Applying Validation for Queryable API in ASP.NET Web API OData

by Anand Narayanaswamy on Feb 27, 2013. Estimated reading time: 1 minute

In ASP.NET Web API OData, you can enable OData query syntax for a particular action with the Queryable attribute, as shown below:

[Queryable]
public IQueryable<WorkItem> Get(int projectId)


However, if you expose a queryable action outside your organization, you should protect the service with an additional layer of query validation. Hongmei Ge, a Program Manager at Microsoft, recently examined the various scenarios in which you can add validation to the Queryable API.

The first scenario Hongmei points out is to allow only queries that contain $top and $skip, using the AllowedQueryOptions property as shown below:

[Queryable(AllowedQueryOptions = AllowedQueryOptions.Skip | AllowedQueryOptions.Top)]
public IQueryable<WorkItem> Get(int projectId)

It is possible to limit the values of $top and $skip to 100 and 200 respectively using the MaxTop and MaxSkip properties:

[Queryable(MaxTop = 100)]
public IQueryable<WorkItem> Get(int projectId)


[Queryable(MaxSkip = 200)]
public IQueryable<WorkItem> Get(int projectId)


With the help of AllowedOrderByProperties, you can restrict ordering of the results to the Id property, because ordering by arbitrary properties could be slow:

[Queryable(AllowedOrderByProperties = "Id")]
public IQueryable<WorkItem> Get(int projectId)


If your clients only use the equal comparison inside $filter, you can enforce that with AllowedLogicalOperators:

[Queryable(AllowedLogicalOperators = AllowedLogicalOperators.Equal)]
public IQueryable<WorkItem> Get(int projectId)


It is possible to turn off arithmetic operations in $filter by setting AllowedArithmeticOperators to None:

[Queryable(AllowedArithmeticOperators = AllowedArithmeticOperators.None)]
public IQueryable<WorkItem> Get(int projectId)


You can limit the functions permitted in $filter using the AllowedFunctions property:

[Queryable(AllowedFunctions = AllowedFunctions.StartsWith)]
public IQueryable<WorkItem> Get(int projectId)


The above code means that only the StartsWith function can be used in $filter.

Hongmei also demonstrates query validation in advanced scenarios, such as customizing the default validation logic for $skip, $top, $orderby and $filter, and using ODataQueryOptions to validate the query explicitly.
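The following controller is an added example, not code from Hongmei's post or from InfoQ. It shows the ODataQueryOptions approach mentioned above: instead of stacking the individual [Queryable(...)] settings from this article on the action, the same constraints are collected in one ODataValidationSettings object and applied by calling Validate before the query runs. The WorkItem shape, the in-memory data and the ApiController/OData namespaces (the System.Web.Http.OData package of the time) are assumptions made for the sample.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using System.Web.Http.OData.Query;
using Microsoft.Data.OData;   // ODataException, thrown when validation fails

// Hypothetical entity: the article only names the type WorkItem.
public class WorkItem
{
    public int Id { get; set; }
    public int ProjectId { get; set; }
    public string Title { get; set; }
    public int Priority { get; set; }
}

public class WorkItemsController : ApiController
{
    // Constructed in-memory data so the sample runs without a database.
    private static readonly List<WorkItem> Items = Enumerable.Range(1, 500)
        .Select(i => new WorkItem { Id = i, ProjectId = i % 3, Title = "Item " + i, Priority = i % 5 })
        .ToList();

    // One settings object that combines every constraint discussed in the article.
    private static readonly ODataValidationSettings Settings = BuildSettings();

    private static ODataValidationSettings BuildSettings()
    {
        var settings = new ODataValidationSettings
        {
            // Only these options may appear in the URL; anything else ($expand, $select, ...) is rejected.
            AllowedQueryOptions = AllowedQueryOptions.Skip | AllowedQueryOptions.Top |
                                  AllowedQueryOptions.OrderBy | AllowedQueryOptions.Filter,
            // Page size and offset caps: $top above 100 or $skip above 200 fail validation.
            MaxTop = 100,
            MaxSkip = 200,
            // Only "eq" inside $filter. Note that "and"/"or" are logical operators too,
            // so combining two conditions also needs AllowedLogicalOperators.And / .Or.
            AllowedLogicalOperators = AllowedLogicalOperators.Equal,
            // No add/sub/mul/div/mod expressions in $filter.
            AllowedArithmeticOperators = AllowedArithmeticOperators.None,
            // startswith is the only function a client may call in $filter.
            AllowedFunctions = AllowedFunctions.StartsWith
        };
        // $orderby may reference Id only; sorting on arbitrary properties could be slow.
        settings.AllowedOrderByProperties.Add("Id");
        return settings;
    }

    // No [Queryable] here: the query options are bound as a parameter and validated by hand.
    public HttpResponseMessage Get(int projectId, ODataQueryOptions<WorkItem> queryOptions)
    {
        try
        {
            // Throws ODataException if the request uses anything outside the whitelist.
            queryOptions.Validate(Settings);
        }
        catch (ODataException ex)
        {
            // A query outside the allowed surface is a client error, not a server failure.
            return Request.CreateErrorResponse(HttpStatusCode.BadRequest, ex.Message);
        }

        IQueryable<WorkItem> source = Items.Where(w => w.ProjectId == projectId).AsQueryable();
        // Only a validated query is ever applied to the data source.
        IQueryable result = queryOptions.ApplyTo(source);
        return Request.CreateResponse(HttpStatusCode.OK, result);
    }
}
```

With these settings, `GET /api/workitems?projectId=1&$top=50&$orderby=Id` is accepted, while `$top=500`, `$orderby=Title` or `$filter=Priority gt 2` each produce a 400 response before any LINQ query is built. Because the settings live in one object, the same whitelist can be shared across controllers, which is harder to do when each action carries its own attribute parameters.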

MS should concentrate more on adding more oData features than this by Binoj Antony

MS should concentrate more on adding more oData features than ways to throttle/restrict features.
Have been waiting for $select feature available in oData since ages.