Does API Gateway automatically validate input model?

I've created a simple API in AWS API Gateway with the following endpoint:

POST /v1/users

In method execution / method request I've added a request model:

enter image description here

This model schema looks like this:

enter image description here

However, when I make a request to that endpoint with the JSON body { "foo": "bar" }, it does not reject it and my Lambda function is executed...

So why is there an option to define a JSON schema if it is not used to validate requests?

user606521 asked Aug 28 '15 11:08



3 Answers

Just trying to figure this out myself, and I see you also only just asked this a few hours ago!

So far the only reference I've found is here:

http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-method-settings.html

For non-GET method types, expand Request Models, and for Content Type and Model name, type the content type and choose the name of a model that will transform caller-supplied data into the expected format.

So it seems it's more for transformation than validation - but it's not particularly clear how this actually works.

UPDATE

I just noticed this HackerNews thread:

https://news.ycombinator.com/item?id=9880683

One of the AWS engineers responded on there, and said:

Models are not required for validation. They are simply used to generate the objects in the client SDKs.

RemoteCTO answered Sep 29 '22 01:09


This feature has been released as of 04/11/2017. See https://aws.amazon.com/blogs/compute/how-to-remove-boilerplate-validation-logic-in-your-rest-apis-with-amazon-api-gateway-request-validation/

RyanG answered Sep 30 '22 01:09


Anyway, input/model validation at the API Gateway should only be considered as an additional layer of defence from a security point of view.

Your service MUST always validate the inputs/models; it's not something you can delegate!

Daniel Gartmann answered Oct 01 '22 01:10
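
In-service validation as the last answer describes it, shown as an added example that is not code from any of the answers: a Lambda handler that rejects the question's { "foo": "bar" } body itself, whether or not API Gateway validated it first. It assumes the Lambda proxy integration event format, and the name/email fields are a hypothetical schema, since the question's real schema was only posted as an image.

```python
import base64
import json

# Hypothetical schema for POST /v1/users (the question's schema is not on the page).
REQUIRED = {"name": str, "email": str}
MAX_LEN = 254


def validate_user(payload):
    """Return a list of validation errors; an empty list means valid."""
    if not isinstance(payload, dict):
        return ["body must be a JSON object"]
    errors = []
    for field, ftype in REQUIRED.items():
        value = payload.get(field)
        if not isinstance(value, ftype) or not value.strip():
            errors.append(f"{field}: required non-empty string")
        elif len(value) > MAX_LEN:
            errors.append(f"{field}: longer than {MAX_LEN} characters")
    # Reject unknown keys, the equivalent of additionalProperties: false.
    for extra in sorted(set(payload) - set(REQUIRED)):
        errors.append(f"{extra}: unexpected property")
    if not errors and "@" not in payload["email"]:
        errors.append("email: must contain '@'")
    return errors


def _response(status, body):
    return {"statusCode": status,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body)}


def handler(event, context=None):
    """Lambda proxy integration handler that validates before doing any work."""
    raw = event.get("body") or ""
    try:
        if event.get("isBase64Encoded"):
            raw = base64.b64decode(raw).decode("utf-8")
        payload = json.loads(raw)
    except (ValueError, TypeError):  # bad base64, bad UTF-8 or bad JSON
        return _response(400, {"errors": ["body is not valid JSON"]})
    errors = validate_user(payload)
    if errors:
        return _response(400, {"errors": errors})
    # Only validated data reaches the business logic (omitted here).
    return _response(201, {"created": payload["email"]})
```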