Validate HTTP input passed into frontend microservice

[NimJay]

• This was pointed out by @iennae.
• See all instances of FormValue inside /src/frontend/handlers.go.
• The frontend microservice doesn't properly validate these values.
• We should look into the best practices around validating HTTP FormValues — in Golang — and implement a layer of code that performs validation.
• For instance, the frontend could check that value of this quantity variable is between 1 and some other number (1000?).

[emzola]

Hi @NimJay, I would like to work on this issue. Since no one has commented, may I continue with this work?

[NimJay]

Hi @emzola, thank you for reaching out and your interest in contributing. :) I just assigned this ticket you.

What I suggest as next steps:

1. Go through /.github/CONTRIBUTING.md.
2. Research best practices for validating HTTP input in Golang. Share you findings in this GitHub issue. I would look into https://github.com/go-playground/validator. It seems promising.
3. Set up your Online Boutique dev environment. See development guide here.

Other thoughts:

• If input is invalid, the response should return a 422 HTTP status.
• I would start small. For instance, after briefly researching and agreeing on an implementation (e.g., which libraries to use), we can work on a PR that performs validation for just one handler such as the placeOrderHandler handler.

[emzola]

Great! I’ve looked at the following validation packages:

https://github.com/asaskevich/govalidator https://github.com/go-ozzo/ozzo-validation https://github.com/go-playground/validator

I decided to settle for go playground (like you suggested) because in addition to being promising and used by lots of projects, I think the package provides functions and tags that are easier to understand.

I’ve also looked through the codebase of the frontend microservice. I see that there are 3 handlers in src/frontend/handlers.go that require validation (addToCartHandler, placeOrderHandler and setCurrencyHandler).

In terms of how to go about implementing a validation layer, I’m thinking about creating a validator package in the src/frontend folder. In this package, there will be maybe 2 files: validator.go and validator_test.go. In validator.go, we could have 3 structs. Each struct will represent the HTTP form data expected from each handler. Of course, we specify the validation rules for each struct field using tags, and each struct will have a Validate method that actually performs the validation based on the rules set in the tags.

Then in src/frontend/handlers.go, in each handler that requires validation, we initialize a validator struct and populate it with data from r.FormValue. We call the Validate method on the struct and return a HTTP error with 422 status code if validation fails.

That’s a rough idea of things. I could translate this to code for just the placeOrderHandler and make a PR so you see.

[NimJay]

@emzola, thank you for that very clear explanation and excellent progress! 💯

Let's go with what you suggested! :)

• A separate validator package containing validator.go and validator_test.go.
• Respond with 422 if there is an invalid field.
• 3 structs inside validator.go (for each handler).

Optional: Ideally, the body of the 422 HTTP error response would state which field is invalid (e.g., "The streetAddress in your request is invalid."). But this is totally optional — since I don't think it will add a lot of value.