Open webron opened 8 years ago
I would really appreciate getting a mechanism to validate data format on the service side :+1:
@zanona @hiveship if you or anyone from the community wants to contribute to the server stub generator on data validation, please reply to let us know.
I can probably show you some good starting points to add the validation.
Thanks for the help @wing328. I have been working on something during the last few days which might be quite helpful for such cases. It's basically a middleware that takes the swagger file and validates the incoming requests through https://github.com/apigee-127/sway which handles this case quite well.
I was interested in knowing if the server side data validation was previously discussed and if perhaps you guys have decided to leave it out of the server code generation, but apparently the project just needs contributors :)
Thanks again.
For Java (Spring-REST) I added basic JSR-303 Bean Validation support to Springfox (based on Spring-REST), which allows using the @Valid annotation on the server side, which will simply validate the complete request using the Bean Validation API without any additional coding. Do you think it makes sense to add this to the server-code-generator templates for spring-mvc (probably better as an option)?
👍
@jfiala yes, I'm sure others would welcome your contribution on that.
@jfiala We start adding validation to model properties and method arguments in the API client: https://github.com/swagger-api/swagger-codegen/issues/2663
This should not impact your contribution. It's more of an FYI.
@jfiala @wing328 Is there any work in progress on adding JSR303 annotations while generating server code for the JAXRS language? Any pointer to any other language (server side) for which JSR303 annotations are already added? Any pointer on how to start work on this? Thx
@deveshpujari You have the full-featured implementation of JSR303 for jaxrs-cxf server + jaxrs-cxf-client and for the java client. For the other languages I want to add it language-by-language. If you have any priorities let me know.
This is the issue where the implementation will be done: #4091, please add your vote there if you prefer a specific language to be supported first...
Thanks @jfiala I added my priority for jaxrs in #4901
From @zanona on March 3, 2016 16:10
I have noticed that most clients that can be generated through Swagger, such as javascript, will comply with JSON Schema properties like enum, maxLength, minimum, required, etc. for the request body (i.e. /users/POST [User Model]). However, from what I have tested, all generated server code such as Node.js, Go, etc. will simply skip that information and leave the API wide open to accepting any kind of payload or wrong property format through the requests, unlike APIs in the wild such as Github's, Twitter's, etc., where those will probably filter the payload and block any unwanted data format or analyse if all required properties for the body object have been sent.
Is the fact that most generated servers are not analysing this information something that has been discussed before? It would be interesting to know the reason for validations being only made from client-side generated code leaving the API vulnerable?
Copied from original issue: swagger-api/swagger-core#1693
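
The gap described in this issue, as an added example (not swagger-codegen output and not sway's API): a hand-written check of `required`, `enum`, `maxLength` and `minimum` that a Node.js handler runs before accepting a request body. The User schema, `checkValue`, `validateBody` and `handleCreateUser` are hypothetical names constructed for illustration, and rejecting undeclared properties is an assumption.

```javascript
const userSchema = { // constructed, hypothetical User model
  required: ['name', 'role'],
  additionalProperties: false, // assumption: reject fields the model does not declare
  properties: {
    name: { type: 'string', maxLength: 20 },
    role: { type: 'string', enum: ['admin', 'member'] },
    age: { type: 'integer', minimum: 0 },
  },
};

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
// Check one value against the keywords named in the issue; returns a message or null.
function checkValue(rule, value) {
  if (rule.type === 'string' && typeof value !== 'string') return 'must be a string';
  if (rule.type === 'integer' && !Number.isInteger(value)) return 'must be an integer';
  // maxLength counts Unicode code points, not UTF-16 units.
  if (typeof value === 'string' && [...value].length > rule.maxLength) return `longer than ${rule.maxLength}`;
  if (rule.minimum !== undefined && value < rule.minimum) return `below minimum ${rule.minimum}`;
  if (rule.enum && !rule.enum.includes(value)) return `not one of ${rule.enum.join(', ')}`;
  return null;
}

// Returns the list of violations for a parsed request body (empty list = valid).
function validateBody(schema, body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return ['body: must be a JSON object'];
  }
  const errors = [];
  for (const key of schema.required) {
    if (!has(body, key)) errors.push(`${key}: required`);
  }
  for (const key of Object.keys(body)) {
    if (!has(schema.properties, key)) {
      if (schema.additionalProperties === false) errors.push(`${key}: unknown property`);
      continue;
    }
    const problem = checkValue(schema.properties[key], body[key]);
    if (problem) errors.push(`${key}: ${problem}`);
  }
  return errors;
}

// What a POST /users handler would do before any business logic runs.
function handleCreateUser(rawBody) {
  let body;
  try { body = JSON.parse(rawBody); } catch (e) { return { status: 400, errors: ['body: invalid JSON'] }; }
  const errors = validateBody(userSchema, body);
  return errors.length ? { status: 400, errors } : { status: 201, errors: [] };
}
```

Without a check like this, the second payload in a pair such as `{"name":"ann","role":"member"}` and `{"name":"ann","role":"root","isAdmin":true}` reaches the handler's logic unchanged.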