Scope of API Validation that needs to be handled at Apigee.

Hi All,

Let's say Apigee has been implemented for APIs from the Banking domain. There is a parameter named 'loanId' (it can be present anywhere: request payload or query parameters). Now we have the requirements below:

1. To check if loanId is greater than 0

2. To check whether the value of some parameter is within a specified range or not, e.g. the value should be greater than 10 but less than 40.

3. There is an array coming in the request payload. The requirement is to check that if the root element of the request payload is, let's say, 'abc', then that array must be present in the request. If the root tag is "xyz", then the array should not be present in the request.

Question - Is it good to implement these kinds of validations at Apigee level?

I am asking this question because a main principle of using an API Management tool states that we should not implement complex logic at the API Management level.

Waiting for inputs.

Solved

ACCEPTED SOLUTION

It's up to you.

Of course input from a client must be validated somewhere.

Often it is the case that apps validate input at multiple levels. This is not always just a security tool or technique; sometimes it's a user-assistance technique.

Imagine a single-page web app that provides client-side validation of form fields. That won't deter any hacker of course, but it could provide the basis for a User Interface that tells people: oh, you need to provide 10 digits for a telephone number. Or "that doesn't look like an email address".

Now, moving to validation within Apigee - or any API Management layer. It depends. If you see that you have a significant proportion of invalid inputs, you may want to relieve your backend from some of the cost of handling those invalid calls by including validation in the API Gateway. Suppose 20% of your calls are invalid. Would it be good for the overall system if you introduced validation at the API gateway layer? What if you added validation in the official clients?

It makes good sense to avoid "complex logic" in the API Gateway layer. I don't consider basic validation to be complex, so that guideline doesn't rule out performing validation in that layer. On the other hand, nothing is free; there is a dev and maintenance cost to introducing validation in Apigee. So you need to consider the cost/benefit of the approach.

Sorry, there is not an easy one-size-fits-all answer.
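The three rules from the question, written out as an added example (not code from the original thread or from Apigee) in plain JavaScript so they run locally under Node. In an Apigee proxy this logic would live in a JavaScript policy, reading the body via context.getVariable("request.content") and query parameters via context.getVariable("request.queryparam.loanId") and raising a fault on failure; those Apigee globals are left out so the block runs stand-alone. The payload shape (a single root key "abc" or "xyz" wrapping an object, an array named "items") and the range-checked parameter name "amountTier" are assumptions, since the question does not give them.

```javascript
"use strict";

// Rule 1: loanId must be a positive integer. It may arrive as a query string
// value (always text) or as a JSON body value (text or number), so normalise
// to a string and accept only digits. This rejects "-1", "1.0", "1e3", "abc".
function loanIdIsValid(raw) {
  if (raw === undefined || raw === null) return false;
  const s = String(raw).trim();
  if (!/^[0-9]+$/.test(s)) return false;
  return Number(s) > 0;
}

// Rule 2: a numeric parameter must lie strictly between min and max
// ("greater than 10 but less than 40" means 10 and 40 themselves are rejected).
function inOpenRange(raw, min, max) {
  if (typeof raw !== "number" && typeof raw !== "string") return false; // no booleans/objects
  if (String(raw).trim() === "") return false;                          // Number("") is 0
  const n = Number(raw);
  return Number.isFinite(n) && n > min && n < max;
}

// Rule 3: conditional presence of an array keyed by the root element.
// Assumed payload shape (hypothetical, not from the post):
//   { "abc": { ..., "items": [ ... ] } }  -> "items" must be a non-empty array
//   { "xyz": { ... } }                    -> "items" must be absent
function arrayPresenceIsValid(payload, arrayName) {
  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) return false;
  const roots = Object.keys(payload);
  if (roots.length !== 1) return false; // exactly one root element expected
  const root = roots[0];
  const body = payload[root];
  const bodyIsObject = body !== null && typeof body === "object" && !Array.isArray(body);
  if (!bodyIsObject) return false;
  if (root === "abc") return Array.isArray(body[arrayName]) && body[arrayName].length > 0;
  if (root === "xyz") return !(arrayName in body);
  return false; // unknown root element: reject rather than guess
}

// The question says loanId "can be present anywhere": look in the query string,
// then at the top level of the body, then inside the single root element.
function findParam(name, query, payload) {
  if (query && query[name] !== undefined) return query[name];
  if (payload && typeof payload === "object" && payload[name] !== undefined) return payload[name];
  const roots = payload && typeof payload === "object" ? Object.keys(payload) : [];
  if (roots.length === 1 && payload[roots[0]] && typeof payload[roots[0]] === "object") {
    return payload[roots[0]][name];
  }
  return undefined;
}

// Runs all three rules; returns the list of violations (empty = request accepted).
// `query` is a flat object of query parameters, `rawBody` the request body as text.
function validateRequest(query, rawBody) {
  let payload;
  try {
    payload = rawBody && rawBody.trim().length ? JSON.parse(rawBody) : {};
  } catch (e) {
    return ["request body is not valid JSON"];
  }
  const errors = [];
  if (!loanIdIsValid(findParam("loanId", query, payload))) {
    errors.push("loanId must be a positive integer");
  }
  if (!inOpenRange(findParam("amountTier", query, payload), 10, 40)) {
    errors.push("amountTier must be greater than 10 and less than 40");
  }
  if (!arrayPresenceIsValid(payload, "items")) {
    errors.push("array 'items' must be present and non-empty under root 'abc' and absent under root 'xyz'");
  }
  return errors;
}

// Constructed sample requests (not real traffic): one valid, one with a bad
// loanId, one where the range and the array rule both fail.
const SAMPLES = [
  { query: { loanId: "12345" }, body: '{"abc":{"amountTier":25,"items":[{"id":1}]}}' },
  { query: { loanId: "-5" },    body: '{"xyz":{"amountTier":25}}' },
  { query: {},                  body: '{"xyz":{"loanId":7,"amountTier":40,"items":[]}}' },
];

function runSamples() {
  return SAMPLES.map((s) => validateRequest(s.query, s.body));
}

if (typeof require !== "undefined" && require.main === module) {
  runSamples().forEach((errs, i) => console.log(`sample ${i}:`, errs.length ? errs : "accepted"));
}
```

This is the kind of check the answer calls "basic": a few lines per rule, no backend call, and a 400 with the violation list is enough to keep the invalid share of traffic off the backend. It does not replace validation in the backend; the answer's point is only that the gateway can absorb part of the cost.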


I agree with what you said. I specified 3 validations, of which the first two are very easy and doable. But my main concern is the 3rd one. I think it should not be performed at the Apigee level. What are your thoughts on this?

I'm not clear on root tag and array and what you're talking about there.

Regardless of the specific rules you are applying, I don't think it would be difficult to validate in Apigee. The question is only, is it worth it?