[question] Validation on filter values

Question

[question] Validation on filter values

TimmayNL opened this issue 9 months ago · 4 comments

Hi all,

I am new to json:api and this package, so maybe I am overlooking something.
But the issue I have is the following:

I am exposing the index action of one of my resources and am using a CollectionQuery. It has several fields that are allowed to filter on. In the documentation I read the following line in the Query Parameters section:

Therefore, we recommend adding additional rules for each value. For example:

return [
      'filter' => [
        'nullable',
        'array',
        JsonApiRule::filter(),
      ],

      'filter.foo' => [
        'filled',
        'string',
      ],

      // ...
  ];

I tried this by adding

            'filter.id' => ['array'],
            'filter.id.*' => [Rule::integer()],
...

to the rules in my CollectionQuery. But when I do this for one field, the filter stops working for other fields.
So in the example above, I can filter on id field, but when I want to filter on name, it does nothing; I get all resources unfiltered back.

When I now add extra line with validation for name

            'filter.name' => ['filled', 'string'],

filtering on name works again. But this means that once I add validation for one field, I am forced to add validation for all filterable fields. I even need to add the fields of resources that are included via relations, otherwise I won't be able to filter on their fields. Since I have set maxDepth to 3, I need to add quite some validation in my CollectionQuery.

Is this expected behaviour?

Answer 1 · 2024-04-15T15:21:49.000Z

Hi! This is down to how the Laravel validation works, rather than this package. You will indeed need to validate all fields in an array i .e. id and name rather than just one. But that's best practice anyway - the input here is coming from an untrusted source (an API client), so you should validate everything.

Answer 2 · 2024-04-15T17:40:03.000Z

Hi, thnx for the reply. I understand, that makes sense.

One more question. Is there a good way to manage the validation of fields of related resources?

For instance, I have resource posts with fields id and name and can access it as relation of resources authors and comments

In the CollectionQuery comments I have to add rules

            ...
            'filter.post.id' => ['array'],
            'filter.post.id.*' => [Rule::integer()],
            'filter.post.name' => ['filled', 'string'],

In the CollectionQuery authors I have to add rules

            ...
            'filter.posts.id' => ['array'],
            'filter.posts.id.*' => [Rule::integer()],
            'filter.posts.name' => ['filled', 'string'],

Do I have to do this in all CollectionQueries for all resources directly related (and indirectly via the maxDepth)? Or is there a better way to manage this?

Answer 3 · 2024-04-17T08:19:55.000Z

Yes unfortunately you do have to do that at the moment. However, the next major version of this package will remove that need - as the rules are being moved to the filters themselves. So for filters that are relationships, it will be able to work out the validation rules for properties on the inverse resource type.

So it's a bit of a pain now, but will be solved in the future.

Answer 4 · 2024-04-17T09:12:21.000Z

Ok, then I will just continue doing it like that, I can live with that :-)
And good to know it will be easier in next release.