Validate HTTP input passed into frontend microservice
NimJay opened this issue · 4 comments
- This was pointed out by @iennae.
- See all instances of `FormValue` inside /src/frontend/handlers.go.
- The frontend microservice doesn't properly validate these values.
- We should look into the best practices around validating HTTP `FormValue`s — in Golang — and implement a layer of code that performs validation.
- For instance, the frontend could check that the value of this `quantity` variable is between 1 and some other number (1000?).
Hi @NimJay, I would like to work on this issue. Since no one has commented, may I continue with this work?
Hi @emzola, thank you for reaching out and your interest in contributing. :)
I just assigned this ticket to you.
What I suggest as next steps:
- Go through /.github/CONTRIBUTING.md.
- Research best practices for validating HTTP input in Golang. Share your findings in this GitHub issue. I would look into https://github.com/go-playground/validator. It seems promising.
- Set up your Online Boutique dev environment. See development guide here.
Other thoughts:
- If input is invalid, the response should return a 422 HTTP status.
- I would start small. For instance, after briefly researching and agreeing on an implementation (e.g., which libraries to use), we can work on a PR that performs validation for just one handler such as the `placeOrderHandler` handler.
Great! I’ve looked at the following validation packages:
https://github.com/asaskevich/govalidator
https://github.com/go-ozzo/ozzo-validation
https://github.com/go-playground/validator
I decided to settle for go playground (like you suggested) because in addition to being promising and used by lots of projects, I think the package provides functions and tags that are easier to understand.
I’ve also looked through the codebase of the frontend microservice. I see that there are 3 handlers in src/frontend/handlers.go that require validation (addToCartHandler, placeOrderHandler and setCurrencyHandler).
In terms of how to go about implementing a validation layer, I’m thinking about creating a validator package in the src/frontend folder. In this package, there will be maybe 2 files: validator.go and validator_test.go. In validator.go, we could have 3 structs. Each struct will represent the HTTP form data expected from each handler. Of course, we specify the validation rules for each struct field using tags, and each struct will have a Validate method that actually performs the validation based on the rules set in the tags.
Then in src/frontend/handlers.go, in each handler that requires validation, we initialize a validator struct and populate it with data from r.FormValue. We call the Validate method on the struct and return a HTTP error with 422 status code if validation fails.
That’s a rough idea of things. I could translate this to code for just the placeOrderHandler and make a PR so you see.
@emzola, thank you for that very clear explanation and excellent progress! 💯
Let's go with what you suggested! :)
- A separate validator package containing `validator.go` and `validator_test.go`.
- Respond with 422 if there is an invalid field.
- 3 structs inside `validator.go` (for each handler).
Optional: Ideally, the body of the 422 HTTP error response would state which field is invalid (e.g., "The streetAddress in your request is invalid."). But this is totally optional — since I don't think it will add a lot of value.
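As an added example (not code from the Online Boutique repository or from anyone in this thread), here is the shape of the validation layer agreed on above, written for a single handler. It uses only the Go standard library: the thread settles on go-playground/validator, which is deliberately not pulled in here so the snippet runs with no dependencies and the struct's own `Validate` method carries the rules instead of tags. The form field names (`product_id`, `quantity`), the 1..1000 quantity bound, the handler body and the sample product id are assumptions for illustration. It shows the three pieces discussed in the thread: a struct per handler populated from the form, a `Validate` method, and a 422 response whose body names the offending field.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
	"strings"
)

// ValidationError carries the offending field so the 422 body can name it.
type ValidationError struct {
	Field string
	Msg   string
}

func (e *ValidationError) Error() string {
	return fmt.Sprintf("The %s in your request is invalid: %s.", e.Field, e.Msg)
}

// AddToCartForm mirrors the values a hypothetical addToCartHandler reads
// with r.FormValue. Field names are assumptions, not the frontend's real ones.
type AddToCartForm struct {
	ProductID string
	Quantity  int
}

// maxQuantity is the upper bound floated in the thread ("1000?"); assumed here.
const maxQuantity = 1000

// Validate applies the rules: a non-empty product id and a quantity in [1, 1000].
func (f AddToCartForm) Validate() error {
	if strings.TrimSpace(f.ProductID) == "" {
		return &ValidationError{Field: "product_id", Msg: "must not be empty"}
	}
	if f.Quantity < 1 || f.Quantity > maxQuantity {
		return &ValidationError{Field: "quantity", Msg: fmt.Sprintf("must be between 1 and %d", maxQuantity)}
	}
	return nil
}

// ParseAddToCartForm populates the struct from form values. A quantity that is
// not an integer is reported as a validation failure rather than silently
// becoming zero, which is the failure mode an unchecked strconv call would hide.
func ParseAddToCartForm(values url.Values) (AddToCartForm, error) {
	q, err := strconv.Atoi(values.Get("quantity"))
	if err != nil {
		return AddToCartForm{}, &ValidationError{Field: "quantity", Msg: "must be an integer"}
	}
	f := AddToCartForm{ProductID: values.Get("product_id"), Quantity: q}
	return f, f.Validate()
}

// addToCartHandler shows the handler-side wiring: parse, validate, 422 on failure.
// Only on success would the real handler call the cart service.
func addToCartHandler(w http.ResponseWriter, r *http.Request) {
	if err := r.ParseForm(); err != nil {
		http.Error(w, "malformed form body", http.StatusBadRequest)
		return
	}
	form, err := ParseAddToCartForm(r.Form) // r.Form is what r.FormValue reads
	if err != nil {
		http.Error(w, err.Error(), http.StatusUnprocessableEntity)
		return
	}
	fmt.Fprintf(w, "added %d of %s\n", form.Quantity, form.ProductID)
}

// postForm drives the handler in-process with a constructed request body and
// returns the status code and trimmed response body.
func postForm(body string) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "/cart", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec := httptest.NewRecorder()
	addToCartHandler(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	// Constructed sample inputs covering the valid case and each rejection path.
	for _, body := range []string{
		"product_id=ABC123&quantity=2",    // valid
		"product_id=ABC123&quantity=0",    // below range
		"product_id=ABC123&quantity=1001", // above range
		"product_id=ABC123&quantity=abc",  // not an integer
		"product_id=&quantity=3",          // missing product id
	} {
		code, msg := postForm(body)
		fmt.Printf("%-34s -> %d %s\n", body, code, msg)
	}
}
```

Swapping in go-playground/validator later means replacing the body of `Validate` with a call to the library's `Struct` method on a tagged struct; the handler wiring and the 422 response stay the same.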