
I would like to prevent users from putting additional properties in the body when they POST/PATCH to my API.

Let's say we have the following model:

    { "test": "value" }

If a user POSTs the following:

    { "test": "value", "anotherProp": "value" }

I would like to return a BadRequestResult (400) because 'anotherProp' is NOT expected. All I want is a body with a 'test' property.

Baral
  • Does this answer your question? [Throw error when unknown property found in input API request?](https://stackoverflow.com/questions/30481251/throw-error-when-unknown-property-found-in-input-api-request) – knittl Dec 03 '20 at 18:53
  • Does this answer your question? https://stackoverflow.com/questions/21030712/detect-if-deserialized-object-is-missing-a-field-with-the-jsonconvert-class-in-j – knittl Dec 03 '20 at 18:54
  • @knittl, no. I don't want any other property. I just want to receive 'test'. – Baral Dec 03 '20 at 18:56
  • yes, and both questions show a way to have your deserialization fail if it encounters "anotherProp". How does that not answer your question? Please extend your question with an explanation why this does not do what you want (sample inputs, sample outputs, i.e. a "minimal reproducible example") – knittl Dec 03 '20 at 18:58
  • this is a little broad, but there should be an array of form data, you can just iterate over it and throw if there isn't a property that you're expecting. However from my POV this seems a bit pointless, just let them pass the extra data – johnny 5 Dec 03 '20 at 18:58
  • Maybe [this](https://learn.microsoft.com/en-us/aspnet/core/mvc/advanced/custom-model-binding?view=aspnetcore-5.0) can help. – dcg Dec 03 '20 at 19:03
  • I don't know if the unknown properties show up in ModelState.Keys, but if they do you could look in there for anything that doesn't belong. Personally I'd just ignore the extra stuff unless there's some cause for concern. – MetalMikester Dec 03 '20 at 19:27

1 Answer

Here ya go. Follow along with the comments in the code below...

    using System;
    using Newtonsoft.Json;

    public class MyObject
    {
        public string MyProperty { get; set; }
    }

    class Program
    {
        static void Main()
        {
            // This is a valid JSON instance of MyObject
            string json1 = "{\"MyProperty\" : \"foobar\"}";

            // This is NOT a valid JSON instance of MyObject, as it has an unwanted property.
            string json2 = "{\"MyProperty\" : \"foobar\", \"MyProperty2\" : \"foobar2\"}";

            // This will deserialize 'json1' into a MyObject
            MyObject myObject1 = JsonConvert.DeserializeObject<MyObject>(json1);

            // This will deserialize 'json2' into a MyObject, ignoring the unwanted property
            // (the default MissingMemberHandling is Ignore).
            MyObject myObject2 = JsonConvert.DeserializeObject<MyObject>(json2);

            try
            {
                // This will throw an error: Could not find member 'MyProperty2' on object of type 'MyObject'.
                JsonConvert.DeserializeObject<MyObject>(json2, new JsonSerializerSettings
                {
                    MissingMemberHandling = MissingMemberHandling.Error
                });
            }
            catch (JsonSerializationException ex)
            {
                Console.WriteLine(ex.Message);
            }
        }
    }

Here's the documentation on this: https://www.newtonsoft.com/json/help/html/DeserializeMissingMemberHandling.htm

Casey Crookston
  • How is this answer different from the answer to https://stackoverflow.com/questions/21030712/detect-if-deserialized-object-is-missing-a-field-with-the-jsonconvert-class-in-j? – knittl Dec 04 '20 at 15:37
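
The same `MissingMemberHandling.Error` setting can be applied to the API's JSON input formatter, so that a body with an unexpected property is rejected with a 400 before the action runs, which also guards against over-posting. This is an added example, not code from the question or the answer; it assumes ASP.NET Core with the Microsoft.AspNetCore.Mvc.NewtonsoftJson package, and `TestModel`, `TestController` and the `api/test` route are hypothetical names.

```csharp
// Added example; TestModel, TestController and the "api/test" route are hypothetical.
// Assumes the Microsoft.AspNetCore.Mvc.NewtonsoftJson package is referenced.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Newtonsoft.Json;

public class TestModel
{
    [JsonProperty("test")]
    public string Test { get; set; }
}

[ApiController]
[Route("api/test")]
public class TestController : ControllerBase
{
    // [ApiController] short-circuits with a 400 when model binding recorded an
    // error, so this body only runs for a payload without unknown properties.
    [HttpPost]
    public IActionResult Post([FromBody] TestModel model) => Ok(model);
}

public class Startup
{
    // Unknown JSON properties become deserialization errors, which the
    // Newtonsoft input formatter records in ModelState.
    public void ConfigureServices(IServiceCollection services) =>
        services.AddControllers().AddNewtonsoftJson(options =>
            options.SerializerSettings.MissingMemberHandling = MissingMemberHandling.Error);

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

public static class Program
{
    public static void Main(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(web => web.UseStartup<Startup>())
            .Build()
            .Run();
}
```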