Mastering CRUD: Build Full-Stack Database Applications

Chapter 5 of 10 · Chapter 5 — Create & Read in Practice
Lesson 23 of 52 · Reading · 15 min

Building the Create Endpoint End-to-End

Let's build POST /tasks properly — not just "it works", but production-shaped.

The Full Handler

```ts
// app/api/v1/tasks/route.ts
import { NextRequest, NextResponse } from "next/server";
import { z } from "zod";
import { prisma } from "@/lib/prisma";
import { getSession } from "@/lib/auth";

const CreateTask = z.object({
  title: z.string().min(1).max(200),
  description: z.string().max(2000).optional(),
  dueDate: z.coerce.date().optional(),
});

export async function POST(req: NextRequest) {
  // 1. Authenticate
  const session = await getSession();
  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });

  // 2. Validate — a body that is not valid JSON is a client error (400), not a 500
  let body: unknown;
  try {
    body = await req.json();
  } catch {
    return NextResponse.json({ error: "Malformed JSON body" }, { status: 400 });
  }
  const parsed = CreateTask.safeParse(body);
  if (!parsed.success) {
    return NextResponse.json(
      { error: "Validation failed", issues: parsed.error.flatten() },
      { status: 400 },
    );
  }

  // 3. Create — owner comes from the session, never the body
  //    (z.object strips unknown keys by default, so a client-supplied ownerId never reaches Prisma)
  const task = await prisma.task.create({
    data: { ...parsed.data, ownerId: session.userId },
  });

  // 4. Respond 201 with a Location header
  return NextResponse.json(
    { data: task },
    { status: 201, headers: { Location: `/api/v1/tasks/${task.id}` } },
  );
}
```

The Four Things Every Create Does

  1. Authenticate — who is making the request?
  2. Validate — is the body well-formed and within limits?
  3. Persist — write the row, deriving server-controlled fields (owner, timestamps, id) on the server.
  4. Respond — 201, the created resource, and a Location header.

Never Trust the Client for Identity

```ts
// ❌ ownerId from the body — a user could create tasks for someone else
data: { ...body }

// ✅ ownerId from the authenticated session
data: { ...parsed.data, ownerId: session.userId }
```

This single rule prevents a whole class of "mass assignment" vulnerabilities, covered fully in Chapter 7.

Returning the Created Resource

Always return the created row (including its generated id and timestamps) so the client doesn't need a follow-up read.
