
What is the correct REST method for performing server side validation?

Tags:

rest

If I don't want to update a resource, but I just want to check if something is valid (in my case, a SQL query), what's the correct REST method?

I'm not GETting a resource (yet). I'm not PUTting, POSTing, or PATCHing anything (yet). I'm simply sending part of a form back for validation that only the server can do. Another equivalent would be checking that a password conforms to complexity requirements that can only be known by the domain, or perhaps there are other use cases.

Send object, validate, return response, continue with form. Using REST. Any ideas? Am I missing something?

Chaim Eliyah asked Dec 18 '17 01:12



3 Answers

What is the correct REST method for performing server side validation?

Asking whether a representation is valid should have no side effects on the server; therefore it should be safe.

If the representation that you want to validate can be expressed within the URI, then, you should prefer to use GET, as it is the simplest choice, and gives you the best semantics for caching the answer. For example, if we were trying to use a web site to create a validation api for a text (an XML or JSON validator, for instance), then we would probably have a form with a text area control, and construct the identifier that we need by processing the form input.

If the representation that you want to validate cannot be expressed within the URI, then you are going to need to put it into the message body.

Of the methods defined by RFC 7231, only POST is suitable.

Additional methods, outside the scope of this specification, have been standardized for use in HTTP. All such methods ought to be registered within the "Hypertext Transfer Protocol (HTTP) Method Registry" maintained by IANA, as defined in Section 8.1.

The HTTP method registry gives you a lot of options. For this case, I wouldn't bother with them unless you find either a perfect match, or a safe method that accepts a body and is close enough.

So maybe REPORT, which is defined in RFC 3253; I tend to steer clear of WebDAV methods, as I'm not comfortable stretching specifications for "remote Web content authoring operations" outside of their remit.

VoiceOfUnreason answered Nov 15 '22 07:11


TLDR; There's a duplicate question around the topic of creating validation endpoints via REST:

In your case a GET request would seem sufficient.

The HTTP GET method is used to read (or retrieve) a representation of a resource. In the “happy” (or non-error) path, GET returns a representation in XML or JSON and an HTTP response code of 200 (OK). In an error case, it most often returns a 404 (NOT FOUND) or 400 (BAD REQUEST).

restapitutorial.com

For validating your SQL query you could use a GET request to get the valid state of your query potentially using a query parameter to achieve this.

GET: api/validateQuery?query="SELECT * FROM TABLE"

Returning:

  • 200 (OK): Valid Query
  • 400 (MALFORMED): Invalid Query
  • 404 (NOT FOUND): Query valid but returns no results (if you plan on executing the query)

bmjrowe answered Nov 15 '22 05:11


I think this type of endpoint is best served as a POST request. As defined in the spec, POST requests can be used for

Providing a block of data, such as the fields entered into an HTML form, to a data-handling process

The use of GET as suggested in another post, for me, is misleading and impractical based on the complexity & arbitrariness of SQL queries.

James answered Nov 15 '22 06:11
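
The POST variant argued for in the answers above, as an added example that is not part of any answer: the SQL travels in the request body, and the check has no side effects because the statement is only compiled with SQLite's EXPLAIN under a deny-by-default authorizer, never run. Assumptions: SQLite as the engine, the `users` schema, the `{"query": ...}` JSON body, accepting only read-only statements, and the names `validate_sql`, `app` and `call`.

```python
import io
import json
import sqlite3

# Constructed schema: queries are compiled against it, no rows are read or written.
SCHEMA = "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)"
READ_ONLY = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION}

def validate_sql(sql):
    """Return (ok, message). The statement is compiled with EXPLAIN, never run."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute(SCHEMA)
        # Deny-by-default authorizer runs at compile time: DDL, DML, PRAGMA, ATTACH are refused.
        conn.set_authorizer(lambda action, *_: sqlite3.SQLITE_OK
                            if action in READ_ONLY else sqlite3.SQLITE_DENY)
        conn.execute("EXPLAIN " + sql)  # also raises on syntax errors and stacked statements
        return True, "valid"
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return False, str(exc)
    finally:
        conn.close()

def app(environ, start_response):
    """WSGI handler: POST with JSON body {"query": "..."}; 200 if valid, else 400."""
    if environ["REQUEST_METHOD"] != "POST":
        start_response("405 Method Not Allowed", [("Allow", "POST")])
        return [b""]
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
        sql = json.loads(environ["wsgi.input"].read(length))["query"]
        if not isinstance(sql, str):
            raise TypeError("query must be a string")
        ok, message = validate_sql(sql)
    except (ValueError, KeyError, TypeError) as exc:
        ok, message = False, "malformed request: %s" % exc
    body = json.dumps({"valid": ok, "message": message}).encode()
    # no-store: the verdict describes user-supplied SQL and should not be cached.
    start_response("200 OK" if ok else "400 Bad Request",
                   [("Content-Type", "application/json"), ("Cache-Control", "no-store")])
    return [body]

def call(method, payload=b""):
    """Drive app() in-process; returns (status line, response bytes)."""
    seen = []
    environ = {"REQUEST_METHOD": method, "CONTENT_LENGTH": str(len(payload)),
               "wsgi.input": io.BytesIO(payload)}
    chunks = app(environ, lambda status, headers: seen.append(status))
    return seen[0], b"".join(chunks)
```

Keeping the query in the body also keeps it out of places that record the request URI, such as access logs and intermediary caches.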