These patches move all request handling logic to controller functions. Route files now only map routes to controller functions. This is more similar to what Sooyou had set up before. When I pulled some "business logic" (like playlist handling) into core I dropped the controller files and called the core APIs straight from route files. This patch instead takes a few clues from https://github.com/KunalKapadia/express-mongoose-es6-rest-api and puts all logic into controllers, even if it's just a single function call. This makes it much clearer where the work happens (always in the controllers/ directory).

The second patch also removes most by-hand validation from controllers and instead uses the validation library Joi. Nice thing about Joi is that validators are written in the shape of the data you expect, so instead of doing

Array.isArray(body.items) && (typeof body.after === 'string' || body.after === -1)

we can do

joi.object({
  items: joi.array().required(),
  after: [
    objectID, // Insert after ID
    joi.number().valid(-1), // Prepend
  ],
})

which makes it more obvious what the incoming data actually looks like. (Also, the former doesn't check that the after property is actually a valid MongoDB ObjectID, whilst the latter does, so it's more robust as well!)