Hello 
That’s a really good question. createElement
is just a helper function, just like you said. This function is not part of the Node.js or the Express, it’s just a function defined in this project to make it easier to manage the code.
So let’s take a look at this function and see if there are any mechanism that validate the second parameter passed to the function.
const { getElementById, getIndexById, updateElement,
seedElements, createElement } = require('./utils');
This line tells us that functions getElementById
, getIndexById
, …, createElement
are defined in the utils.js
file. You can open this file using file explorer:

In this file you should find createElement
function:
const createElement = (elementType, queryArguments) => {
if (queryArguments.hasOwnProperty('emoji') &&
queryArguments.hasOwnProperty('name')) {
let currentId;
if (elementType === 'expressions') {
expressionIdCounter += 1;
currentId = expressionIdCounter;
} else {
animalIdCounter += 1;
currentId = animalIdCounter;
}
return {
'id': currentId,
'emoji': queryArguments.emoji,
'name': queryArguments.name,
};
} else {
return false;
}
};
As you can see, this function starts with an if
checking whether the second parameter has indeed properties emoji
and name
or not. If not (else
block) function returns false
.
This fact is used by the route controller here:
app.post('/expressions', (req, res, next) => {
const receivedExpression = createElement('expressions', req.query);
if (receivedExpression) { // <-- here
expressions.push(receivedExpression);
res.status(201).send(receivedExpression);
} else {
res.status(400).send();
}
});
So if the value returned by the createElement('expressions', req.query)
is false
then the API call will result in HTTP code 400
which means “bad request” and indicates that something was wrong with the request we made.
So, request /expressions?not_emoji=%F0%9F%98%8D¬_name=Heart%20eyes
will result in error 400. But your question is a little broader:
How does the function know that req.query contains the correct parameters for name and emoji?
The answer is - it doesn’t. It just checks if emoji
and name
are present in the parameters, but it does not validate emoji
property to see if it actually is an emoji.
That’s why request /expressions?emoji=not%20a%20real%20emoji&name=Emoji,%20trust%20me
will result in HTTP code 200
(OK) and this output:
{
"id": 5,
"emoji": "not a real emoji",
"name": "Emoji, trust me"
}
I hope that answers your question. If you would like to - you can always add validation that makes sure that emoji
property is, in fact, an emoji 