#1 2015-04-07 01:12:35

ws
Member
Registered: 2015-03-17
Posts: 19

Server Side Validation

The TSQLServerRest class, already had the ServerSideValidate property, if yes, why was excluded?

Offline

#2 2015-04-07 09:28:08

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,371
Website

Re: Server Side Validation

I do not understand what you mean, sorry.
sad

Offline

#3 2015-04-07 14:10:59

ws
Member
Registered: 2015-03-17
Posts: 19

Re: Server Side Validation

sorry, I'll try again.

this link "http://synopse.info/forum/viewtopic.php?id=1500" has a reference to this property.

TSQLServerRest.ServerSideValidate := true;

Offline

#4 2015-04-07 14:44:35

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,371
Website

Re: Server Side Validation

This patch has never been integrated into the main source code.
AFAIR it was just a trial from one mORMot user: proper integration would require much more work, and would slow down the whole process.

The validation should be done at business level, not at ORM/REST level.
At ORM/REST level, the framework works with "pure" JSON content, with no temporary conversion to a TSQLRecord instance.
It is able to directly create the SQL from the JSON, for best speed.
So validation should be done on client side, before sending the data to the server.

Offline

#5 2015-04-07 20:28:09

ws
Member
Registered: 2015-03-17
Posts: 19

Re: Server Side Validation

Thanks ab!

Offline

#6 2015-04-08 06:21:31

jonjbar
Member
Registered: 2012-12-27
Posts: 37

Re: Server Side Validation

ab wrote:

So validation should be done on client side, before sending the data to the server.

Clients must never be trusted!

Offline

#7 2015-04-08 06:46:12

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,371
Website

Re: Server Side Validation

REST clients should be trusted, otherwise you may introduce unexpected business logic within resource access.
See http://stackoverflow.com/a/16461863

It is similar to the concern of putting the business logic within a SQL database using triggers, or only relying on table definition ("foreign key").
Definitively not a good approach.
The persistence details should be abstracted from the logic.

Basic security is available in the framework, to access a REST resource, i.e. a table, for Read or Write operations.
See http://synopse.info/files/html/Synopse% … #TITLE_488

In application layer is where your business logic should reside.
In application layer is where validation should take place.

Offline

#8 2015-04-08 09:28:11

jonjbar
Member
Registered: 2012-12-27
Posts: 37

Re: Server Side Validation

IMHO any kind of clients (REST included) must be put on a leash as there are plenty of bad things they could do which they shouldn't be allowed to. From the top of my head, I can think about:
- Access resources (rows/fields) without proper permission
- Delete/Update resources without proper permission
- Send invalid data which could result in either data corruption or server crash
- Send malformed (string instead of int, data is too long...) or missing data (required field) which could lead to future problems (data analysis, report generation...)

Where it should be done is another question which should be carefully thought out:
- Invalid access permissions should be checked (at the very least) before returning data to the client. If not before accessing data in the persistence storage
- Invalid modification access should be checked before modifying the persistence storage
- Invalid formated data or missing data should be checked before modifying the persistence storage
- Invalid data resulting in server crash should be handled as soon as it is received (e.g data flood, invalid characters, invalid requests...)
- Invalid data resulting in data corruption should be handled before writing to persistence storage

Regarding table access security, this is great but not enough for most systems: row-level and even field-level security and validation should be handled from the server.
I admit I do not know mORMot enough to say that it is not possible to do so or that it should handle everything.
But as far as I can tell mORMot includes both the data persistence access and REST server with direct interactions between them so it should provide a way to interfere and add safe guards between both.

I hope you'll see those remarks as constructive, not critics wink

Offline

Board footer

Powered by FluxBB