diff --git a/server/boot/authentication.js b/server/boot/authentication.js
index eac0e68b8b..c40c864345 100644
--- a/server/boot/authentication.js
+++ b/server/boot/authentication.js
@@ -3,13 +3,13 @@ import { Observable } from 'rx';
 import dedent from 'dedent';
 // import debugFactory from 'debug';
 import { isEmail } from 'validator';
-import { check, validationResult } from 'express-validator/check';
+import { check } from 'express-validator/check';
-import { ifUserRedirectTo } from '../utils/middleware';
 import {
- wrapHandledError,
- createValidatorErrorFormatter
-} from '../utils/create-handled-error.js';
+ ifUserRedirectTo,
+ createValidatorErrorHandler
+} from '../utils/middleware';
+import { wrapHandledError } from '../utils/create-handled-error.js';
 const isSignUpDisabled = !!process.env.DISABLE_SIGNUP;
 // const debug = debugFactory('fcc:boot:auth');
@@ -82,13 +82,6 @@ module.exports = function enableAuthentication(app) {
 token: authTokenId
 } = {}
 } = req;
- const validation = validationResult(req)
- .formatWith(createValidatorErrorFormatter('errors', '/email-signup'));
-
- if (!validation.isEmpty()) {
- const errors = validation.array();
- return next(errors.pop());
- }
 const email = User.decodeEmail(encodedEmail);
 if (!isEmail(email)) {
@@ -188,6 +181,7 @@ module.exports = function enableAuthentication(app) {
 '/passwordless-auth',
 ifUserRedirect,
 passwordlessGetValidators,
+ createValidatorErrorHandler('errors', '/email-signup'),
 getPasswordlessAuth
 );
@@ -198,12 +192,6 @@ module.exports = function enableAuthentication(app) {
 ];
 function postPasswordlessAuth(req, res, next) {
 const { body: { email } = {} } = req;
- const validation = validationResult(req)
- .formatWith(createValidatorErrorFormatter('errors', '/email-signup'));
- if (!validation.isEmpty()) {
- const errors = validation.array();
- return next(errors.pop());
- }
 return User.findOne$({ where: { email } })
 .flatMap(_user => Observable.if(
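Review bot: `getPasswordlessAuth` and `postPasswordlessAuth` no longer validate their own input (hunks `@@ -82,13 +82,6` and `@@ -198,12 +192,6`), so they are only as safe as the route chain that mounts them; the two `/passwordless-auth` routes in this diff do add `createValidatorErrorHandler('errors', '/email-signup')` after the validators. `getPasswordlessAuth` still re-checks the decoded address with `isEmail(email)`, but `postPasswordlessAuth` now hands `req.body.email` straight to `User.findOne$({ where: { email } })`. I would add a comment above each handler, for example `// input is validated by createValidatorErrorHandler in the route chain; do not mount without it`, and consider a local `typeof email !== 'string'` guard before the lookup so a non-string value can never reach the query filter. Both function bodies continue outside the hunks shown.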
@@ -222,6 +210,7 @@ module.exports = function enableAuthentication(app) {
 '/passwordless-auth',
 ifUserRedirect,
 passwordlessPostValidators,
+ createValidatorErrorHandler('errors', '/email-signup'),
 postPasswordlessAuth
 );
diff --git a/server/boot/settings.js b/server/boot/settings.js
index 9264d16fcb..1df8d1b2e8 100644
--- a/server/boot/settings.js
+++ b/server/boot/settings.js
@@ -1,6 +1,9 @@
-import { isMongoId } from 'validator';
+import { check } from 'express-validator/check';
-import { ifNoUser401 } from '../utils/middleware';
+import {
+ ifNoUser401,
+ createValidatorErrorHandler
+} from '../utils/middleware';
 import supportedLanguages from '../../common/utils/supported-languages.js';
 export default function settingsController(app) {
@@ -51,11 +54,14 @@ export default function settingsController(app) {
 );
 }
+ const updateMyCurrentChallengeValidators = [
+ check('currentChallengeId')
+ .isMongoId()
+ .withMessage('currentChallengeId is not a valid challenge ID')
+ ];
+
 function updateMyCurrentChallenge(req, res, next) {
 const { user, body: { currentChallengeId } } = req;
- if (!isMongoId('' + currentChallengeId)) {
- return next(new Error(`${currentChallengeId} is not a valid ObjectId`));
- }
 return user.update$({ currentChallengeId }).subscribe(
 () => res.json({
 message:
@@ -65,6 +71,14 @@ export default function settingsController(app) {
 );
 }
+ api.post(
+ '/update-my-current-challenge',
+ ifNoUser401,
+ updateMyCurrentChallengeValidators,
+ createValidatorErrorHandler('errors'),
+ updateMyCurrentChallenge
+ );
+
 function updateMyTheme(req, res, next) {
 req.checkBody('theme', 'Theme is invalid.').isLength({ min: 4 });
 const { body: { theme } } = req;
@@ -117,13 +131,6 @@ export default function settingsController(app) { ifNoUser401, updateMyLang ); - - api.post( - '/update-my-current-challenge', - ifNoUser401, - updateMyCurrentChallenge - ); - - api.post( '/update-my-theme', ifNoUser401,
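Review bot: In hunk `@@ -51,11 +54,14` of `server/boot/settings.js`, `check('currentChallengeId')` validates the field wherever it appears (body, cookies, headers, params or query), but `updateMyCurrentChallenge` reads only `req.body.currentChallengeId`. As I read express-validator, a request carrying a valid id outside the body and none inside it would pass validation, and `user.update$` would then be called with `undefined`; the removed inline `isMongoId('' + currentChallengeId)` check tested exactly the value that was stored. Binding the validator to the location the handler reads closes that gap: import `body` from `'express-validator/check'` and use `body('currentChallengeId').isMongoId()` in place of `check(...)`. The handler body continues outside the hunk.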
diff --git a/server/utils/create-handled-error.js b/server/utils/create-handled-error.js
index d5e9a00934..30eacd11ea 100644
--- a/server/utils/create-handled-error.js
+++ b/server/utils/create-handled-error.js
@@ -18,6 +18,7 @@ export function wrapHandledError(err, {
 return err;
 }
+// for use with express-validator error formatter
 export const createValidatorErrorFormatter = (type, redirectTo, status) =>
 ({ msg }) => wrapHandledError(
 new Error(msg),
diff --git a/server/utils/middleware.js b/server/utils/middleware.js
index 1aa455a0fb..f38afbdb37 100644
--- a/server/utils/middleware.js
+++ b/server/utils/middleware.js
@@ -1,4 +1,7 @@
 import dedent from 'dedent';
+import { validationResult } from 'express-validator/check';
+
+import { createValidatorErrorFormatter } from './create-handled-error.js';
 export function ifNoUserRedirectTo(url, message, type = 'errors') {
 return function(req, res, next) {
@@ -56,3 +59,16 @@ export function ifUserRedirectTo(path = '/', status) {
 return next();
 };
 }
+
+// for use with express-validator error formatter
+export const createValidatorErrorHandler = (...args) => (req, res, next) => {
+ const validation = validationResult(req)
+ .formatWith(createValidatorErrorFormatter(...args));
+
+ if (!validation.isEmpty()) {
+ const errors = validation.array();
+ return next(errors.pop());
+ }
+
+ return next();
+};
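Review bot: The comment above `createValidatorErrorHandler` in `server/utils/middleware.js` (hunk `@@ -56,3 +59,16`) is copied from `createValidatorErrorFormatter` and does not describe the new function, which is an Express middleware factory, not a formatter. Since route safety now depends on it being wired correctly, a short JSDoc would help. It should say that the middleware must be mounted after the express-validator chains and before the handler, that its arguments are forwarded to `createValidatorErrorFormatter(type, redirectTo, status)`, and that only the last validation error is passed to `next`. Naming the parameters instead of `(...args)` would also make call sites such as `createValidatorErrorHandler('errors')`, which omits `redirectTo`, easier to review.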