keep the original req.body, downstream code uses uncoerced strings. Replace req.body = result.data so the handler sees the parsed, coerced data.

Still have questions?

Browse all our FAQs or reach out to our support team

Want to upskill yourself?

Our courses are taking a Coffee break, but your curiosity shouldn't. Stay engaged with namastedev linkedin, youtube, discord and other resources while you wait.

0
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.