I'm trying to wrap my head around the value of request validation in API Gateway when setting up a REST endpoint. So, during the method request phase, you can opt to validate the request body against your API's defined models. However, I see some limitations with this approach:
1. If the request body is invalid, it just returns a vague "Invalid request body" message without any details on what went wrong.
2. The model is essentially a JSON Schema, which can't handle complex validation scenarios or conditional checks.
3. Regardless, you would likely perform validation in your backend integration, like with a Lambda function, which means the API Gateway's validation ends up being redundant and needs manual synchronization with your backend logic.
The AWS documentation suggests that this could help lessen the load on your integrations by filtering out bad requests right away. This might be worthwhile for APIs with extremely high traffic or for endpoints forwarding to external services, but for most, the drawbacks seem to outweigh the benefits. I'm curious to know if anyone else feels the same way or if I've missed some advantages of using request validation in API Gateway?
5 Answers
In essence, using API Gateway can help you avoid charges for invalid requests and minimize processing with your backend. The goal is to streamline your code to focus mainly on business logic, handling bad requests right at the gateway level.
Consider these points: 1. Saves you costs on lambda invocation. 2. You could customize the error response rather than just getting "Invalid request body." 3. Relying on gateway typing means you might not even need to validate in your backend that rigorously. It keeps your backend logic focused on handling business specifics.
Validating at the gateway can really save you on lambda invocation costs if most validation can be handled there. It's potentially a good deal of savings, especially with high traffic!
Ugh, I know! The whole load reduction logic sounds good for heavy traffic, but those error messages are so unhelpful. We always end up doing extra validation in Lambda anyway, which is quite the hassle.
True, the error messaging could use some improvement. It's a pain to handle validations in both places.
There are many APIs that receive tons of traffic and just pass through requests to other APIs. But whether you use all these validation options is totally up to you. AWS is all about picking what works for your needs. You don't have to implement every feature if it doesn't add value!
Exactly! That's why I'm exploring this feature—to see if it's worth implementing.
I came here to say the same! Validating at the gateway is a huge cost-saver. That said, your concerns are valid about error messaging and redundancy, but prioritizing validation can help against volumetric attacks. Bumping issues higher up in the stack is a good move.