feat: add zod validation for auth routes

Author: Likhi2005

backend/package.json

@@ -20,7 +20,8 @@
     "express-session": "^1.18.1",
     "mongoose": "^8.8.2",
     "passport": "^0.7.0",
-    "passport-local": "^1.0.0"
+    "passport-local": "^1.0.0",
+    "zod": "^4.4.3"
   },
   "devDependencies": {
     "nodemon": "^3.1.9"

backend/routes/auth.js

@@ -1,12 +1,14 @@
 const express = require("express");
 const passport = require("passport");
 const User = require("../models/User");
+const { signupSchema, loginSchema } = require("../validators/authValidator");
+const { validateRequest } = require("../validators/validationRequest");
 const router = express.Router();
 
 // Signup route
-router.post("/signup", async (req, res) => {
+router.post("/signup", validateRequest(signupSchema), async (req, res) => {
 
-    const { username,  email, password } = req.body;
+    const { username,  email, password } = req.validated;
 
     try {
         const existingUser = await User.findOne( {email} );
@@ -23,7 +25,7 @@ router.post("/signup", async (req, res) => {
 });
 
 // Login route
-router.post("/login", passport.authenticate('local'), (req, res) => {
+router.post("/login", validateRequest(loginSchema), passport.authenticate('local'), (req, res) => {
     res.status(200).json( { message: 'Login successful', user: req.user } );
 });
 

backend/validators/authValidator.js

@@ -0,0 +1,36 @@
+const { z } = require("zod");
+
+const signupSchema = z.object({
+    username: z.string()
+        .min(3, "Username must be at least 3 characters long")
+        .max(30, "Username must be at most 30 characters long")
+        .regex(/^[a-zA-Z0-9_]+$/, "Username can only contain letters, numbers, and underscores")
+        .trim(),
+    
+    email: z.string()
+        .email("Invalid email address")
+        .toLowerCase()
+        .trim(),
+
+    password: z.string()
+        .min(8, "Password must be at least 8 characters long")
+        .max(100, "Password must be at most 100 characters long")
+        .regex(
+            /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]/,
+            'Password must contain uppercase, lowercase, number, and special character'
+        ),
+});
+
+
+const loginSchema = z.object({
+    email: z.string()
+        .email("Invalid email address")
+        .toLowerCase()
+        .trim(),
+    password: z.string()
+        .min(8, "Password must be at least 8 characters long")
+        .max(100, "Password must be at most 100 characters long")
+});
+
+
+module.exports = { signupSchema, loginSchema };

backend/validators/validationRequest.js

@@ -0,0 +1,19 @@
+const validateRequest = (schema) => (req,res, next) => {
+    const result = schema.safeParse(req.body);
+
+    if(!result.success) {
+        return res.status(400).json({
+            success: false,
+            message: 'Validation failed',
+            errors: result.error.issues.map((err) => ({
+                field: err.path.join('.'),
+                message: err.message,
+            })),
+        });
+    }
+
+    req.validated = result.data;
+    next();
+}
+
+module.exports = { validateRequest };