Secure Your ASP.Net Web API with Request Validation: Best Practices and Techniques

Comments off | Back end By · 26/02/2023



Secure Your ASP.Net Web API with Request Validation: Best Practices and Techniques

Secure Your ASP.Net Web API with Request Validation: Best Practices and Techniques

#coding #codingbootcamp #softwaredeveloper

Enter to win free tuition! Enter below!
https://StartupHakk.com/start-now?source=yt

Github Repo: https://github.com/slthomason/StartupHakk/tree/main/20_Aspnet_WebApi_Request_Validation

First approach
A very common scenario is to use the controller’s layers to validate the code, most people do that to avoid spending resources and calling methods if we still have invalid fields, so let’s create the simplest validation approach.
The simple Person class, has purposely a few properties just to test how we can validate them.
This validation approach of the PersonController class works, but there are a few problems we can highlight:
1 — We are not returning to the client the validation problems
2 — There is a big chance of duplicating the validation code in other methods.
3 — There is no separation of concerns.
4 — The errors will be reported one by one to the caller and not at the same time
Of course, we can change the code to use a shared utils class to validate, or create a validation list and add the errors to this list, but this will not solve all the errors with this new approach. Instead, we can use what asp.net already provides to us.

Data Annotations
Asp.net provides a set of classes that we can use to decorate properties and classes with, these classes are under the System.ComponentModel.DataAnnotations namespace and are simple classes that inherit from the ValidationAttribute abstract class.
Even though you can create custom classes and inherit from ValidationAtrribute there is plenty of built-in classes that will solve a big part of your validation logic such as RequiredAttribute , MaxLengthAttribute , RangeAttribute , EmailAttribute, CreditCardAttribute , and many many others. This basic validation will be enough for now, notice that we can multiple annotations for a single property.
The next step will be validating the class once the data it will be provided by the caller, and we can do that using the Asp.Net Model Binding validation.

Model Binding validation
Asp.net binds the information sent in the request body to the action’s parameters and we have access to this information through the controller’s ModelState object which has the IsValid property that as the name suggests returns if the model is valid or not, if the validation fails all the errors will be kept in the ModelState object and they can be returned by the caller in a BadRequestActionResult which also returns a 400 status code. Using DataAnnotations and ModelBinding I can replace all the dirty validation logic in the controllers for a clean and separated validation logic directly on the application models. But on the other hand, when working with multiple actions, we are duplication the model binding validation for all actions and it would be great if we can reuse this piece of validation code. But fortunately, we can do this using Action Filters.

Action Filters
Asp.Net Action Filters are one type of Filter provided by Asp.net, and they are pieces of code that will always run before and after each request in the application.
To create an Action Filter we just need to create a new class, and implement the IActionFilter interface, which allows us to implement the methods OnActionExecuting and OnActionExecuted so moving the validation code from the controllers to the OnActionExecuting will have the same effect.
By doing this we solve one more issue and clean all validation code from all controllers, which is awesome.
But what if we have a very complicated validation logic and the current DataAnnotations are not enough for my project?
For sure this is a very common need and most of us already have this requirement in our project, which brings us to the initial approach, create a class with a custom validation code and use it across the application.
As an example imagine that we need to run a lot of checks against the VAT person’s number provided by the client, such as checking if the code is valid against a database, or checking if the VAT is forbidden, denied, of whatever.
Luckily we can use our current approach and extend the behavior to customize all our validation logic, and even use an existent validation library to help.

Custom Attributes
As I mentioned before, the classes from the DataAnnotationnamespace inherit from ValidationAttribute , so to create the custom attributes we just need to create a new class, inherit from ValidationAttribute override the IsValid property and write a custom validation code there
In this custom logic, I am just checking if the VAT contains the number 1111 but in this class, we can do all the checking that we need, and we can use this validation exactly how we already use all from DataAnnotation namespace.
I think this is a great validation approach, of course, it could be customized as you wish, you do not need to follow it 100% as explained here since it opens lots of additional options and ways of use.

53GB.COM GPTSTORE CPU Yougpt Gptsio Gpt-store-Nav