Where should validation of request payloads be done? #3639
-
I was wondering what the Required() keyword does specifically in terms of code generation. Does it generate pre-validation before a request to the API is sent out, or does it create a framework for validation after the server receives the request? A related question is whether there's any point in validating a request multiple times. For example, if I have a portal server which is a part of the public API, does it then still make sense to have microservices in the internal API validate requests they receive? Thanks in advance!
-
Hello! Validations are run on data that comes from external systems. This means:
In particular, validations are NOT performed on responses sent by the server or requests sent by the client, since in these cases the payload is created by code that the user has control over. The idea is to avoid doing extra unnecessary validations on each request for performance.
Yes, any validation defined on request payloads and response results is enforced during decoding (server side) and encoding (client side). This includes required fields and all other possible validations (min, max, min length, max length, pattern, format, etc.). See for example https://github.com/goadesign/examples/blob/master/cellar/gen/http/storage/server/types.go#L264
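
The decode-time validation discussed in this thread, sketched with the Go standard library only as an added example (it is not part of the thread and is not Goa's generated code): required-field, pattern and range checks run where bytes from another system become a typed value, which is the same place an internal service would check what it receives. The `AddRequestBody` type, the name pattern and the vintage bounds are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// AddRequestBody: hypothetical wire type; pointers distinguish missing from zero.
type AddRequestBody struct {
	Name    *string `json:"name"`
	Vintage *int    `json:"vintage"`
}

var namePattern = regexp.MustCompile(`^[A-Za-z0-9 ]{1,100}$`) // assumed rule

// Validate collects every violated rule instead of stopping at the first.
func (b *AddRequestBody) Validate() (err error) {
	switch {
	case b.Name == nil:
		err = errors.Join(err, errors.New("name: missing required field"))
	case !namePattern.MatchString(*b.Name):
		err = errors.Join(err, errors.New("name: does not match pattern"))
	}
	switch {
	case b.Vintage == nil:
		err = errors.Join(err, errors.New("vintage: missing required field"))
	case *b.Vintage < 1900 || *b.Vintage > 2020: // assumed bounds
		err = errors.Join(err, errors.New("vintage: outside 1900-2020"))
	}
	return err
}

// DecodeAddRequest is the trust boundary: external bytes become a typed value only if valid.
func DecodeAddRequest(raw []byte) (*AddRequestBody, error) {
	var body AddRequestBody
	if err := json.Unmarshal(raw, &body); err != nil {
		return nil, fmt.Errorf("decode: %w", err)
	}
	if err := body.Validate(); err != nil {
		return nil, err
	}
	return &body, nil
}

func main() {
	fmt.Println(DecodeAddRequest([]byte(`{"name":"Bl@nc"}`))) // constructed input
}
```

A present-but-zero `vintage` is reported as out of range rather than missing, which is what the pointer fields buy.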