2

I've been reading about microservices and I have some doubts about what's the data that should be sent on the body, and what's the data that should be populated in the server (by means of an id).

For example, imagine that we have a real estate agency, and the domain models are agent, client and house. Imagine that for an agent to submit a deal he has to:

  • log in into the agency's system with his account
  • create client's profile in system
  • fill transaction form with
    • client data
    • house to be sold
  • click on submit (this submits the data to the sales service)

Now my question is, if the sales service requires fields like client's first and last name, client's contacts, house's address and so on, should we:

  • send all the required data from the browser, or just the id of the house and client and the service will handle the rest?
  • if we have a restriction in the system that says that "you can only sell houses to your clients", how do we guarantee in the sales service that this agent is selling a house to his client (how can I trust the data that comes from the browser)?

Thanks in advance.

jun.hanamaki
  • 55
  • 4

1 Answers1

0

send all the required data from the browser, or just the id of the house and client and the service will handle the rest?

Typically, if the house and client aren't changing in this request, just send their IDs, e.g. 

{
  sale: {
    price: "100000.00",
    houseID: 123,
    clientID: 456
  }
}

if we have a restriction in the system that says that "you can only sell houses to your clients", how do we guarantee in the sales service that this agent is selling a house to his client (how can I trust the data that comes from the browser)?

The answer is you can't trust data from the client. If you get an incoming sale request, you have to verify it on the server. Typically you would have guard clauses or pre-filters to check any operation against constraints (along with other stuff like cleansing the data and checking the user's permission).

mahemoff
  • 44,526
  • 36
  • 160
  • 222
  • Hi, thanks for the reply. Yes I agree, sending the id's and checking on server side is what I would normally do, but since this is a micro service I question this practice. For example, if this request is sent to a service responsible for the sales how can I check if this agent can make transactions with this client? I know about denormalization to have required data in each micro service, but I don't understand if I should be using it to also check for this kind of validation/authorization. – jun.hanamaki Jun 07 '15 at 04:34
  • The main purpose of microservices is separation of concerns, so by definition microservices should behave as regular services and shouldn't magically give special privileges to incoming requests. Even if you control both microservices and even if you don't (yet) have any other clients for the receiving microservice, it still needs to conduct standard authorization and validation procedures in order to be fully autonomous and independently verifiable. – mahemoff Jun 07 '15 at 09:50
  • 1
    Hi. From what I understand you mean that a micro service should be able to do every validations required by itself, as such the "sales" micro service should have all the required information regarding the clients of each agent. Thank you again for your inputs. – jun.hanamaki Jun 09 '15 at 09:32
  • Correct. Microservices are best treated as independent/autonomous, otherwise it defeats the purpose. – mahemoff Jun 09 '15 at 16:44
  • 1
    Thanks, your input were really helpful! – jun.hanamaki Jun 09 '15 at 20:52