1

I'm learning about Software Architecture and especially about scaffolding large-scale architecture and patterns for modern web applications.

I've noticed that I don't have a pattern for data validation or rules, sometimes I add validations or checks () in client-side layer and others in the server-side or by adding requirement in databases schemas but I see several redundant validations.

Let's say I have an input with a username and this username should have max 10 characters, as far as I understand one validation in front-end layer ( client-side ) is enough without adding requirements/validations in a database for this property of our schema ( user in MongoDB).

My question how do I organize or create a standard validation flow for a web application?

I appreciate you if you can recommend a practical book, a blog, or a series of videos from an expert.

Menai Ala Eddine - Aladdin
  • 245
  • 1
  • 3
  • 11

2 Answers2

2

Validation should always take place server-side. You can't trust the client to do the right thing.

There are various kinds of validations, and various places those validations can occur depending on your architecture. For example, validating domain fields such as social security numbers and customer IDs generally takes place in the Model, for those architectures with an M in their abbreviation (i.e. MVVM, MVC and MVP). However, verification and validation of users (and granting of roles and privileges) generally takes place somewhere between the Model and the View (in the Controller, for MVC).

For convenience reasons, you can also perform validation in the client. But this validation is not "official;" the server side validation has the final say.

Robert Harvey
  • 199,517
  • Yes, I understand that but what confuses me is database requirements, as I mentioned in the question why we need to add requirements in our schema if I will do validations in the front-end or back-end code. – Menai Ala Eddine - Aladdin May 03 '20 at 00:06
  • 1
    Because validations are not one of those things that you do in one place. System security is about using layers of validation. The database is one such layer; providing adequate validations in that layer insures that your database system is capable of maintaining its data integrity. – Robert Harvey May 03 '20 at 00:56
  • Exactly, this is a proven answer, thank you @Robert, may you suggest a book to expand my knowledge about this topic. – Menai Ala Eddine - Aladdin May 03 '20 at 01:01
  • 2
    You must do validation server side because you must assume that the client is an attacker.

    You should do validation on the client side to improve the user experience by not letting them do things the server won’t allow. On the other side, client validation that rejects valid client requests will annoy users and cost you money. And you need to realise that while the user is busy entering data, that data will be invalid until they are finished.

     – gnasher729 May 03 '20 at 09:02
  • @gnasher729, so instead of enforcing users when entering data or ( Real-time ) validation, it's better to create validation only when the server receives requests from the client. – Menai Ala Eddine - Aladdin May 03 '20 at 19:53
  • @MenaiAlaEddine: Validation is also done on the client, for convenience reasons. Imagine having to take a round-trip to the server every time you get a field wrong in a form. Very annoying. – Robert Harvey May 03 '20 at 20:22
  • @RobertHarvey, yes you're right and I see many websites wait for you to fill long-form then tell you the wrong of them after clicking submit. Also, as I understand that validations have 3 tiers: on the client ( if the user does not make a request or query ) , on the server ( only for requests ) and databases for guarantee data schema and relationships. – Menai Ala Eddine - Aladdin May 03 '20 at 20:39
0

... as far as I understand one validation in front-end layer ( client-side ) is enough ...

Short answer: Your understanding is wrong.

You should trust nothing that comes from anywhere that you don't have complete control over (be that a machine / browser / user entry). A web browser running on someone else's machine? You have next to zero control, so zero trust. Assume everything is tainted until your Server application can satisfy itself that it's not.

What makes you think that the "person" (or "Bot"?) sending this data to ("at"?) your server application is even doing so from the HTML that you sent them?

Obligatory Reference to one of the best posts on the subject:

What technical details should a programmer of a web application consider before making the site public?

Phill W.
  • 12,181
  • Yes, as I mentioned in comments, if a user makes a request all validations must be in server or middleware or proxy but if the user only interacts with UI, we can add validations in front-end ( React/Redux) for example. – Menai Ala Eddine - Aladdin May 04 '20 at 13:23
  • Yes, you can /add/ validation in the client UI to make life /easier/ for the User. But you CANNOT rely on that validation - anything that runs on the client's computer must be treated as Suspect. Just because your server application /sent/ a UI for the User to interact with DOES NOT guarantee that subsequent requests to your server application will come /from/ from that UI! A [malicious] User can /throw away/ that HTML and send /whatever they want/ against your Server API. That's why you /always/ do meaningful validation server-side - it's the /only/ place you can trust. – Phill W. May 05 '20 at 14:26