1
In a backend that has separate validation functions to check the validity of the data, if this data is invalid the procedure (return a 400 or print something on the screen, for example) must occur in this part of validation or is a task for the controller?
In the frontend where I have a party that handles requests to the server (services), when an error is received from one of these requests, notify the user is the task of the service itself or the controller?
Whose responsibility it is?
simple example with php (the question is not focused on any language, just for example)
main.php:
//Forma 1
isValidPassword("123", "321");
//Forma 2
isValidPassword("123", "321") or die("senhas diferente");
php validation.:
//Forma 1
function isValidPassword($password, $confirm) {
$password === $confirm or die("senhas diferente");
}
//Forma 2
function isValidPassword($password, $confirm) {
return $password === $confirm;
}
In frontend the idea is the same, execute a alert()
controller or validation function?
William, I couldn’t quite understand your question. But from what I understand, all validation functions as required field, maximum and minimum value, compare fields, should be done at the front end, due to speed and unnecessary sending to your backend, your backend has to be responsible for all processing of your business rule.
– Paulo Alexandre
I do not agree with what I said, this should be done both on the front (because of ux and non-performance) as on the back, for security reasons, someone could easily create requests with invalid or badly formatted data and the back cannot save these
– Costamilam
You can apply security to your backend, that only your front can communicate with it, there are several ways to do this. However I agree with Oce regarding not letting invalid data be saved, but if a well constructed security can hardly be a requirement can be passed undesirably
– Paulo Alexandre
Sorry, but @Pauloalexandre is completely wrong. There is no way to know where the request comes from, this is easily forged. Any user can submit any value. You can test this yourself using Curl, for example, so you can send any information. The content analysis, if it is according to what you expect, should be done on the server. Of course, as mentioned, it can also do on the client side, just for the sake of optimizing the user experience.
– Inkeliz
what I say @lnkeliz if Voce places an authentication, it has no way to be called by Curl, only if the person knows how to authenticate to your server.
– Paulo Alexandre
@Pauloalexandre And how will authentication work? What will prevent a traffic monitoring and know how authentication is done? There is no such magic if you are receiving arbitrary content from other people. The only way to "authenticate" would be to have secure hardware that also contains a non-extractable cryptographic key. So the user would send the content to such device and it would sign, if correct. Thus the server would accept, valid signatures, this is similar to FIDO U2F’s "Challenge". However, this is purely unviable.
– Inkeliz
I speak in. NET which is where I have most experience, Voce could put authentication in your whole api, with OAUTH 2.0, as it works in GOOGLE, Voce can only call the Apis if Voce has a valid TOKEN, which is acquired when Voce does a Rest with your user, password and api Voce wants to access
– Paulo Alexandre
@Pauloalexandre this remains useless. OAUTH only says whether or not someone is authorized to make the requisition. However, once you have a valid session, a valid token, Voce can send any request. That is, there is no filter of what may or may not be sent, the server remains responsible for restricting what is valid or not, so the use of "front-end restrictions" is useless, in the security aspect.
– Inkeliz
@Guilherme Costamilam, also do not use
$password === $confirm
, this is vulnerable to Attack timing. PHP has hash_equals, which compares securely, and better yet, has password_hash.– Inkeliz
Thanks @Inkeliz, the code is very basic, just for example
– Costamilam