Let's suppose we have the following architecture.
A lib (npm library) that validates some data:
So for instance, the RegisterForm has the fields (name, email and password). The RegisterForm imports the library (validator) that validates the data (name, email and password):
import registerValidator from 'validator'

onSubmit(values) {
  if (registerValidator.validate(values)) {
    // Is valid, we can register new user...
  }
}
One of the rules that should be followed before the user can be registered is that the e-mail address should be unique in our database.
The question is: should this rule live in the validator library? Or in onSubmit, after the data is valid, something like this:
import registerValidator from 'validator'

onSubmit(values) {
  if (registerValidator.validate(values)) {
    // perform fetch operation to check on our database if the email was already taken
    // Is valid, we can register new user...
  }
}
Or this:
import registerValidator from 'validator'
import isUniqueEmail from 'api/user';

async onSubmit(values) {
  if (registerValidator.validate(values)) { // Is valid e-mail
    // renamed so the result does not shadow the imported function
    const emailIsUnique = await isUniqueEmail(values.email); // is not taken yet
    if (emailIsUnique) {
      // Is valid, we can register new user...
    }
  }
}
I know that the POST method for the user register should check this, but this is only an example to ask where the rule `e-mail must be unique` should be placed.
Considering any script kiddie can pimp-slap aside client-side scripting, this is something you MUST do server-side, even if you have a client-side aid.
This is really none of the UI's business in terms of the security functionality, since again, one script kiddie swapping your app to developer mode -- or client-side JS via Tampermonkey if this is running in a browser -- can kick that client-side check right in the groin.
ANY 'validation' you do via the submit event should be thought of in those terms: it is an enhancement and convenience, but should NEVER be used for actual functionality or security checks. Basically, if you want good practices, you should write it to work as if client-side scripting (or even HTML5-level) checks do not even exist FIRST.
Paulo Guarnier De Mitri
The backend will check for the uniqueness of the email and throw a 409 or 422 response (if you are dealing with REST).
That way your UI will receive those error codes and show the appropriate error.
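Putting the two answers together, here is an added example (not code from the question or either answer) of a server-side registration handler that owns the validation and the uniqueness rule and maps the outcomes to 422 and 409. The `validateRegister` function is a hypothetical stand-in for the question's `registerValidator.validate`, and `createUserStore` is a constructed in-memory table standing in for the database.

```javascript
// Added example, not code from the question or answers: the POST /users
// handler owns every rule, including "e-mail must be unique"; a client-side
// validator is only a convenience. `validateRegister` is a hypothetical
// stand-in for registerValidator.validate; the store is a constructed table.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function validateRegister(values) {
  const v = values || {};
  const errors = {};
  if (typeof v.name !== 'string' || v.name.trim() === '') errors.name = 'required';
  if (typeof v.email !== 'string' || !EMAIL_RE.test(v.email)) errors.email = 'invalid';
  if (typeof v.password !== 'string' || v.password.length < 8) errors.password = 'too short';
  return errors;
}

// Case-insensitive comparison so "A@x.com" and "a@x.com" count as one address.
function normalizeEmail(email) {
  return email.trim().toLowerCase();
}

// The unique index is the real guarantee; exists() only yields a friendly
// message, since two concurrent requests can both pass it before insert.
function createUserStore() {
  const byEmail = new Map();
  return {
    exists: (email) => byEmail.has(normalizeEmail(email)),
    insert(user) {
      const key = normalizeEmail(user.email);
      if (byEmail.has(key)) throw new Error('UNIQUE_VIOLATION');
      byEmail.set(key, user);
    },
  };
}

// Request body in, { status, body } out, so it runs without an HTTP server:
// 422 for invalid fields, 409 for a taken e-mail, 201 on success.
function registerHandler(store, body) {
  const errors = validateRegister(body);
  if (Object.keys(errors).length > 0) return { status: 422, body: { errors } };
  const taken = { status: 409, body: { errors: { email: 'already taken' } } };
  if (store.exists(body.email)) return taken;
  try {
    store.insert({ name: body.name, email: body.email });
  } catch (e) {
    if (e.message === 'UNIQUE_VIOLATION') return taken; // lost the race
    throw e;
  }
  return { status: 201, body: { email: normalizeEmail(body.email) } };
}
```

The client's onSubmit can still run the same validator for instant feedback, but it only needs to render whatever the 409/422 body reports.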