How to handle sorting in Node.js APIs

Thursday, December 11, 2025

Implementing sorting is essential for Node.js APIs that return lists of data, allowing clients to order results by any field. As the creator of CoreUI with over 11 years of Node.js development experience since 2014, I’ve built sortable APIs for countless enterprise applications. The most effective solution is to accept sort field and direction as query parameters and apply them to database queries. This approach is flexible, performant, and follows REST API best practices.

Use query parameters to implement sorting in Node.js APIs.

const express = require('express')
const { User } = require('./models')

const app = express()

app.get('/api/users', async (req, res) => {
  const sortBy = req.query.sortBy || 'createdAt'
  const sortOrder = req.query.order || 'DESC'

  const allowedFields = ['name', 'email', 'createdAt', 'updatedAt']
  const allowedOrders = ['ASC', 'DESC']

  if (!allowedFields.includes(sortBy)) {
    return res.status(400).json({ error: 'Invalid sort field' })
  }

  if (!allowedOrders.includes(sortOrder.toUpperCase())) {
    return res.status(400).json({ error: 'Invalid sort order' })
  }

  const users = await User.findAll({
    order: [[sortBy, sortOrder]]
  })

  res.json(users)
})

The API accepts sortBy and order query parameters with sensible defaults. An allowlist validates the sort field to prevent SQL injection and ensure only valid columns are used. The sort order is validated to accept only ASC or DESC. Sequelize’s order option accepts an array where the first element is the field name and the second is the direction. Multiple sort fields can be supported by passing multiple field-direction pairs.

Best Practice Note

This is the same sorting pattern we use in CoreUI backend APIs for data tables and lists. Always validate sort fields against an allowlist rather than directly using user input in queries. For APIs supporting multiple sort fields, accept a comma-separated list like ?sortBy=name,createdAt&order=ASC,DESC and parse it appropriately.

Speed up your responsive apps and websites with fully-featured, ready-to-use open-source admin panel templates—free to use and built for efficiency.

About the Author

Łukasz Holeczek, Founder of CoreUI, is a seasoned Fullstack Developer and entrepreneur with over 25 years of experience. As the lead developer for all JavaScript, React.js, and Vue.js products at CoreUI, they specialize in creating open-source solutions that empower developers to build better and more accessible user interfaces.

With expertise in TypeScript, JavaScript, Node.js, and modern frameworks like React.js, Vue.js, and Next.js, Łukasz combines technical mastery with a passion for UI/UX design and accessibility. CoreUI’s mission is to provide developers with tools that enhance productivity while adhering to accessibility standards.

Łukasz shares its extensive knowledge through a blog with technical software development articles. It also advises enterprise companies on building solutions from A to Z. Through CoreUI, it offers professional services, technical support, and open-core products that help developers and businesses achieve their goals.

Learn more about CoreUI’s solutions and see how your business can benefit from working with us.