API Security — Request/Response Validation using WSO2 API Manager
Covid-19 pandemic is in full swing at the moment and, for most of us, this is a new experience in our life.
As a result of this calamity, enterprises are trying to adapt to new ways of doing business. They are trying to move away from the traditional lockdown mode and open up their business to the outside world so they can survive during these difficult times.
Enterprises that are already API-driven will start opening up their businesses to consumers and partners, and they will be ahead of the game. Others will try to get their API strategy in place as fast as possible to expand their reach.
The moment we open up the enterprise firewall through APIs, we add a lot of extra complexity, challenges and risk that we have to handle carefully. We use an API Management platform to help us manage these challenges.
API Management platforms offer many useful features such as rate limiting, throttling, caching, burst control, spike arrest, orchestration, a marketplace and lifecycle management, and API Security is the one that takes the highest priority among them.
Security is one of the many Quality of Service (QoS) capabilities introduced by an API Management layer. API Managers add a set of additional security features on top of the existing API layer.
JSON Schema Validator is one of those additional security features which WSO2 API Manager provides as part of its latest release — API Manager 3.0.
Scenario 1 — From the functionality perspective, it’s always best to avoid unwanted requests going through the gateway to the backend services, because they tax the gateway and the backend services unnecessarily. While we apply all the validations at the client application level (desktop/web/mobile), it’s best to have an extra check at the gateway level and stop the request from going to the backend if it is not valid or legitimate.
- Ex: a mismatch in the number of input parameters or in the data type of the input parameters (sending 2 integer parameters when the backend service is expecting 2 string parameters).
In the above scenario, even if the client application forgets or accidentally skips the input validation, a validation of incoming payloads at the gateway level can stop the request from being sent to the backend services, so they are not taxed unnecessarily.
Scenario 2 — From the security perspective, it’s always best to validate the incoming payloads and send only the validated requests to the backend services. Attackers may try to break the API Gateway and the backend services by sending malicious payloads, and the client application alone will not be able to prevent this. Therefore, it is vital to have thorough server-side validation at the gateway that checks all requests and responses, so that backend failures are reduced.
The solution to this problem is the JSON Schema Validator that comes with the WSO2 API Manager.
The JSON Schema Validator in WSO2 API Manager evaluates the incoming payload and checks whether it conforms to the JSON schema defined in the “swagger.json” file, ensuring that the required properties are present and the additional constraints are satisfied.
If the request fails the validations, the JSON Schema Validator sends a bad request error (status code = 400) and blocks the request from reaching the backend. Likewise, if the response fails the validations, the JSON Schema Validator sends an internal server error (status code = 500) to the client.
Let’s assume that we have defined a schema as shown below:
According to the above schema, the “name” and “photoUrls” fields are required; “name” must be a string, “photoUrls” must be an array, and the remaining properties must be of integer type in int64 format. If the JSON Schema Validator is enabled and a request does not adhere to this schema, the validator fails it with a Bad Request response and blocks it from reaching the backend.
How it works
The JSON Schema Validator uses the “swaggerSchemavalidator” handler to validate the API schema. When a user enables schema validation, either via the API Publisher Portal or via the REST API, the “swaggerSchemavalidator” handler is enabled in the API’s Synapse configuration file. Once an API request or response reaches the validator handler, the handler builds the message and extracts the payload. It then extracts the relevant schema, creates an inline schema model and hands it over to the third-party validation library. The JSON Schema Validator validates requests before forwarding them to the backend, and it also validates all response payloads against the defined response schema before responding to the client.
Let’s examine how the request and response validation flows work.
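To make the behaviour described above concrete, here is an added example (not WSO2 code) that re-implements the gateway check in plain Python: it builds the payload, validates it against the schema described earlier, and maps a request failure to 400 and a backend-response failure to 500. The schema is constructed from the post’s description; the name “id” for the int64 property is an assumption.

```python
import json

INT64_MIN, INT64_MAX = -2**63, 2**63 - 1

# Constructed schema following the post's description: "name" and
# "photoUrls" are required, "name" is a string, "photoUrls" an array,
# and an integer property (assumed here to be named "id") is int64.
PET_SCHEMA = {
    "type": "object",
    "required": ["name", "photoUrls"],
    "properties": {
        "id": {"type": "integer", "format": "int64"},
        "name": {"type": "string"},
        "photoUrls": {"type": "array"},
    },
}

def validate(instance, schema):
    """Return a list of violations (empty means the payload is valid)."""
    if not isinstance(instance, dict):
        return ["payload must be a JSON object"]
    errors = [f"missing required property '{k}'"
              for k in schema.get("required", []) if k not in instance]
    for key, rule in schema.get("properties", {}).items():
        if key not in instance:
            continue
        value, t = instance[key], rule["type"]
        type_ok = {
            "string": isinstance(value, str),
            "array": isinstance(value, list),
            # bool is a subclass of int in Python, so reject it explicitly
            "integer": isinstance(value, int) and not isinstance(value, bool),
        }[t]
        if not type_ok:
            errors.append(f"property '{key}' must be of type {t}")
        elif t == "integer" and rule.get("format") == "int64" and not INT64_MIN <= value <= INT64_MAX:
            errors.append(f"property '{key}' is out of int64 range")
    return errors

def gateway_check(raw_body, schema, direction):
    """Mimic the gateway handler: parse the body, validate it, and map a failure
    to 400 for requests or 500 for backend responses. 200 means pass-through."""
    failure_status = 400 if direction == "request" else 500
    try:
        payload = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        return failure_status, [f"malformed JSON: {exc.msg}"]
    errors = validate(payload, schema)
    return (200, []) if not errors else (failure_status, errors)
```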
Sending a valid request — the following diagram illustrates the message flow when sending a valid request.
Sending an invalid request — the following diagram illustrates the message flow when sending an invalid request.
Below is a sample response we receive from the JSON Validator when we send an invalid request:
Valid response from the backend — the following diagram illustrates the message flow when sending a valid response from the backend.
Invalid response from the backend — the following diagram illustrates the message flow when sending an invalid response from the backend.
Below is a sample response we receive from the JSON Validator when we receive an invalid response from the backend:
Enabling the JSON Schema Validator
We can enable the JSON Schema Validator using the API Publisher web portal.
When JSON schema validation is enabled, the payload is built for every request and response. This adds to the round-trip time of an API call, so pay extra attention when enabling this feature.
The JSON Schema Validator that comes with the WSO2 API Manager provides a set of additional functional and security validation capabilities at a small performance cost.
Go ahead and evaluate it to see how it can fit into the use cases in your API journey.