Should you expect unexpected values from external APIs?
Lets say you are coding a function that takes input from an external API MyAPI.
That external API MyAPI has a contract that states it will return a string or a number.
Is it recommended to guard against things like null, undefined, boolean, etc. even though it's not part of the API of MyAPI? In particular, since you have no control over that API you cannot make the guarantee through something like static type analysis so it's better to be safe than sorry?
I'm thinking in relation to the Robustness Principle.
design api api-design web-services functions
asked 57 mins ago
Adam ThompsonAdam Thompson
22217
add a comment |
Lets say you are coding a function that takes input from an external API MyAPI.
That external API MyAPI has a contract that states it will return a string or a number.
Is it recommended to guard against things like null, undefined, boolean, etc. even though it's not part of the API of MyAPI? In particular, since you have no control over that API you cannot make the guarantee through something like static type analysis so it's better to be safe than sorry?
I'm thinking in relation to the Robustness Principle.
design api api-design web-services functions
asked 57 mins ago
Adam ThompsonAdam Thompson
22217
3
What are the impacts of not handling those unexpected values if they are returned? Can you live with these impacts? Is it worth the complexity to handle those unexpected values to prevent having to deal with the impacts?
– Vincent Savard
56 mins ago
@VincentSavard I know I won't get an absolute answer without this data, but I'm looking for an in general answer.
– Adam Thompson
17 mins ago
add a comment |
Lets say you are coding a function that takes input from an external API MyAPI.
That external API MyAPI has a contract that states it will return a string or a number.
Is it recommended to guard against things like null, undefined, boolean, etc. even though it's not part of the API of MyAPI? In particular, since you have no control over that API you cannot make the guarantee through something like static type analysis so it's better to be safe than sorry?
I'm thinking in relation to the Robustness Principle.
design api api-design web-services functions
asked 57 mins ago
Adam ThompsonAdam Thompson
22217
Lets say you are coding a function that takes input from an external API MyAPI.
That external API MyAPI has a contract that states it will return a string or a number.
Is it recommended to guard against things like null, undefined, boolean, etc. even though it's not part of the API of MyAPI? In particular, since you have no control over that API you cannot make the guarantee through something like static type analysis so it's better to be safe than sorry?
I'm thinking in relation to the Robustness Principle.
design api api-design web-services functions
design api api-design web-services functions
asked 57 mins ago
Adam ThompsonAdam Thompson
22217
asked 57 mins ago
Adam ThompsonAdam Thompson
22217
asked 57 mins ago
Adam ThompsonAdam Thompson
22217
asked 57 mins ago
Adam ThompsonAdam Thompson
22217
asked 57 mins ago
Adam ThompsonAdam Thompson
22217
22217
3
What are the impacts of not handling those unexpected values if they are returned? Can you live with these impacts? Is it worth the complexity to handle those unexpected values to prevent having to deal with the impacts?
– Vincent Savard
56 mins ago
@VincentSavard I know I won't get an absolute answer without this data, but I'm looking for an in general answer.
– Adam Thompson
17 mins ago
add a comment |
3
What are the impacts of not handling those unexpected values if they are returned? Can you live with these impacts? Is it worth the complexity to handle those unexpected values to prevent having to deal with the impacts?
– Vincent Savard
56 mins ago
@VincentSavard I know I won't get an absolute answer without this data, but I'm looking for an in general answer.
– Adam Thompson
17 mins ago
3
3
What are the impacts of not handling those unexpected values if they are returned? Can you live with these impacts? Is it worth the complexity to handle those unexpected values to prevent having to deal with the impacts?
– Vincent Savard
56 mins ago
What are the impacts of not handling those unexpected values if they are returned? Can you live with these impacts? Is it worth the complexity to handle those unexpected values to prevent having to deal with the impacts?
– Vincent Savard
56 mins ago
@VincentSavard I know I won't get an absolute answer without this data, but I'm looking for an in general answer.
– Adam Thompson
17 mins ago
@VincentSavard I know I won't get an absolute answer without this data, but I'm looking for an in general answer.
– Adam Thompson
17 mins ago
add a comment |
4 Answers
4
active
oldest
votes
You should never trust the inputs to your software, regardless of source. Not only validating the types is important, but also ranges of input and the business logic as well.
Failing to do so will at best leave you with garbage data that you have to later clean up, but at worst you'll leave an opportunity for malicious exploits if that upstream service gets compromised in some fashion (q.v. the Target hack). The range of problems in between includes getting your application in an unrecoverable state.
answered 41 mins ago
PaulPaul
2,209913
add a comment |
Let's compare the two scenarios and try to come to a conclusion.
Scenario 1
Our application assumes the external API will behave as per the agreement.
Scenario 2
Our application assumes the external API can misbehave, hence add precautions.
In general, there is a chance for any API or software to violate the agreements; may be due to a bug or unexpected conditions. Even an API might be having issues in the internal systems resulting in unexpected results.
If our program is written assuming the external API will adhere to the agreements and avoid adding any precautions; who will be the party facing the issues? It will be us, the ones who has written integration code.
For example, the null values that you have picked. Say, as per the API agreement the response should have not-null values; but if it is suddenly violated our program will result in NPEs.
So, I believe it will be better to make sure your application has some additional code to address unexpected scenarios.
answered 44 mins ago
lkamallkamal
1333
New contributor
lkamal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Yes, of course. But what makes you think the answer could be different?
You surely don't want to let your program behave in some unpredictable manner in case the API does not return what the contract says, don't you? So at least you have to deal with such a behaviour somehow. A minimal form of error handling is always worth the (very minimal!) effort, and there is absolutely no excuse for not implementing something like this.
However, how much effort you should invest to deal with such a case is heavily case dependent and can only be answered in context of your system. Often, a short log entry and letting the application end gracefully can be enough. Sometimes, you will be better off to implement some detailed exception handling, dealing with different forms of "wrong" return values, and maybe have to implement some fallback strategy.
But it makes a hell of a difference if you are writing just some inhouse spreadsheet formatting application, to be used by less than 10 people and where the financial impact of an application crash is quite low, or if you are creating a new autonomous car driving system, where an application crash may cost lives.
So there is no shortcut against reflecting about what you are doing, using your common sense is always mandatory.
answered 30 mins ago
Doc BrownDoc Brown
131k23240379
add a comment |
You should always validate incoming data -- user-entered or otherwise -- so you should have a process in place to handle when the data retrieved from this external API is invalid.
Generally speaking, any seam where extra-orgranizational systems meet should require authentication, authorization (if not defined simply by authentication), and validation.
answered 34 mins ago
StarTrekRedneckStarTrekRedneck
1711
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "131"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsoftwareengineering.stackexchange.com%2fquestions%2f385497%2fshould-you-expect-unexpected-values-from-external-apis%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
You should never trust the inputs to your software, regardless of source. Not only validating the types is important, but also ranges of input and the business logic as well.
Failing to do so will at best leave you with garbage data that you have to later clean up, but at worst you'll leave an opportunity for malicious exploits if that upstream service gets compromised in some fashion (q.v. the Target hack). The range of problems in between includes getting your application in an unrecoverable state.
answered 41 mins ago
PaulPaul
2,209913
add a comment |
You should never trust the inputs to your software, regardless of source. Not only validating the types is important, but also ranges of input and the business logic as well.
Failing to do so will at best leave you with garbage data that you have to later clean up, but at worst you'll leave an opportunity for malicious exploits if that upstream service gets compromised in some fashion (q.v. the Target hack). The range of problems in between includes getting your application in an unrecoverable state.
answered 41 mins ago
PaulPaul
2,209913
add a comment |
You should never trust the inputs to your software, regardless of source. Not only validating the types is important, but also ranges of input and the business logic as well.
Failing to do so will at best leave you with garbage data that you have to later clean up, but at worst you'll leave an opportunity for malicious exploits if that upstream service gets compromised in some fashion (q.v. the Target hack). The range of problems in between includes getting your application in an unrecoverable state.
answered 41 mins ago
PaulPaul
2,209913
You should never trust the inputs to your software, regardless of source. Not only validating the types is important, but also ranges of input and the business logic as well.
Failing to do so will at best leave you with garbage data that you have to later clean up, but at worst you'll leave an opportunity for malicious exploits if that upstream service gets compromised in some fashion (q.v. the Target hack). The range of problems in between includes getting your application in an unrecoverable state.
answered 41 mins ago
PaulPaul
2,209913
answered 41 mins ago
PaulPaul
2,209913
answered 41 mins ago
PaulPaul
2,209913
answered 41 mins ago
PaulPaul
2,209913
2,209913
add a comment |
add a comment |
Let's compare the two scenarios and try to come to a conclusion.
Scenario 1
Our application assumes the external API will behave as per the agreement.
Scenario 2
Our application assumes the external API can misbehave, hence add precautions.
In general, there is a chance for any API or software to violate the agreements; may be due to a bug or unexpected conditions. Even an API might be having issues in the internal systems resulting in unexpected results.
If our program is written assuming the external API will adhere to the agreements and avoid adding any precautions; who will be the party facing the issues? It will be us, the ones who has written integration code.
For example, the null values that you have picked. Say, as per the API agreement the response should have not-null values; but if it is suddenly violated our program will result in NPEs.
So, I believe it will be better to make sure your application has some additional code to address unexpected scenarios.
answered 44 mins ago
lkamallkamal
1333
New contributor
lkamal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Let's compare the two scenarios and try to come to a conclusion.
Scenario 1
Our application assumes the external API will behave as per the agreement.
Scenario 2
Our application assumes the external API can misbehave, hence add precautions.
In general, there is a chance for any API or software to violate the agreements; may be due to a bug or unexpected conditions. Even an API might be having issues in the internal systems resulting in unexpected results.
If our program is written assuming the external API will adhere to the agreements and avoid adding any precautions; who will be the party facing the issues? It will be us, the ones who has written integration code.
For example, the null values that you have picked. Say, as per the API agreement the response should have not-null values; but if it is suddenly violated our program will result in NPEs.
So, I believe it will be better to make sure your application has some additional code to address unexpected scenarios.
answered 44 mins ago
lkamallkamal
1333
New contributor
lkamal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
Let's compare the two scenarios and try to come to a conclusion.
Scenario 1
Our application assumes the external API will behave as per the agreement.
Scenario 2
Our application assumes the external API can misbehave, hence add precautions.
In general, there is a chance for any API or software to violate the agreements; may be due to a bug or unexpected conditions. Even an API might be having issues in the internal systems resulting in unexpected results.
If our program is written assuming the external API will adhere to the agreements and avoid adding any precautions; who will be the party facing the issues? It will be us, the ones who has written integration code.
For example, the null values that you have picked. Say, as per the API agreement the response should have not-null values; but if it is suddenly violated our program will result in NPEs.
So, I believe it will be better to make sure your application has some additional code to address unexpected scenarios.
answered 44 mins ago
lkamallkamal
1333
New contributor
lkamal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Let's compare the two scenarios and try to come to a conclusion.
Scenario 1
Our application assumes the external API will behave as per the agreement.
Scenario 2
Our application assumes the external API can misbehave, hence add precautions.
In general, there is a chance for any API or software to violate the agreements; may be due to a bug or unexpected conditions. Even an API might be having issues in the internal systems resulting in unexpected results.
If our program is written assuming the external API will adhere to the agreements and avoid adding any precautions; who will be the party facing the issues? It will be us, the ones who has written integration code.
For example, the null values that you have picked. Say, as per the API agreement the response should have not-null values; but if it is suddenly violated our program will result in NPEs.
So, I believe it will be better to make sure your application has some additional code to address unexpected scenarios.
answered 44 mins ago
lkamallkamal
1333
New contributor
lkamal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 44 mins ago
lkamallkamal
1333
New contributor
lkamal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 44 mins ago
lkamallkamal
1333
answered 44 mins ago
lkamallkamal
1333
1333
New contributor
lkamal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
lkamal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
lkamal is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
Yes, of course. But what makes you think the answer could be different?
You surely don't want to let your program behave in some unpredictable manner in case the API does not return what the contract says, don't you? So at least you have to deal with such a behaviour somehow. A minimal form of error handling is always worth the (very minimal!) effort, and there is absolutely no excuse for not implementing something like this.
However, how much effort you should invest to deal with such a case is heavily case dependent and can only be answered in context of your system. Often, a short log entry and letting the application end gracefully can be enough. Sometimes, you will be better off to implement some detailed exception handling, dealing with different forms of "wrong" return values, and maybe have to implement some fallback strategy.
But it makes a hell of a difference if you are writing just some inhouse spreadsheet formatting application, to be used by less than 10 people and where the financial impact of an application crash is quite low, or if you are creating a new autonomous car driving system, where an application crash may cost lives.
So there is no shortcut against reflecting about what you are doing, using your common sense is always mandatory.
answered 30 mins ago
Doc BrownDoc Brown
131k23240379
add a comment |
Yes, of course. But what makes you think the answer could be different?
You surely don't want to let your program behave in some unpredictable manner in case the API does not return what the contract says, don't you? So at least you have to deal with such a behaviour somehow. A minimal form of error handling is always worth the (very minimal!) effort, and there is absolutely no excuse for not implementing something like this.
However, how much effort you should invest to deal with such a case is heavily case dependent and can only be answered in context of your system. Often, a short log entry and letting the application end gracefully can be enough. Sometimes, you will be better off to implement some detailed exception handling, dealing with different forms of "wrong" return values, and maybe have to implement some fallback strategy.
But it makes a hell of a difference if you are writing just some inhouse spreadsheet formatting application, to be used by less than 10 people and where the financial impact of an application crash is quite low, or if you are creating a new autonomous car driving system, where an application crash may cost lives.
So there is no shortcut against reflecting about what you are doing, using your common sense is always mandatory.
answered 30 mins ago
Doc BrownDoc Brown
131k23240379
add a comment |
Yes, of course. But what makes you think the answer could be different?
You surely don't want to let your program behave in some unpredictable manner in case the API does not return what the contract says, don't you? So at least you have to deal with such a behaviour somehow. A minimal form of error handling is always worth the (very minimal!) effort, and there is absolutely no excuse for not implementing something like this.
However, how much effort you should invest to deal with such a case is heavily case dependent and can only be answered in context of your system. Often, a short log entry and letting the application end gracefully can be enough. Sometimes, you will be better off to implement some detailed exception handling, dealing with different forms of "wrong" return values, and maybe have to implement some fallback strategy.
But it makes a hell of a difference if you are writing just some inhouse spreadsheet formatting application, to be used by less than 10 people and where the financial impact of an application crash is quite low, or if you are creating a new autonomous car driving system, where an application crash may cost lives.
So there is no shortcut against reflecting about what you are doing, using your common sense is always mandatory.
answered 30 mins ago
Doc BrownDoc Brown
131k23240379
Yes, of course. But what makes you think the answer could be different?
You surely don't want to let your program behave in some unpredictable manner in case the API does not return what the contract says, don't you? So at least you have to deal with such a behaviour somehow. A minimal form of error handling is always worth the (very minimal!) effort, and there is absolutely no excuse for not implementing something like this.
However, how much effort you should invest to deal with such a case is heavily case dependent and can only be answered in context of your system. Often, a short log entry and letting the application end gracefully can be enough. Sometimes, you will be better off to implement some detailed exception handling, dealing with different forms of "wrong" return values, and maybe have to implement some fallback strategy.
But it makes a hell of a difference if you are writing just some inhouse spreadsheet formatting application, to be used by less than 10 people and where the financial impact of an application crash is quite low, or if you are creating a new autonomous car driving system, where an application crash may cost lives.
So there is no shortcut against reflecting about what you are doing, using your common sense is always mandatory.
answered 30 mins ago
Doc BrownDoc Brown
131k23240379
edited 24 mins ago
answered 30 mins ago
Doc BrownDoc Brown
131k23240379
answered 30 mins ago
Doc BrownDoc Brown
131k23240379
answered 30 mins ago
Doc BrownDoc Brown
131k23240379
131k23240379
add a comment |
add a comment |
You should always validate incoming data -- user-entered or otherwise -- so you should have a process in place to handle when the data retrieved from this external API is invalid.
Generally speaking, any seam where extra-orgranizational systems meet should require authentication, authorization (if not defined simply by authentication), and validation.
answered 34 mins ago
StarTrekRedneckStarTrekRedneck
1711
add a comment |
You should always validate incoming data -- user-entered or otherwise -- so you should have a process in place to handle when the data retrieved from this external API is invalid.
Generally speaking, any seam where extra-orgranizational systems meet should require authentication, authorization (if not defined simply by authentication), and validation.
answered 34 mins ago
StarTrekRedneckStarTrekRedneck
1711
add a comment |
You should always validate incoming data -- user-entered or otherwise -- so you should have a process in place to handle when the data retrieved from this external API is invalid.
Generally speaking, any seam where extra-orgranizational systems meet should require authentication, authorization (if not defined simply by authentication), and validation.
answered 34 mins ago
StarTrekRedneckStarTrekRedneck
1711
You should always validate incoming data -- user-entered or otherwise -- so you should have a process in place to handle when the data retrieved from this external API is invalid.
Generally speaking, any seam where extra-orgranizational systems meet should require authentication, authorization (if not defined simply by authentication), and validation.
answered 34 mins ago
StarTrekRedneckStarTrekRedneck
1711
answered 34 mins ago
StarTrekRedneckStarTrekRedneck
1711
answered 34 mins ago
StarTrekRedneckStarTrekRedneck
1711
answered 34 mins ago
StarTrekRedneckStarTrekRedneck
1711
1711
add a comment |
add a comment |
Thanks for contributing an answer to Software Engineering Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsoftwareengineering.stackexchange.com%2fquestions%2f385497%2fshould-you-expect-unexpected-values-from-external-apis%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
3
What are the impacts of not handling those unexpected values if they are returned? Can you live with these impacts? Is it worth the complexity to handle those unexpected values to prevent having to deal with the impacts?
– Vincent Savard
56 mins ago
@VincentSavard I know I won't get an absolute answer without this data, but I'm looking for an in general answer.
– Adam Thompson
17 mins ago