/garde

A powerful validation library for Rust

Primary LanguageRustApache License 2.0Apache-2.0

Garde   Documentation Latest Version

A Rust validation library

Basic usage example

To get started, install garde:

cargo add garde -F full

And attach the Validate derive to your type. garde will generate an implementation of the Validate trait for you, allowing you to call the validate method.

Here's what that looks like in full:

use garde::{Validate, Valid};

#[derive(Validate)]
struct User<'a> {
    #[garde(ascii, length(min=3, max=25))]
    username: &'a str,
    #[garde(length(min=15))]
    password: &'a str,
}

let user = User {
    username: "test",
    password: "not_a_very_good_password",
};

if let Err(e) = user.validate() {
    println!("invalid user: {e}");
}

Garde can also validate enums:

use garde::{Validate, Valid};

#[derive(Validate)]
enum Data {
    Struct {
        #[garde(range(min=-10, max=10))]
        field: i32,
    },
    Tuple(
        #[garde(ascii)]
        String
    ),
}

let data = Data::Struct { field: 100 };
if let Err(e) = data.validate() {
    println!("invalid data: {e}");
}

Available validation rules

name format validation feature flag
required #[garde(required)] is value set -
ascii #[garde(ascii)] only contains ASCII -
alphanumeric #[garde(alphanumeric)] only letters and digits -
email #[garde(email)] an email according to the HTML5 spec1 email
url #[garde(url)] a URL url
ip #[garde(ip)] an IP address (either IPv4 or IPv6) -
ipv4 #[garde(ipv4)] an IPv4 address -
ipv6 #[garde(ipv6)] an IPv6 address -
credit card #[garde(credit_card)] a credit card number credit-card
phone number #[garde(phone_number)] a phone number phone-number
length #[garde(length(<mode>, min=<usize>, max=<usize>, equal=<usize>)] a container with length in min..=max or equal -
matches #[garde(matches(<field>))] a field matches another field -
range #[garde(range(min=<expr>, max=<expr>, equal=<expr>))] a number in the range min..=max or equal -
contains #[garde(contains(<string>))] a string-like value containing a substring -
prefix #[garde(prefix(<string>))] a string-like value prefixed by some string -
suffix #[garde(suffix(<string>))] a string-like value suffixed by some string -
pattern #[garde(pattern("<regex>"))] a string-like value matching some regular expression regex
pattern #[garde(pattern(<matcher>))] a string-like value matched by some Matcher -
dive #[garde(dive)] nested validation, calls validate on the value -
skip #[garde(skip)] skip validation -
custom #[garde(custom(<function or closure>))] a custom validator -

Additional notes:

  • required is only available for Option fields.
  • The <mode> argument for length is explained here
  • For length and range:
    • If equal is defined, min and max must be omitted.
    • Assuming equal is omitted, either min or max may be omitted, but not both.
    • min and max use an inclusive upper bound (min..=max). Setting min == max is equivalent to using equal.
  • For contains, prefix, and suffix, the pattern must be a string literal, because the Pattern API is currently unstable.
  • Garde does not enable the default features of the regex crate - if you need extra regex features (e.g. Unicode) or better performance, add a dependency on regex = "1" to your Cargo.toml.

If most of the fields on your struct are annotated with #[garde(skip)], you may use #[garde(allow_unvalidated)] instead:

#[derive(garde::Validate)]
struct Foo<'a> {
    #[garde(length(min = 1))]
    a: &'a str,

    #[garde(skip)]
    b: &'a str, // this field will not be validated
}

#[derive(garde::Validate)]
#[garde(allow_unvalidated)]
struct Bar<'a> {
    #[garde(length(min = 1))]
    a: &'a str,

    b: &'a str, // this field will not be validated
                // note the lack of `#[garde(skip)]`
}

Length modes

The length rule accepts an optional mode argument, which determines what kind of length it will validate.

The options are:

  • simple
  • bytes
  • graphemes
  • utf16
  • chars

The simple is the default used when the mode argument is omitted. The meaning of "simple length" depends on the type. It is currently implemented for strings, where it validates the number of bytes, and std::collections, where it validates the number of items.

#[derive(garde::Validate)]
struct Foo {
    #[garde(length(min = 1, max = 100))]
    string: String,

    #[garde(length(min = 1, max = 100))]
    collection: Vec<u32>
}

The bytes, graphemes, utf16, and chars exist mostly for string validation:

  • bytes validates the number of bytes
  • graphemens uses the unicode-segmentation crate, and validates the number of graphemes
  • utf16 uses encode_utf16, and validates the number of UTF-16 code points
  • chars uses chars, and validates the number of unicode scalar values
#[derive(garde::Validate)]
struct Foo {
    #[garde(length(bytes, min = 1, max = 100))]
    a: String, // `a.len()`
    
    #[garde(length(graphemes, min = 1, max = 100))]
    b: String, // `b.graphemes().count()`
    
    #[garde(length(utf16, min = 1, max = 100))]
    c: String, // `c.encode_utf16().count()`
    
    #[garde(length(chars, min = 1, max = 100))]
    d: String, // `d.chars().count()`
}

Inner type validation

If you need to validate the "inner" type of a container, such as the String in Vec<String>, then use the inner modifier:

#[derive(garde::Validate)]
struct Test {
    #[garde(
        length(min = 1),
        inner(ascii, length(min = 1)), // wrap the rule in `inner`
    )]
    items: Vec<String>,
}

The above type would fail validation if:

  • the Vec is empty
  • any of the inner String elements is empty
  • any of the inner String elements contains non-ASCII characters

To validate a deeply-nested type, such as Vec<Option<String>>, the inner modifier must be nested for each level of generics:

#[derive(garde::Validate)]
struct Test {
    #[garde(
        length(min = 1), // applies to `Vec`
        inner(inner(ascii, length(min = 1))), // applies to `String`
    )]
    items: Vec<Option<String>>,
}

You can apply separate rules to every level of the nested type:

#[derive(garde::Validate)]
struct Test {
    #[garde(
        length(min = 1), // applies to `Vec`
        inner(required), // applies to `Option`
        inner(inner(ascii, length(min = 1))), // applies to `String`
    )]
    items: Vec<Option<String>>,
}

Newtypes

The best way to re-use validation rules on a field is to use the newtype idiom with #[garde(transparent)]:

#[derive(garde::Validate)]
#[garde(transparent)]
struct Username(#[garde(length(min = 3, max = 20))] String);

#[derive(garde::Validate)]
struct User {
    // later used with `dive`:
    #[garde(dive)]
    username: Username,
}

The username field in the above example will inherit all the validation rules from the String field on Username. The result is that the error path will be flattened by one level, resulting in cleaner error messages:

User {
  username: Username("")
}.validate()

"username: length is lower than 3"

Without the #[garde(transparent)] attribute, it would instead be:

User {
  username: Username("")
}.validate()

"username[0]: length is lower than 3"

Structs with the #[garde(transparent)] attribute may have more than one field, but there must be only one unskipped field. That means every field other than the one you wish to validate must be #[garde(skip)].

Handling Option

Every rule works on Option<T> fields. The field will only be validated if it is Some. If you additionally want to validate that the Option<T> field is Some, use the required rule:

#[derive(garde::Validate)]
struct Test {
    #[garde(required, ascii, length(min = 1))]
    value: Option<String>,
}

The above type would fail validation if:

  • value is None
  • the inner value is empty
  • the inner value contains non-ASCII characters

Custom validation

Validation may be customized via the custom rule, and the context attribute.

The context may be any type without generic parameters. By default, the context is ().

#[derive(garde::Validate)]
#[garde(context(PasswordContext))]
struct User {
    #[garde(custom(is_strong_password))]
    password: String,
}

struct PasswordContext {
    min_entropy: f32,
    entropy: cracken::password_entropy::EntropyEstimator,
}

fn is_strong_password(value: &str, context: &PasswordContext) -> garde::Result {
    let bits = context.entropy.estimate_password_entropy(value.as_bytes())
        .map(|e| e.mask_entropy)
        .unwrap_or(0.0);
    if bits < context.min_entropy {
        return Err(garde::Error::new("password is not strong enough"));
    }
    Ok(())
}

let ctx = PasswordContext { /* ... */ };
let user = User { /* ... */ };
user.validate(&ctx)?;

The validator function may accept the value as a reference to any type which it derefs to. In the above example, it is possible to use &str, because password is a String, and String derefs to &str.

The #[garde(custom(...))] attribute accepts any expression which evalutes to a something which implements the following trait:

FnOnce(&T, &<T as Validate>::Context) -> garde::Result

That means it's possible to use higher order functions:

// Returns a function which does the actual validation.
fn my_equals(other: &str) -> impl FnOnce(&str, &()) -> garde::Result + '_ {
    move |value, _| {
        if value != other {
            return Err(garde::Error::new(format!("not equal to {other}")));
        }

        Ok(())
    }
}

#[derive(garde::Validate)]
struct User {
    #[garde(length(min = 1, max = 255))]
    password: String,
    // Combined with `self` access in rules:
    #[garde(custom(my_equals(&self.password2)))]
    password2: String,
}

Context/Self access

It's generally possible to also access the context and self, because they are in scope in the output of the proc macro:

struct Limits {
    min: usize,
    max: usize,
}

struct Config {
    username: Limits,
}

#[derive(garde::Validate)]
#[garde(context(Config as ctx))]
struct User {
    #[garde(length(min = ctx.username.min, max = ctx.username.max))]
    username: String,
}

Implementing rules

Say you want to implement length checking for a custom string-like type. To do this, you would implement one of the length traits for it, depending on what kind of validation you are looking for.

#[repr(transparent)]
pub struct MyString(String);

impl garde::rules::length::HasSimpleLength for MyString {
    fn length(&self) -> usize {
        self.0.len()
    }
}
#[derive(garde::Validate)]
struct Foo {
    // Now the `length` check may be used with `MyString`
    #[garde(length(min = 1, max = 1000))]
    field: MyString,
}

Each rule comes with its own trait that may be implemented by custom types in your code. They are all available under garde::rules.

Implementing Validate

In case you have a container type for which you'd like to support nested validation (using the #[garde(dive)] rule), you may implement Validate for it:

#[repr(transparent)]
struct MyVec<T>(Vec<T>);

impl<T: garde::Validate> garde::Validate for MyVec<T> {
    type Context = T::Context;

    fn validate_into(
        &self,
        ctx: &Self::Context,
        mut parent: &mut dyn FnMut() -> garde::Path,
        report: &mut garde::Report
    ) {
        for (index, item) in self.0.iter().enumerate() {
            let mut path = garde::util::nested_path!(parent, index);
            item.validate_into(ctx, &mut path, report);
        }
    }
}

#[derive(garde::Validate)]
struct Foo {
  #[garde(dive)]
  field: MyVec<Bar>,
}

#[derive(garde::Validate)]
struct Bar {
  #[garde(range(min = 1, max = 10))]
  value: u32,
}

Rule adapters

Adapters allow you to implement validation for third-party types without using a newtype.

An adapter may look like this:

mod my_str_adapter {
    #![allow(unused_imports)]
    pub use garde::rules::*; // re-export garde's rules

    pub mod length {
        pub use garde::rules::length::*; // re-export `length` rules

        pub mod simple {
            // re-implement `simple`, but _only_ for the concrete type &str!
            pub fn apply(v: &str, (min, max): (usize, usize)) -> garde::Result {
                if !(min..=max).contains(&v.len()) {
                    Err(garde::Error::new("my custom error message"))
                } else {
                    Ok(())
                }
            }
        }
    }
}

You create a module, add a public glob re-export of garde::rules inside of it, and then re-implement the specific rule you're interested in. This is a form of duck typing. Any rule which you have not re-implemented is simply delegated to garde's impl.

It's quite verbose, but in exchange it is maximally flexible. To use the adapter, add an adapt attribute to a field:

#[derive(garde::Validate)]
struct Stuff<'a> {
    #[garde(
        adapt(my_str_adapter),
        length(min = 1),
        ascii,
    )]
    v: &'a str,
}

The length rule will now use your custom implementation, but the ascii rule will continue to use garde's implementation.

Integration with web frameworks

Feature flags

name description extra dependencies
derive Enables the usage of the derive(Validate) macro garde_derive
url Validation of URLs via the url crate. url
email Validation of emails according to HTML5 regex, once_cell
email-idna Support for Internationalizing Domain Names for Applications in email addresses idna
regex Support for regular expressions in pattern via the regex crate regex, once_cell
credit-card Validation of credit card numbers via the card-validate crate card-validate
phone-number Validation of phone numbers via the phonenumber crate phonenumber
unicode Validation of grapheme count via the unicode-segmentation crate unicode-segmentation

Why garde?

Garde means guard in French. I am not French, nor do I speak the language, but guard was taken, and this is close enough :).

Development

Contributing to garde only requires a somewhat recent version of Rust.

This repository also makes use of the following tools, but they are optional:

  • insta for snapshot testing (tests/rules).
  • just for running recipes defined in the justfile. Run just -l to see what recipes are available.

License

Licensed under either of

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

Acknowledgements

This crate is heavily inspired by the validator crate. It is essentially a full rewrite of validator. The creation of this crate was prompted by this comment and a few others talking about a potential rewrite.

Footnotes

  1. HTML5 forms - valid email address