feat: implement validation middleware tests with tests and docs

[Johnsmichael150]

Summary

Adds comprehensive unit tests for all three validation middleware layers and the core validation engine. Also fixes a missing zod runtime dependency.

Changes

File	Change
src/middleware/validation.test.ts	New — 15 unit tests for validateRequest, validateParams, validateQuery
src/middleware/requestValidation.test.ts	New — 22 unit tests for createRequestValidationMiddleware
src/middleware/validate.middleware.test.ts	Expanded — 11 tests (was 3) for validateSchema
src/validation/requestSchema.test.ts	Expanded — 28 tests (was 7) for validateSegment
docs/backend/validation-middleware-tests.md	New — test coverage and security notes
package.json / package-lock.json	Added missing zod runtime dependency

Test Coverage

validateRequest / validateParams / validateQuery (validation.ts)

• Valid input calls next() with no arguments
• ZodError returns 400 with field-level details
• Non-Zod errors return 400 with generic message (no stack leakage)
• Type coercion attack (string-as-number) rejected
• .strict() schemas reject extra fields

createRequestValidationMiddleware (requestValidation.ts)

• Valid inputs across body, query, params
• Partial schemas (body-only, query-only, etc.)
• Unknown field rejection on all three segments
• Required field enforcement
• Type mismatches: string/number/boolean
• Constraint violations: minLength, maxLength, min, max, enum, pattern
• Non-object segments (array, null) rejected
• Aggregated errors from all segments in one response

validateSchema (validate.middleware.ts)

• Combined body/query/params validation
• Strict schema extra-field rejection
• Invalid UUID in params
• Non-Zod errors forwarded to next(error), not serialized to client

validateSegment (requestSchema.ts)

• NaN, Infinity, -Infinity rejected as non-finite
• null treated as missing for required fields
• Array and null segments rejected before field validation
• Segment name propagated correctly in all error messages
• Empty schema rejects any incoming field

Security Notes

• Unknown fields are always rejected — prevents field injection and prototype pollution
• Strict type checking prevents query-string type coercion attacks
• Non-finite numbers rejected to prevent downstream arithmetic errors
• Non-Zod errors never serialized to client — no stack trace leakage

How to Test

npm test -- --testPathPatterns="src/middleware/validation\.test$|src/middleware/requestValidation\.test$|src/middleware/validate\.middleware\.test$|src/validation/requestSchema\.test$"

Related

• Closes [Mike] 40. Validation middleware tests #90
• See docs/backend/validation-middleware-tests.md for full coverage reference
• See docs/backend/request-validation-framework.md for implementation details

[drips-wave]

@Johnsmichael150 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits