26

I've created a simple API in AWS API Gateway with the following endpoint:

POST /v1/users

In Method Execution / Method Request I've added a request model:

[image]

This model schema looks like this:

[image]

However, when I make a request to that endpoint with the JSON body `{ "foo": "bar" }`, it does not reject it and my Lambda function is executed...

So why is there an option to define a JSON schema if it is not used to validate requests?

user606521

3 Answers

21

Just trying to figure this out myself, and I see you also only just asked this a few hours ago!

So far the only reference I've found is here:

http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-method-settings.html

For non-GET method types, expand Request Models, and for Content Type and Model name, type the content type and choose the name of a model that will transform caller-supplied data into the expected format.

So it seems it's more for transformation than validation - but it's not particularly clear how this actually works.

UPDATE

I just noticed this HackerNews thread:

https://news.ycombinator.com/item?id=9880683

One of the AWS engineers responded on there, and said:

Models are not required for validation. They are simply used to generate the objects in the client SDKs.

RemoteCTO
  • 3
    I also found `In API Gateway, a model defines the format, also known as the schema or shape, of some data. You create and use models to make it easier to create mapping templates. Because API Gateway is designed to work primarily with JavaScript Object Notation (JSON)-formatted data, API Gateway uses JSON Schema to define the expected schema of the data.` in the docs, so it seems that all those schemas are useless (sad) and the best way would be to pass through data... – user606521 Aug 28 '15 at 19:49
  • 9
    It could well be something like - they do plan to release schema based validation as a feature, but are waiting for enough people to try using it / complain about it not working - to actually go ahead with implementing it. Here's hoping it becomes a feature soon. – RemoteCTO Aug 28 '15 at 23:07
  • 9
    What a waste of resources. Validation based on Models would be the number 1 reason for me to use API Gateway with Swagger templates. That doesn't make too much sense to me :( – zanona Mar 02 '16 at 21:56
7

This feature has been released as of 04/11/2017. See https://aws.amazon.com/blogs/compute/how-to-remove-boilerplate-validation-logic-in-your-rest-apis-with-amazon-api-gateway-request-validation/

RyanG
1

Anyway input/model validation at the API Gateway should only be considered as an additional layer of defence from a security point of view.

Your service MUST always validate the inputs/models; it's not something you can delegate!

Daniel Gartmann
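The in-function validation this last answer calls for, as an added example that is not part of the original thread. It assumes a Lambda proxy integration (the request body arrives as a string in `event["body"]`) and a hypothetical user model with required `email` and `name` string properties, since the question's actual schema is not shown.

```python
import json

# Hypothetical user model: the question's real schema is not shown on the page.
USER_FIELDS = {"email": str, "name": str}  # every property required
MAX_BODY_BYTES = 4096
MAX_FIELD_LEN = 256

# Constructed sample events in the proxy-integration shape (body is a string).
BAD_EVENT = {"body": '{ "foo": "bar" }'}
GOOD_EVENT = {"body": '{"email": "ann@example.com", "name": "Ann"}'}


def validate_user(raw_body):
    """Return (user, None) if the body is acceptable, else (None, reason)."""
    if not isinstance(raw_body, str) or len(raw_body.encode("utf-8")) > MAX_BODY_BYTES:
        return None, "body missing or too large"
    try:
        doc = json.loads(raw_body)
    except (ValueError, RecursionError):  # malformed or absurdly nested JSON
        return None, "body is not valid JSON"
    if not isinstance(doc, dict):
        return None, "body must be a JSON object"
    if set(doc) - set(USER_FIELDS):  # same effect as additionalProperties: false
        return None, "unexpected properties"
    for field, expected in USER_FIELDS.items():
        value = doc.get(field)
        if not isinstance(value, expected) or not value.strip():
            return None, "missing or invalid property: " + field
        if len(value) > MAX_FIELD_LEN:
            return None, "property too long: " + field
    if "@" not in doc["email"]:
        return None, "email is not an address"
    return doc, None


def handler(event, context):
    """Lambda entry point for POST /v1/users; runs whether or not the gateway validated."""
    user, error = validate_user(event.get("body"))
    if error:
        return {"statusCode": 400, "body": json.dumps({"message": error})}
    # The user would be created here, from the validated dict only.
    return {"statusCode": 201, "body": json.dumps({"email": user["email"]})}


if __name__ == "__main__":
    print(handler(BAD_EVENT, None))   # rejected by the function itself
    print(handler(GOOD_EVENT, None))
```

With this in place, the `{ "foo": "bar" }` body from the question gets a 400 from the function even when no request validator is attached to the method.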