flowchart LR
S["π· <b>Schema</b><br/><i>Pydantic / Zod</i>"]
S --> V["β
<b>Request &<br/>Response Validation</b>"]
S --> T["π <b>Type Safety</b><br/><i>IDE autocomplete</i>"]
S --> D["π <b>OpenAPI / JSON Schema</b>"]
D --> UI["π <b>Interactive Docs</b><br/><i>/docs • Swagger UI</i>"]
D --> CG["βοΈ <b>Client Code<br/>Generation</b>"]
style S fill:#e3f2fd,stroke:#1565c0,color:#0d47a1
style V fill:#e8f5e9,stroke:#2e7d32,color:#1b5e20
style T fill:#e8f5e9,stroke:#2e7d32,color:#1b5e20
style D fill:#fff3e0,stroke:#e65100,color:#bf360c
style UI fill:#fce4ec,stroke:#c62828,color:#b71c1c
style CG fill:#fce4ec,stroke:#c62828,color:#b71c1c
Parse, Donβt Pray: The Case for Data Validation
Indrajeet Patil
Source code: github.com/IndrajeetPatil/parse-dont-pray
What Youβll Learn
- Why data validation libraries are essential for robust applications
- Why validation is needed on both client and server (not just one)
- How Pydantic (Python) and Zod (TypeScript) improve code quality
- Benefits across readability, runtime behavior, typing, testing, and security
π― Goal
Create a validated type system that works at runtime, ensuring data actually matches your assumptions.
Examples assume a Python-TypeScript full-stack, but the principles apply to other stacks.
Python examples use from pydantic import * for brevity; prefer explicit imports in production.
Introduction
Why data validation matters
Dynamic vs Static Typing
Type systems differ in when they catch type errors.
Statically Typed (e.g., Java, C++, Rust)
- Types checked at compile time
- Type errors caught before runtime
- More verbose type declarations
- Compiler guarantees type safety
Dynamically Typed (e.g., Python, JavaScript)
- Types checked at runtime
- Type errors appear during execution
- More flexible, less verbose
- No compile-time type guarantees
Why validation matters more for dynamic languages:
Without compile-time checks, runtime validation ensures data integrity.
What is Data Validation?
Ensuring data meets specific criteria before use.
β Without validation libraries
Manual checks scattered throughout code:
- Type, range, and format checks written by hand
- Logic spreads across codebase
- Difficult to maintain and extend
β With validation libraries
Schemas automatically validate, parse, and type data:
- Centralized, self-documenting rules
- Automatic type coercion
- Detailed error messages
- Easier to maintain and evolve
Meet the Libraries
Benefits of Data Validation Libraries
Creating robust, maintainable applications
Readability
Self-documenting schemas that reduce cognitive load
Self-Documenting Schemas
import { z } from "zod";
const UserName = z.string().min(3).max(20);
const UserProfileSchema = z.object({
username: UserName,
email: z.string().email(),
age: z.number().int().min(18).max(120),
role: z.enum(["admin", "user", "guest"]),
isActive: z.boolean().default(true),
});
type UserProfile = z.infer<typeof UserProfileSchema>;The schema is the documentation β no separate docs needed!
Schema definition, validation logic, and type information live in one place β a single source of truth.
Declarative Syntax
Without Pydantic
# Imperative: Lots of manual checks
def validate_user(data):
if not isinstance(data.get('email'), str):
raise ValueError('Email must be string')
if '@' not in data['email']:
raise ValueError('Invalid email')
if not isinstance(data.get('age'), int):
raise ValueError('Age must be integer')
if data['age'] < 18 or data['age'] > 120:
raise ValueError('Age must be 18-120')
# ... and so onWithout Zod
// Imperative: Lots of manual checks
function validateUser(data: any) {
if (typeof data.email !== 'string') {
throw new Error('Email must be string');
}
if (!data.email.includes('@')) {
throw new Error('Invalid email');
}
if (typeof data.age !== 'number') {
throw new Error('Age must be number');
}
if (data.age < 18 || data.age > 120) {
throw new Error('Age must be 18-120');
}
// ... and so on
}Describes what the data should look like, not how to validate it.
Specific Types Over Generic
β
Best: AcmeEmailStr
- Domain-specific
- Business rule enforced
- Crystal clear intent
str β EmailStr β AcmeEmailStr = Increasing specificity = Better readability
Runtime Behavior
Catch errors early before they propagate
Automatic Validation
Schema Definition
Schema Definition
Data validated as it enters the system, catching errors early.
Data Coercion & Parsing
Schema Definition
Schema Definition
Handles common API/JSON data format conversions automatically!
Detailed Error Messages
Schema Definition
Schema Definition
Error Messages
const result = SignupFormSchema.safeParse({
username: "ab", // Too short
email: "not-an-email", // Invalid format
});
if (!result.success) {
console.log(result.error.format());
// Output:
// {
// "username": {
// "_errors": ["at least 3 character(s)"]
// },
// "email": { "_errors": ["Invalid email"] }
// }
}Specific, actionable feedback about whatβs wrong and where.
Typing
Type inference that bridges static and runtime worlds
Type Inference
Schema Definition
Type Inference
# Type checkers understand types automatically
def get_person_city(person: Person) -> str:
return person.address.city
# No separate type annotations needed
person = Person(
name="Alice",
age=30,
address=Address(
street="123 Main St",
city="Boston",
zipcode="02101"
)
)
city: str = get_person_city(person)Schema Definition
Type Inference
// Types automatically inferred from schema
type Person = z.infer<typeof PersonSchema>;
function getPersonCity(person: Person): string {
return person.address.city;
}
const person = PersonSchema.parse({
name: "Alice",
age: 30,
address: {
street: "123 Main St",
city: "Boston",
zipcode: "02101"
}
});
const city: string = getPersonCity(person);Schema is both validator and type definition!
End-to-End Type Safety
Schema Definition
Type-Safe Usage
def fetch_data_from_api() -> ApiResponse:
raw_response = requests.get(
"https://api.example.com/data"
).json()
# Validates runtime data
return ApiResponse(**raw_response)
def process_response(response: ApiResponse) -> None:
# Type-safe throughout
if response.status == "success":
for item in response.data:
process_item(item)
response = fetch_data_from_api()
process_response(response)Schema Definition
Type-Safe Usage
async function fetchDataFromApi(): Promise<ApiResponse> {
const rawResponse = await fetch(
"https://api.example.com/data"
);
const json = await rawResponse.json();
// Validates runtime data
return ApiResponseSchema.parse(json);
}
function processResponse(response: ApiResponse): void {
// Type-safe throughout
if (response.status === "success") {
for (const item of response.data) {
processItem(item);
}
}
}External data is validated before entering your type-safe code!
Testing
Reduce test burden with built-in validation
Reduced Test Burden
Without Pydantic
With Pydantic
Without Zod
With Zod
import { z } from "zod";
const UserSchema = z.object({
email: z.string().email(),
age: z.number().min(18).max(120),
});
type User = z.infer<typeof UserSchema>;
// Only test business logic, not validation
describe("User permissions", () => {
it("admin has delete permission", () => {
const admin = UserSchema.parse({
email: "a@test.com", age: 30,
});
expect(admin.hasPermission("delete_users")).toBe(true);
});
});
// Validation is covered by Zod itself.Validation testing is delegated to the well-tested library!
Easy Mock Data Generation
from pydantic import *
from hypothesis import given
from hypothesis.strategies import builds
class Product(BaseModel):
name: str = Field(min_length=1, max_length=100)
price: PositiveFloat = Field(le=10000)
# Hypothesis auto-generates valid instances from the schema
@given(builds(Product))
def test_product_discount(product):
discounted = apply_discount(product, 0.1)
assert discounted.price < product.priceimport { z } from "zod";
import { faker } from "@faker-js/faker";
const ProductSchema = z.object({
name: z.string().min(1).max(100),
price: z.number().positive().max(10000),
});
type Product = z.infer<typeof ProductSchema>;
// Faker generates valid test data matching the schema
function generateProduct(): Product {
return ProductSchema.parse({
name: faker.commerce.productName(),
price: faker.number.float({ min: 0.01, max: 10000 }),
});
}Generate hundreds of valid test cases from your schema!
Security
Prevent vulnerabilities through validation
Input Sanitization
Schema Definition
Schema Definition
Attackers canβt inject fields to escalate privileges!
Type Confusion Prevention
Schema Definition
Type Confusion Prevention
# β
Valid payment
PaymentRequest(
user_id="USR-123",
amount=10.0,
currency="USD"
)
# π« String instead of float blocked
PaymentRequest(
user_id="USR-123",
amount="0.01 OR 1=1", # Attack!
currency="USD"
)
# π« Array instead of string blocked
PaymentRequest(
user_id=["USR-123", "ADMIN"], # Attack!
amount=10.0,
currency="USD"
)Schema Definition
Type Confusion Prevention
// β
Valid payment
PaymentRequestSchema.parse({
userId: "USR-123",
amount: 10.0,
currency: "USD",
});
// π« String instead of number blocked
PaymentRequestSchema.parse({
userId: "USR-123",
amount: "0.01 OR 1=1", // Attack!
currency: "USD",
});
// π« Array instead of string blocked
PaymentRequestSchema.parse({
userId: ["USR-123", "ADMIN"], // Attack!
amount: 10.0,
currency: "USD",
});Use strict schemas at trust boundaries; coerce only when intentional.
Size & Range Limits
Schema Definition
from pydantic import *
from typing import Annotated
class CommentSubmission(BaseModel):
post_id: str
author: str = Field(min_length=1, max_length=50)
content: str = Field(min_length=1, max_length=5000)
tags: list[Annotated[str, Field(max_length=30)]] = Field(max_length=10)
rating: int = Field(ge=1, le=5)Schema Definition
DoS Attack Prevention
// π« Massive content blocked
CommentSubmissionSchema.parse({
postId: "POST-123",
author: "attacker",
content: "X".repeat(1_000_000), // 1MB!
tags: Array(1000).fill("spam"), // 1000 tags!
rating: 999, // Out of range!
});
// Errors:
// - content: max 5000 character(s)
// - tags: max 10 element(s)
// - rating: max 5Limit input sizes to prevent memory/storage exhaustion attacks!
Full-Stack Validation
Client + Server validation for UX and security
Why Both Sides Matter
β Client-Only Validation
Frontend never ran β attacker sends "admin" directly. Without server validation, this is privilege escalation.
Client validation is for UX (fast feedback), not security.
β οΈ Server-Only Validation
No client-side checks means every mistake requires a server round trip:
- Submit β βEmail invalidβ β fix β resubmit
- βAge too lowβ β fix β resubmit
- Finally succeeds after 3 round trips
Server validation is mandatory for security, but without client validation, users get a frustrating trial-and-error experience.
Additional Benefits
More advantages of using validation libraries
API Design & Documentation
One schema drives validation, types, and documentation.
API docs generated from schemas, always accurate!
Immutable Configs: Validate Once, Done
Validate once at startup, use confidently everywhere without re-checking.
Summary
Creating a validated type system that works at runtime
Key Takeaways
Data validation libraries like Pydantic and Zod transform how we build applications:
Readability: Self-documenting schemas that serve as single source of truth
Runtime Safety: Catch errors at system boundaries before they propagate
Type Safety: Bridge the gap between static types and runtime data
Testing: Reduce test burden and generate mock data easily
Security: Prevent injection, mass assignment, and DoS attacks
Parse, donβt pray! Validate data at boundaries and trust it throughout your application.
Thank You
And Happy Parsing! π
Check out my other slide decks on software development best practices