I've created a simple API in AWS API Gateway with the following endpoint:
POST /v1/users
In Method Execution / Method Request I've added a request model:
This model schema looks like this:
However, when I make a request to that endpoint with the JSON body { "foo": "bar" }
it does not reject it and my Lambda function is executed...
So why is there an option to define a JSON schema if it is not used to validate requests?
Amazon API Gateway acts as a proxy to the backend operations that you have configured. Amazon API Gateway will automatically scale to handle the amount of traffic your API receives.
Using JavaScript to validate API response bodies: in your API Science monitor, you can use JavaScript to validate any of these fields.
To enable basic validation, you specify validation rules in a request validator, add the validator to the API's map of request validators, and assign the validator to individual API methods. Request body validation and request body passthrough are two separate issues.
Go to the Integration Request tab of your endpoint, click Mapping Templates, set Request body passthrough to never, add a mapping template for application/javascript, and click Method Request Passthrough from the dropdown next to Generate template.
Just trying to figure this out myself, and I see you also only just asked this a few hours ago!
So far the only reference I've found is here:
http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-method-settings.html
For non-GET method types, expand Request Models, and for Content Type and Model name, type the content type and choose the name of a model that will transform caller-supplied data into the expected format.
So it seems it's more for transformation than validation - but it's not particularly clear how this actually works.
UPDATE
I just noticed this HackerNews thread:
https://news.ycombinator.com/item?id=9880683
One of the AWS engineers responded on there, and said:
Models are not required for validation. They are simply used to generate the objects in the client SDKs.
This feature has been released as of 04/11/2017. See https://aws.amazon.com/blogs/compute/how-to-remove-boilerplate-validation-logic-in-your-rest-apis-with-amazon-api-gateway-request-validation/
Anyway, input/model validation at the API Gateway should only be considered as an additional layer of defence from a security point of view.
Your service MUST always validate the inputs/models; it's not something you can delegate!
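The symptom in the question (a model attached to a method, but no request validator enforcing it) can be checked for in an exported API definition. The following is an added example, not code from any of the posts above: it assumes the export uses API Gateway's OpenAPI extensions `x-amazon-apigateway-request-validators` and `x-amazon-apigateway-request-validator`, and it goes slightly beyond the question by also honouring an API-wide default validator and both Swagger 2 and OpenAPI 3 body declarations. The sample document, the `User` model name and the validator names are constructed.

```python
# Added example: audit an exported API Gateway OpenAPI/Swagger document for
# methods that declare a body model that no request validator enforces.
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head"}
VALIDATORS_KEY = "x-amazon-apigateway-request-validators"  # API-level map
VALIDATOR_REF = "x-amazon-apigateway-request-validator"    # API default or per method


def has_body_model(op):
    # OpenAPI 3 uses requestBody; Swagger 2 uses a parameter with in=body.
    if "requestBody" in op:
        return True
    return any(p.get("in") == "body" for p in op.get("parameters", []))


def unvalidated_body_methods(doc):
    # Returns sorted "METHOD /path" strings whose body model is never enforced.
    validators = doc.get(VALIDATORS_KEY, {})
    default_ref = doc.get(VALIDATOR_REF)  # API-wide default, may be absent
    findings = []
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS or not has_body_model(op):
                continue
            ref = op.get(VALIDATOR_REF, default_ref)  # method setting wins
            rules = validators.get(ref, {})  # unknown or missing ref -> no rules
            if not rules.get("validateRequestBody", False):
                findings.append(f"{method.upper()} {path}")
    return sorted(findings)


# Constructed sample export; "User" and the validator names are placeholders.
BODY = [{"in": "body", "name": "User", "schema": {"$ref": "#/definitions/User"}}]
SAMPLE = {
    "swagger": "2.0",
    VALIDATORS_KEY: {
        "body-only": {"validateRequestBody": True, "validateRequestParameters": False},
        "params-only": {"validateRequestBody": False, "validateRequestParameters": True},
    },
    "paths": {"/v1/users": {
        "post": {"parameters": BODY},  # model attached, no validator
        "put": {VALIDATOR_REF: "body-only", "parameters": BODY},
        "patch": {VALIDATOR_REF: "params-only", "parameters": BODY},
        "get": {},
    }},
}

if __name__ == "__main__":
    print(unvalidated_body_methods(SAMPLE))
```

A method that this check reports will pass any JSON body straight through to the backend, so the Lambda function is the only place the schema can be enforced.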