-3

I am new to backend REST API development. I am creating the CRUD APIs for books using Spring Boot. I have a model class, let's say 'user'. It will have many fields, like id, name, email, status, created_at, etc.

I have multiple APIs for user-related actions like login, register, update, delete, and so on. How do I ensure that the user sends the correct amount of data for the particular API? E.g., id and status are not required for registration. Status should not be updated during the update API call.

And also, while sending the user information, I should not send the password to the user. How do I ensure I do that?

One solution I get is using DTOs in Spring Boot. Then I will have to create a different DTO for each API, which will be a lot. Another is doing it manually, which is also not feasible.

asked Aug 7, 2024 at 10:50
2
  • 2
    Does the number of DTOs really matter? It seems that each of these would be associated with different actions/behaviours, and therefore each represent a separate requirement, with their own method, implementation and tests, so it seems perfectly reasonable for them to have their own DTO as well. Commented Aug 7, 2024 at 11:43
  • 3
    Yes, you need DTO and validation for each endpoint. Don't expect things to happen automagically. You need to declare, preferably explicitly, what is required. Commented Aug 7, 2024 at 11:43

1 Answer

2

You cannot ensure clients send valid information. In fact, it is best if you assume they are sending incomplete or malicious information. Furthermore, you cannot prevent the client from sending sensitive information. You cannot trust the client.

Unfortunately, the very thing you don't want to do (validate input and create DTOs for each endpoint) is precisely the thing we all do. This is an opportunity to leverage the framework better. Web frameworks typically have a certain way things should be done, and this includes validating DTOs and forming standardized responses. You will need to research the idiomatic way to do this in the Spring framework.

There is no automatic way to declare requests, responses, and validate input. This depends on the application you are building. While there might be predictable patterns for how you write code in this circumstance, you won't have predictable code. No machine or algorithm can write this for you without you telling that machine what to do (be it speaking to a large language model which generates code, or informing the computer by typing code on a keyboard).

This is very feasible, but that depends on the estimate given for the work. If the estimate is too small, then the estimate is to blame, not how software needs to be built. If you provided the estimate, then you should incorporate this lesson in future estimates. If someone provided the estimate for you, then consider speaking with them about the challenges they did not account for. Be warned, however, that defining a bunch of custom DTOs and validations is not out of the ordinary.

You might just need some practice and more experience at this. It gets easier and faster each time.

On a technical level, the thing you don't want to do is the thing that should be done. If there is a tight deadline for this work, don't hide the fact you are unable to get it done on time. Communicate this as early as you can. Provide an estimate for what you think it will take to do the work so the team can at least have a conversation.

answered Aug 7, 2024 at 12:37
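The following is an added example, not code from the question or the answer, showing the per-endpoint DTO and validation approach the answer describes, in the idiomatic Spring Boot 3 style (Jakarta Bean Validation on request DTOs, a separate response DTO with no password field). Class names, field names, the in-memory store and the use of `BCryptPasswordEncoder` (which assumes `spring-security-crypto` is on the classpath) are assumptions chosen for illustration.

```java
package com.example.users;

import jakarta.validation.Valid;
import jakarta.validation.constraints.Email;
import jakarta.validation.constraints.NotBlank;
import jakarta.validation.constraints.Size;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.bind.annotation.*;

import java.time.Instant;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// Persistence model (assumed for the example). Holds everything, including the
// password hash, and is never returned directly from a controller method.
class User {
    UUID id;
    String name;
    String email;
    String passwordHash;
    String status;
    Instant createdAt;
}

// Request DTO for registration: only the fields a client may supply.
// id, status and created_at simply do not exist here, so a client cannot set them;
// Jackson ignores unknown JSON properties by default (see usage note).
record RegisterRequest(
        @NotBlank @Size(max = 100) String name,
        @NotBlank @Email String email,
        @NotBlank @Size(min = 12, max = 128) String password) {}

// Request DTO for profile update: no password and no status field,
// so "status" sent by a client is dropped rather than applied.
record UpdateProfileRequest(
        @NotBlank @Size(max = 100) String name,
        @NotBlank @Email String email) {}

// Response DTO: the only shape ever serialised back to a client.
// There is no password field, so the hash cannot leak through serialisation.
record UserResponse(UUID id, String name, String email, String status, Instant createdAt) {
    static UserResponse from(User u) {
        return new UserResponse(u.id, u.name, u.email, u.status, u.createdAt);
    }
}

@RestController
@RequestMapping("/api/users")
class UserController {
    // In-memory store standing in for a repository (assumption for the example).
    private final Map<UUID, User> users = new ConcurrentHashMap<>();
    private final PasswordEncoder encoder = new BCryptPasswordEncoder();

    // @Valid makes Spring reject a body that violates the constraints with HTTP 400
    // (MethodArgumentNotValidException) before this method body runs.
    @PostMapping
    @ResponseStatus(HttpStatus.CREATED)
    public UserResponse register(@Valid @RequestBody RegisterRequest req) {
        User u = new User();
        u.id = UUID.randomUUID();          // server-assigned, never client-supplied
        u.name = req.name();
        u.email = req.email();
        u.passwordHash = encoder.encode(req.password());
        u.status = "ACTIVE";               // server-assigned initial status
        u.createdAt = Instant.now();
        users.put(u.id, u);
        return UserResponse.from(u);
    }

    @PutMapping("/{id}")
    public ResponseEntity<UserResponse> update(@PathVariable UUID id,
                                               @Valid @RequestBody UpdateProfileRequest req) {
        User u = users.get(id);
        if (u == null) {
            return ResponseEntity.notFound().build();
        }
        // Only the fields present on the update DTO can change; status and
        // passwordHash are untouched regardless of what the client sent.
        u.name = req.name();
        u.email = req.email();
        return ResponseEntity.ok(UserResponse.from(u));
    }

    @GetMapping("/{id}")
    public ResponseEntity<UserResponse> get(@PathVariable UUID id) {
        User u = users.get(id);
        return u == null ? ResponseEntity.notFound().build()
                         : ResponseEntity.ok(UserResponse.from(u));
    }
}
```

Two points worth noting about this shape. First, the request DTOs do the "correct amount of data" check by construction: a field that is not declared on the DTO cannot reach the model, and the constraint annotations plus `@Valid` reject a missing or malformed one with a 400 before any business logic runs. By default Spring Boot's Jackson configuration silently ignores unknown JSON properties; if you would rather reject a registration body that contains `status`, set `spring.jackson.deserialization.fail-on-unknown-properties=true` in `application.properties`. Second, the password never appears in a response because `UserResponse` has no such field, which is more robust than annotating the model with `@JsonIgnore` and hoping nobody later returns the entity by accident.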
