Removing unnecessary request fields
At the moment, we are allowing the consumer to submit all the properties that our data repository requires, including userId, userName, and created. However, these properties can be set on the server. In fact, the client doesn't need to know or care about userId.
Exposing the client to more properties than it needs impacts the usability of the API and can also cause security issues. For example, with our current API, a client can pretend to be any user when submitting questions and answers.
In the following subsections, we are going to tighten up some requests so that they don't contain unnecessary information. We will start by removing the userId, userName, and created fields from posting questions before moving on to removing the userId and created fields from posting answers.
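The following console program is an added illustration of the risk described above, not code from the original text. It binds one constructed request body to an over-exposed model and to a trimmed one; the class name QuestionPostFullRequest, the Title and Content properties, and the authenticated-user values are assumptions made for the example.

```csharp
using System;
using System.Text.Json;

// Over-exposed shape (hypothetical name): every repository field is client-settable.
public class QuestionPostFullRequest
{
    public string Title { get; set; }      // assumed field
    public string Content { get; set; }    // assumed field
    public string UserId { get; set; }
    public string UserName { get; set; }
    public DateTime Created { get; set; }
}

// Trimmed shape: only the fields the client legitimately supplies.
public class QuestionPostRequest
{
    public string Title { get; set; }      // assumed field
    public string Content { get; set; }    // assumed field
}

public static class Program
{
    // Constructed sample body in which the caller claims someone else's identity.
    const string Body = @"{""title"":""T"",""content"":""C"",
        ""userId"":""other-user"",""userName"":""other@example.com"",
        ""created"":""2001-01-01T00:00:00Z""}";

    static readonly JsonSerializerOptions Options =
        new JsonSerializerOptions { PropertyNameCaseInsensitive = true };

    public static void Main()
    {
        // Stand-ins for values the server reads from the authenticated request.
        const string authenticatedUserId = "caller-id";
        const string authenticatedUserName = "caller@example.com";

        // Before: the client-supplied identity and timestamp are bound and would be stored.
        var full = JsonSerializer.Deserialize<QuestionPostFullRequest>(Body, Options);
        Console.WriteLine($"over-exposed: {full.UserId} / {full.UserName} / {full.Created:u}");

        // After: the extra JSON members have no property to bind to and are skipped,
        // so the server fills in identity and timestamp itself.
        var trimmed = JsonSerializer.Deserialize<QuestionPostRequest>(Body, Options);
        var created = DateTime.UtcNow;
        Console.WriteLine($"trimmed: '{trimmed.Title}' stored as " +
            $"{authenticatedUserId} / {authenticatedUserName} / {created:u}");
    }
}
```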
Removing unnecessary request fields from posting a question
Our QuestionPostRequest...