Robust Request Validation with Gin and Validator v10
James Reed
Infrastructure Engineer · Leapcell
Introduction: The Unseen Guard of Reliable APIs
In the realm of modern web development, APIs serve as the crucial gateways through which applications interact and exchange data. The health and reliability of an API are not merely judged by its speed or functionality, but fundamentally by the integrity of the data it processes. Mismatched or malformed input data can lead to a cascade of errors, ranging from incorrect database entries and unexpected application behavior to security vulnerabilities. Therefore, robust request data validation is not just a best practice; it's an indispensable component of building resilient and trustworthy backend services.
While frameworks like Gin provide excellent tools for routing and handling HTTP requests, they typically don't offer out-of-the-box, comprehensive data validation capabilities. This is where dedicated validation libraries shine, integrating seamlessly to ensure that incoming data adheres to predefined rules before business logic is ever touched. This article delves into how we can leverage the powerful combination of Gin and the widely-used go‐playground/validator v10 library in Go to construct elaborate and flexible request data validation logic, thereby safeguarding our applications and enhancing API quality.
Core Concepts and Implementation Details
Before we dive into the practical implementation, let's briefly clarify some core concepts that are central to our discussion:
- Gin: A high-performance HTTP web framework written in Go. It's known for its speed and minimalistic design, providing essential features for building web applications and APIs.
- Struct Tag: Metadata attached to struct fields in Go, typically used by reflection. In the context of
validator, struct tags define the validation rules for each field. go-playground/validator(v10): A Go struct and field validation library that supports features like cross-field validation, custom validators, and internationalization. It's highly configurable and efficient.- Custom Validation: The ability to define and register your own validation rules that go beyond the built-in ones provided by the
validatorlibrary. This is crucial for domain-specific business logic. - Cross-Field Validation: Validation rules that depend on the values of multiple fields within the same structure. For example, ensuring a
confirm_passwordfield matches thepasswordfield.
Setting Up the Environment
First, ensure you have Gin and Validator v10 installed:
go get github.com/gin-gonic/gin go get github.com/go-playground/validator/v10
Basic Request Validation
Let's start with a simple example of validating user registration data.
package main import ( "log" "net/http" "github.com/gin-gonic/gin" "github.com/go-playground/validator/v10" ) // UserRegisterRequest defines the structure for user registration data type UserRegisterRequest struct { Username string `json:"username" binding:"required,min=3,max=30"` Email string `json:"email" binding:"required,email"` Password string `json:"password" binding:"required,min=6"` } func main() { r := gin.Default() // Register a handler for user registration r.POST("/register", func(c *gin.Context) { var req UserRegisterRequest if err := c.ShouldBindJSON(&req); err != nil { // Handle validation errors var validationErrors validator.ValidationErrors if ok := c.Error.IsType(&validationErrors); ok { errorResponse := make(map[string]string) for _, fieldErr := range validationErrors { errorResponse[fieldErr.Field()] = fieldErr.Tag() } c.JSON(http.StatusBadRequest, gin.H{"error": "Validation failed", "details": errorResponse}) } else { // Handle other binding errors (e.g., malformed JSON) c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) } return } // If validation passes, process the request c.JSON(http.StatusOK, gin.H{"message": "User registered successfully", "user": req.Username}) }) log.Fatal(r.Run(":8080")) // Listen and serve on 0.0.8080 }
In this example:
- We define a
UserRegisterRequeststruct withjsontags for JSON unmarshalling andbindingtags for validation. binding:"required,min=3,max=30"means theUsernamefield is mandatory, must be at least 3 characters long, and at most 30 characters.binding:"required,email"ensuresEmailis mandatory and a valid email format.c.ShouldBindJSON(&req)attempts to bind the request body to our struct and automatically runs the validations defined by thebindingtags.- Error handling differentiates between validation errors (
validator.ValidationErrors) and other binding errors.
Integrating Custom Validation Rules
Sometimes, built-in validators aren't enough. Let's say we have a requirement that a username cannot be "admin" or "root". We can achieve this with a custom validator.
package main import ( "log" "net/http" "reflect" "github.com/gin-gonic/gin" "github.com/go-playground/validator/v10" ) // Create a global validator instance var validate *validator.Validate // isNotReserved checks if a string is not a reserved username func isNotReserved(fl validator.FieldLevel) bool { reservedUsernames := map[string]bool{ "admin": true, "root": true, } return !reservedUsernames[fl.Field().String()] } // UserRegisterRequest with custom validation type UserRegisterRequest struct { Username string `json:"username" binding:"required,min=3,max=30,notreserved"` // Added 'notreserved' Email string `json:"email" binding:"required,email"` Password string `json:"password" binding:"required,min=6"` } func main() { r := gin.Default() // Initialize the validator and register custom validation validate = validator.New() validate.RegisterValidation(`notreserved`, isNotReserved) // Custom type converter for binding to use our global validator instance if v, ok := binding.Validator.Engine().(*validator.Validate); ok { v.RegisterValidation("notreserved", isNotReserved) } r.POST("/register", func(c *gin.Context) { var req UserRegisterRequest if err := c.ShouldBindJSON(&req); err != nil { var validationErrors validator.ValidationErrors if ok := c.Error.IsType(&validationErrors); ok { errorResponse := make(map[string]string) for _, fieldErr := range validationErrors { errorResponse[fieldErr.Field()] = fieldErr.Tag() } c.JSON(http.StatusBadRequest, gin.H{"error": "Validation failed", "details": errorResponse}) } else { c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) } return } c.JSON(http.StatusOK, gin.H{"message": "User registered successfully", "user": req.Username}) }) log.Fatal(r.Run(":8080")) }
Here, we've introduced notreserved as a custom validation rule:
isNotReservedis a function that takesvalidator.FieldLeveland returnstrueif the field value is valid,falseotherwise.validate.RegisterValidation("notreserved", isNotReserved)registers this function with our validator instance.- We ensure Gin's
bindingengine uses our custom validator by checking its type and registering our custom rule. A more robust way to integrate a custom validator gracefully with Gin is to replace Gin's default validator.
Replacing Gin's Default Validator with a Custom One
For more control, especially with custom tags, it's best to replace Gin's default validator.
package main import ( "log" "net/http" "reflect" "strings" "github.com/gin-gonic/gin" "github.com/gin-gonic/gin/binding" "github.com/go-playground/validator/v10" ) // CustomValidator implements gin.Binding.Validator interface type CustomValidator struct { validator *validator.Validate } func (cv *CustomValidator) ValidateStruct(obj interface{}) error { if kind := reflect.TypeOf(obj).Kind(); kind == reflect.Ptr { obj = reflect.ValueOf(obj).Elem().Interface() } return cv.validator.Struct(obj) } func (cv *CustomValidator) Engine() interface{} { return cv.validator } // isNotReserved remains the same func isNotReserved(fl validator.FieldLevel) bool { reservedUsernames := map[string]bool{ "admin": true, "root": true, } return !reservedUsernames[fl.Field().String()] } // PasswordMatch checks if passwords match func PasswordMatch(fl validator.FieldLevel) bool { // Get the whole struct req := fl.Top().Interface().(UserRegisterRequest) return req.Password == req.ConfirmPassword } // UserRegisterRequest with custom and cross-field validation type UserRegisterRequest struct { Username string `json:"username" binding:"required,min=3,max=30,notreserved"` Email string `json:"email" binding:"required,email"` Password string `json:"password" binding:"required,min=6"` ConfirmPassword string `json:"confirm_password" binding:"required,eqfield=Password"` // Cross-field validation } func main() { r := gin.Default() // Initialize our custom validator and register rules validate := validator.New() validate.RegisterValidation("notreserved", isNotReserved) // Optionally, register a custom tag for cross-field validation if `eqfield` isn't expressive enough // validate.RegisterValidation("passwordmatch", PasswordMatch) // This could be an alternative to `eqfield` // Register field name tag func to use json tag as field names in errors validate.RegisterTagNameFunc(func(fld reflect.StructField) string { name := strings.SplitN(fld.Tag.Get("json"), ",", 2)[0] if name == "-" { return "" } return name }) // Replace Gin's default validator binding.Validator = &CustomValidator{validator: validate} r.POST("/register", func(c *gin.Context) { var req UserRegisterRequest if err := c.ShouldBindJSON(&req); err != nil { if validationErrors, ok := err.(validator.ValidationErrors); ok { errorResponse := make(map[string]string) for _, fieldErr := range validationErrors { // Use the custom field name from json tag errorResponse[fieldErr.Field()] = fieldErr.Tag() } c.JSON(http.StatusBadRequest, gin.H{"error": "Validation failed", "details": errorResponse}) } else { c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) } return } c.JSON(http.StatusOK, gin.H{"message": "User registered successfully", "user": req.Username}) }) log.Fatal(r.Run(":8080")) }
Notable changes and advanced features in this version:
CustomValidatorstruct: Implementsgin.Binding.Validatorinterface, allowing us to completely control the validation process with ourvalidatorinstance.binding.Validator = &CustomValidator{validator: validate}: This line replaces Gin's default validator with our custom one.eqfield=Password: This is a built-in cross-field validation rule fromvalidatorv10. It ensures thatConfirmPasswordis equal to thePasswordfield.validate.RegisterTagNameFunc: This is a powerful feature that allows us to map field names in validation errors. By default,validatoruses the struct field name (e.g.,Username). We're telling it to use thejsontag name (e.g.,username) instead, which generally leads to more user-friendly error messages when dealing with JSON APIs.
Application Scenarios
This combination of Gin and validator v10 is ideal for a wide array of scenarios:
- User Authentication and Authorization: Validating email formats, password strengths, and ensuring unique usernames.
- E-commerce Platforms: Checking product quantities, valid addresses, and payment information formats.
- APIs for IoT devices: Ensuring data from devices adheres to specific protocols and formats.
- Configuration APIs: Validating complex configuration structures before applying them.
- Form Submissions: Any web form requiring structured and validated input.
The ability to create custom validators allows developers to encapsulate complex business logic validations directly within their DTO (Data Transfer Object) structs, making the code cleaner, more maintainable, and easier to understand.
Conclusion: Fortifying Your API with Intelligent Validation
By deeply integrating go-playground/validator v10 with the Gin web framework, developers can construct sophisticated and highly customizable request data validation logic. This not only preemptively tackles malformed or invalid input, preventing cascading failures and ensuring data integrity, but also significantly improves the robustness, security, and overall reliability of your APIs. Intelligent validation is the unseen guardian of a stable application, turning potential chaos into predictable order.
Share this article
![x](data:image/svg+xml;utf8,<svg xmlns="http://www.w3.org/2000/svg" viewbox="0 0 64 64" width="64" height="64" fill-rule="evenodd"><g fill="%23ffffff"><path d="M0,0H64V64H0ZM0 0v64h64V0zm16 17.537h10.125l6.992 9.242 8.084-9.242h4.908L35.39 29.79 48 46.463h-9.875l-7.734-10.111-8.85 10.11h-4.908l11.465-13.105zm5.73 2.783 17.75 23.205h2.72L24.647 20.32z" /></g><g fill="%23000000"><path d="M0 0v64h64V0zm16 17.537h10.125l6.992 9.242 8.084-9.242h4.908L35.39 29.79 48 46.463h-9.875l-7.734-10.111-8.85 10.11h-4.908l11.465-13.105zm5.73 2.783 17.75 23.205h2.72L24.647 20.32z" /></g></svg>){kind=small}
![facebook](data:image/svg+xml;utf8,<svg xmlns="http://www.w3.org/2000/svg" viewbox="0 0 64 64" width="64" height="64" fill-rule="evenodd"><g fill="%23ffffff"><path d="M0,0H64V64H0ZM0 0v64h64V0zm39.6 22h-2.8c-2.2 0-2.6 1.1-2.6 2.6V28h5.3l-.7 5.3h-4.6V47h-5.5V33.3H24V28h4.6v-4c0-4.6 2.8-7 6.9-7 2 0 3.6.1 4.1.2z" /></g><g fill="%233b5998"><path d="M0 0v64h64V0zm39.6 22h-2.8c-2.2 0-2.6 1.1-2.6 2.6V28h5.3l-.7 5.3h-4.6V47h-5.5V33.3H24V28h4.6v-4c0-4.6 2.8-7 6.9-7 2 0 3.6.1 4.1.2z" /></g></svg>){kind=small}
![linkedin](data:image/svg+xml;utf8,<svg xmlns="http://www.w3.org/2000/svg" viewbox="0 0 64 64" width="64" height="64" fill-rule="evenodd"><g fill="%23ffffff"><path d="M0,0H64V64H0ZM0 0v64h64V0zm25.8 44h-5.4V26.6h5.4zm-2.7-19.7c-1.7 0-3.1-1.4-3.1-3.1s1.4-3.1 3.1-3.1 3.1 1.4 3.1 3.1-1.4 3.1-3.1 3.1M46 44h-5.4v-8.4c0-2 0-4.6-2.8-4.6s-3.2 2.2-3.2 4.5V44h-5.4V26.6h5.2V29h.1c.7-1.4 2.5-2.8 5.1-2.8 5.5 0 6.5 3.6 6.5 8.3V44z" /></g><g fill="%23007fb1"><path d="M0 0v64h64V0zm25.8 44h-5.4V26.6h5.4zm-2.7-19.7c-1.7 0-3.1-1.4-3.1-3.1s1.4-3.1 3.1-3.1 3.1 1.4 3.1 3.1-1.4 3.1-3.1 3.1M46 44h-5.4v-8.4c0-2 0-4.6-2.8-4.6s-3.2 2.2-3.2 4.5V44h-5.4V26.6h5.2V29h.1c.7-1.4 2.5-2.8 5.1-2.8 5.5 0 6.5 3.6 6.5 8.3V44z" /></g></svg>){kind=small}
![reddit](data:image/svg+xml;utf8,<svg xmlns="http://www.w3.org/2000/svg" viewbox="0 0 64 64" width="64" height="64" fill-rule="evenodd"><g fill="%23ffffff"><path d="M0,0H64V64H0ZM0 0v64h64V0zm53.344 32a4.67 4.67 0 0 0-7.903-3.2 22.77 22.77 0 0 0-12.32-3.937L35.2 14.88l6.848 1.441a3.2 3.2 0 0 0 3.02 2.852 3.2 3.2 0 1 0-2.602-4.805l-7.84-1.566a1 1 0 0 0-.754.136.98.98 0 0 0-.43.63l-2.37 11.105a22.8 22.8 0 0 0-12.477 3.937 4.672 4.672 0 1 0-5.152 7.648q-.06.704 0 1.407c0 7.168 8.351 12.992 18.656 12.992 10.3 0 18.656-5.824 18.656-12.992a9.4 9.4 0 0 0 0-1.406A4.68 4.68 0 0 0 53.344 32m-32 3.2a3.198 3.198 0 1 1 6.398 0 3.195 3.195 0 0 1-3.199 3.198c-1.766 0-3.2-1.43-3.2-3.199M39.938 44a12.3 12.3 0 0 1-7.907 2.465A12.3 12.3 0 0 1 24.13 44a.87.87 0 0 1 .055-1.16.87.87 0 0 1 1.16-.055A10.48 10.48 0 0 0 32 44.801a10.5 10.5 0 0 0 6.688-1.953.9.9 0 0 1 1.265.015.9.9 0 0 1-.016 1.266Zm-.579-5.473a3.2 3.2 0 0 1-3.199-3.199 3.198 3.198 0 1 1 6.398 0 3.2 3.2 0 0 1-3.23 3.328Zm0 0" /></g><g fill="%23FF4500"><path d="M0 0v64h64V0zm53.344 32a4.67 4.67 0 0 0-7.903-3.2 22.77 22.77 0 0 0-12.32-3.937L35.2 14.88l6.848 1.441a3.2 3.2 0 0 0 3.02 2.852 3.2 3.2 0 1 0-2.602-4.805l-7.84-1.566a1 1 0 0 0-.754.136.98.98 0 0 0-.43.63l-2.37 11.105a22.8 22.8 0 0 0-12.477 3.937 4.672 4.672 0 1 0-5.152 7.648q-.06.704 0 1.407c0 7.168 8.351 12.992 18.656 12.992 10.3 0 18.656-5.824 18.656-12.992a9.4 9.4 0 0 0 0-1.406A4.68 4.68 0 0 0 53.344 32m-32 3.2a3.198 3.198 0 1 1 6.398 0 3.195 3.195 0 0 1-3.199 3.198c-1.766 0-3.2-1.43-3.2-3.199M39.938 44a12.3 12.3 0 0 1-7.907 2.465A12.3 12.3 0 0 1 24.13 44a.87.87 0 0 1 .055-1.16.87.87 0 0 1 1.16-.055A10.48 10.48 0 0 0 32 44.801a10.5 10.5 0 0 0 6.688-1.953.9.9 0 0 1 1.265.015.9.9 0 0 1-.016 1.266Zm-.579-5.473a3.2 3.2 0 0 1-3.199-3.199 3.198 3.198 0 1 1 6.398 0 3.2 3.2 0 0 1-3.23 3.328Zm0 0" /></g></svg>){kind=small}
![telegram](data:image/svg+xml;utf8,<svg xmlns="http://www.w3.org/2000/svg" viewbox="0 0 64 64" width="64" height="64" fill-rule="evenodd"><g fill="%23ffffff"><path d="M0,0H64V64H0ZM0 0v64h64V0zm11.887 33.477c3.73-2.055 7.894-3.77 11.785-5.497 6.695-2.824 13.414-5.597 20.203-8.18 1.324-.44 3.695-.87 3.93 1.087-.13 2.773-.653 5.527-1.012 8.281-.914 6.055-1.969 12.094-2.996 18.133-.356 2.008-2.875 3.05-4.488 1.761-3.871-2.613-7.778-5.207-11.598-7.882-1.254-1.274-.094-3.102 1.027-4.012 3.188-3.145 6.575-5.816 9.598-9.121.816-1.973-1.594-.313-2.39.2-4.368 3.007-8.63 6.202-13.235 8.847-2.352 1.297-5.094.187-7.445-.535-2.11-.871-5.2-1.75-3.38-3.082m0 0" /></g><g fill="%2349a9e9"><path d="M0 0v64h64V0zm11.887 33.477c3.73-2.055 7.894-3.77 11.785-5.497 6.695-2.824 13.414-5.597 20.203-8.18 1.324-.44 3.695-.87 3.93 1.087-.13 2.773-.653 5.527-1.012 8.281-.914 6.055-1.969 12.094-2.996 18.133-.356 2.008-2.875 3.05-4.488 1.761-3.871-2.613-7.778-5.207-11.598-7.882-1.254-1.274-.094-3.102 1.027-4.012 3.188-3.145 6.575-5.816 9.598-9.121.816-1.973-1.594-.313-2.39.2-4.368 3.007-8.63 6.202-13.235 8.847-2.352 1.297-5.094.187-7.445-.535-2.11-.871-5.2-1.75-3.38-3.082m0 0" /></g></svg>){kind=small}
