When I write code, I’m not writing it to get the job done, and I’m not writing it for myself. I’m writing it for the next person who reads or writes it.
Writing code that compiles isn’t difficult for most people who write code professionally, and similarly, writing bugs isn’t difficult. The former is how it should be, but we should strive to limit the ability of future developers to write bugs.
This is why, when I write code, I strive for compile-time safety: I want your IDE to tell you “this won’t work” before your tests do — or worse, your production environment. That’s why I, like many developers, prefer TypeScript over JavaScript — we want our IDEs to verify, as much as possible, that our code is correct.
We’ve established that I’m on a quest for “impossible to break” code (as long as we’re acting in good faith): That’s why when I saw this, I knew changes had to be made.
The big issue here is that we do no verification on req.body. We just… trust that the client sent in the right data. If our trust is broken, the client isn’t going to get “400: Bad Request”, they’re going to get “500: tried calling fn on undefined” or something similar.
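The difference between the two responses, as an added example that is not code from the original post: a hand-written type guard turns malformed input into a 400 before any field is used, while a bare cast lets it surface as a 500. The `CreateUserBody` shape, the handler names and the `dispatch` helper (standing in for a framework's error handling) are all hypothetical.

```typescript
// Hypothetical request shape; the original post does not show its fields.
interface CreateUserBody {
  name: string;
  email: string;
}

type Result = { status: number; body: unknown };

// Runtime type guard: the compiler only treats the value as CreateUserBody
// after this function has actually inspected it.
function isCreateUserBody(value: unknown): value is CreateUserBody {
  if (typeof value !== "object" || value === null) return false;
  const { name, email } = value as Record<string, unknown>;
  return typeof name === "string" && name.length > 0
    && typeof email === "string" && email.includes("@");
}

// Unchecked: the cast silences the compiler, so malformed input throws
// a TypeError at runtime instead of being rejected.
function handleUnchecked(reqBody: unknown): Result {
  const body = reqBody as CreateUserBody;
  return { status: 201, body: { name: body.name.trim(), email: body.email.toLowerCase() } };
}

// Checked: malformed input is answered with 400 before any field is touched.
function handleChecked(reqBody: unknown): Result {
  if (!isCreateUserBody(reqBody)) {
    return { status: 400, body: { error: "Bad Request" } };
  }
  return { status: 201, body: { name: reqBody.name.trim(), email: reqBody.email.toLowerCase() } };
}

// Stand-in for what a web framework does with an uncaught handler exception.
function dispatch(handler: (b: unknown) => Result, reqBody: unknown): Result {
  try {
    return handler(reqBody);
  } catch {
    return { status: 500, body: { error: "Internal Server Error" } };
  }
}

// Constructed sample inputs: one valid body, one with a wrong type, one missing.
const samples: unknown[] = [{ name: " Ada ", email: "ADA@example.com" }, { name: 42 }, undefined];
for (const s of samples) {
  console.log(dispatch(handleUnchecked, s).status, dispatch(handleChecked, s).status);
}
```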