Whose responsibility is it to check data validity?
Solution 1:
Both consumer side(client) and provider side(API) validation.
Clients should do it because it means a better experience. For example, why do a network round trip just to be told that you've got one bad text field?
Providers should do it because they should never trust clients (e.g. XSS and man in the middle attacks). How do you know the request wasn't intercepted? Validate everything.
There are several levels of valid:
- All required fields present, correct formats. This is what the client validates.
- # 1 plus valid relationships between fields (e.g. if X is present then Y is required).
- # 1 plus # 2 plus business valid: meets all business rules for proper processing.
Only the provider side can do #2 and #3.
Solution 2:
For an API the callee should always do proper validation and throw a descriptive exception for invalid data.
For any client with IO overhead client should do basic validation as well...