Michał Pietraszko

Reputation: 6199

REST API - Should I return an error if the request body has more information than needed?

My current configuration limits the number of properties and the size of the request body for every endpoint. Should I return an error if the request body has more information than needed?

Let's say that the /authenticate endpoint requires the JSON body shown below:

{
  "login": "string",
  "password": "string"
}

and the user sends a request

{
  "login": "mylogin",
  "password": "mypassword",
  "foo": "bar"
}

Should REST API return an error in this case?

Upvotes: 4

Views: 2540

Answers (2)

Andrew

Reputation: 49606

There are two options here:

1. Ignoring fields that don't affect request processing and cannot change it.

By default, most JSON/XML parsers, when filling an entity, skip fields that aren't reflected in the model.

2. Strict field matching and returning the HTTP 422 UNPROCESSABLE ENTITY or 400 BAD REQUEST code.

You could have a list of all allowed fields for each endpoint to compare an incoming request with.

It depends on your API design and the style you want users to follow.

Upvotes: 3

forever-programmer

Reputation: 13

By default, the request is not validated for additional fields. For JSON Schema, there's a parameter 'additionalProperties', whose value can be set to false.

Refer to this link: Understanding JSON schema validation. The relevant portion is copied below.

The additionalProperties keyword is used to control the handling of extra stuff, that is, properties whose names are not listed in the properties keyword. By default any additional properties are allowed. The additionalProperties keyword may be either a boolean or an object. If additionalProperties is a boolean and set to false, no additional properties will be allowed.

Upvotes: 0
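The strict option from both answers (a per-endpoint list of allowed fields, equivalent to `additionalProperties: false`), as an added example that is not part of either answer. The `SCHEMAS` table and `validate_body` function are hypothetical names, the schema shape is a small stand-in for JSON Schema, and using 400 for unparseable bodies and 422 for field violations is an assumption.

```python
import json

# Hypothetical per-endpoint schemas, shaped like a small subset of JSON Schema.
# Only the /authenticate fields come from the question; the rest is assumed.
SCHEMAS = {
    "/authenticate": {
        "properties": {"login": str, "password": str},
        "required": ["login", "password"],
        "additionalProperties": False,
    },
}


def validate_body(endpoint, raw_body):
    """Return (http_status, errors) for a raw JSON request body."""
    schema = SCHEMAS[endpoint]
    try:
        body = json.loads(raw_body)
    except ValueError:  # covers JSONDecodeError and invalid UTF-8 in bytes
        return 400, ["malformed JSON"]
    if not isinstance(body, dict):
        return 400, ["request body must be a JSON object"]

    errors = []
    allowed = schema["properties"]
    # Strict mode: anything outside the allowlist is rejected, not ignored.
    if schema.get("additionalProperties", True) is False:
        for name in sorted(body.keys() - allowed.keys()):
            # Report the property name only, never the submitted value.
            errors.append(f"unexpected property: {name}")
    for name in schema["required"]:
        if name not in body:
            errors.append(f"missing property: {name}")
    for name, expected in allowed.items():
        if name in body and not isinstance(body[name], expected):
            errors.append(f"wrong type for property: {name}")
    return (422, errors) if errors else (200, [])


if __name__ == "__main__":
    # Constructed sample bodies; the second one is the request from the question.
    samples = [
        '{"login": "mylogin", "password": "mypassword"}',
        '{"login": "mylogin", "password": "mypassword", "foo": "bar"}',
        '["mylogin", "mypassword"]',
    ]
    for raw in samples:
        print(validate_body("/authenticate", raw))
```

Setting `additionalProperties` to `True` in the table gives the lenient behaviour from the first option: the extra `foo` field is then ignored and the request passes.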
