Enable ASP.NET ModelState validation by default

Due to recent enhancements, this produces better error messages for missing required relationships and avoids 500 errors due to foreign key constraint violations.

Author: Bart Koelman

docs/usage/options.md

@@ -100,9 +100,10 @@ options.SerializerOptions.DictionaryKeyPolicy = null;
 Because we copy resource properties into an intermediate object before serialization, JSON annotations such as `[JsonPropertyName]` and `[JsonIgnore]` on `[Attr]` properties are ignored.
 
 
-## Enable ModelState Validation
+## ModelState Validation
 
-If you would like to use ASP.NET ModelState validation into your controllers when creating / updating resources, set `ValidateModelState` to `true`. By default, no model validation is performed.
+[ASP.NET ModelState validation](https://docs.microsoft.com/en-us/aspnet/core/mvc/models/validation) can be used to validate incoming request bodies when creating and updating resources. Since v5.0, this is enabled by default.
+When `ValidateModelState` is set to `false`, no model validation is performed.
 
 How nullability affects ModelState validation is described [here](~/usage/resources/nullability.md).
 
@@ -117,5 +118,8 @@ public class Person : Identifiable<int>
     [Required]
     [MinLength(3)]
     public string FirstName { get; set; }
+
+    [Required]
+    public LoginAccount Account : get; set; }
 }
 ```

docs/usage/resources/nullability.md

@@ -2,7 +2,7 @@
 
 Properties on a resource class can be declared as nullable or non-nullable. This affects both ASP.NET ModelState validation and the way Entity Framework Core generates database columns.
 
-Note that ModelState validation is turned off by default. It can be enabled in [options](~/usage/options.md#enable-modelstate-validation).
+ModelState validation is enabled by default since v5.0. In earlier versions, it can be enabled in [options](~/usage/options.md#enable-modelstate-validation).
 
 # Value types
 

src/Examples/JsonApiDotNetCoreExample/Startup.cs

@@ -49,7 +49,6 @@ public void ConfigureServices(IServiceCollection services)
                     {
                         options.Namespace = "api/v1";
                         options.UseRelativeLinks = true;
-                        options.ValidateModelState = true;
                         options.IncludeTotalResourceCount = true;
                         options.SerializerOptions.WriteIndented = true;
                         options.SerializerOptions.Converters.Add(new JsonStringEnumConverter());

src/JsonApiDotNetCore/Configuration/IInverseNavigationResolver.cs

@@ -5,7 +5,7 @@ namespace JsonApiDotNetCore.Configuration
 {
     /// <summary>
     /// Responsible for populating <see cref="RelationshipAttribute.InverseNavigationProperty" />. This service is instantiated in the configure phase of the
-    /// application. When using a data access layer different from EF Core, you will need to implement and register this service, or set
+    /// application. When using a data access layer different from Entity Framework Core, you will need to implement and register this service, or set
     /// <see cref="RelationshipAttribute.InverseNavigationProperty" /> explicitly.
     /// </summary>
     [PublicAPI]

src/JsonApiDotNetCore/Configuration/IJsonApiOptions.cs

@@ -103,7 +103,7 @@ public interface IJsonApiOptions
         PageNumber? MaximumPageNumber { get; }
 
         /// <summary>
-        /// Whether or not to enable ASP.NET Core model state validation. False by default.
+        /// Whether or not to enable ASP.NET ModelState validation. True by default.
         /// </summary>
         bool ValidateModelState { get; }
 

src/JsonApiDotNetCore/Configuration/JsonApiApplicationBuilder.cs

@@ -96,7 +96,7 @@ public void ConfigureResourceGraph(ICollection<Type> dbContextTypes, Action<Reso
         }
 
         /// <summary>
-        /// Configures built-in ASP.NET Core MVC components. Most of this configuration can be adjusted for the developers' need.
+        /// Configures built-in ASP.NET MVC components. Most of this configuration can be adjusted for the developers' need.
         /// </summary>
         public void ConfigureMvc()
         {

src/JsonApiDotNetCore/Configuration/JsonApiOptions.cs

@@ -66,7 +66,7 @@ public sealed class JsonApiOptions : IJsonApiOptions
         public PageNumber? MaximumPageNumber { get; set; }
 
         /// <inheritdoc />
-        public bool ValidateModelState { get; set; }
+        public bool ValidateModelState { get; set; } = true;
 
         /// <inheritdoc />
         public bool AllowClientGeneratedIds { get; set; }

src/JsonApiDotNetCore/Configuration/JsonApiValidationFilter.cs

@@ -9,7 +9,7 @@
 namespace JsonApiDotNetCore.Configuration
 {
     /// <summary>
-    /// Validation filter that blocks ASP.NET Core ModelState validation on data according to the JSON:API spec.
+    /// Validation filter that blocks ASP.NET ModelState validation on data according to the JSON:API spec.
     /// </summary>
     internal sealed class JsonApiValidationFilter : IPropertyValidationFilter
     {

src/JsonApiDotNetCore/Configuration/ResourceGraphBuilder.cs

@@ -66,9 +66,9 @@ public ResourceGraphBuilder Add(DbContext dbContext)
 
         private static bool IsImplicitManyToManyJoinEntity(IEntityType entityType)
         {
-#pragma warning disable EF1001 // Internal EF Core API usage.
+#pragma warning disable EF1001 // Internal Entity Framework Core API usage.
             return entityType is EntityType { IsImplicitlyCreatedJoinEntityType: true };
-#pragma warning restore EF1001 // Internal EF Core API usage.
+#pragma warning restore EF1001 // Internal Entity Framework Core API usage.
         }
 
         /// <summary>

src/JsonApiDotNetCore/Controllers/Annotations/DisableQueryStringAttribute.cs

@@ -7,7 +7,7 @@
 namespace JsonApiDotNetCore.Controllers.Annotations
 {
     /// <summary>
-    /// Used on an ASP.NET Core controller class to indicate which query string parameters are blocked.
+    /// Used on an ASP.NET controller class to indicate which query string parameters are blocked.
     /// </summary>
     /// <example><![CDATA[
     /// [DisableQueryString(JsonApiQueryStringParameters.Sort | JsonApiQueryStringParameters.Page)]

src/JsonApiDotNetCore/Controllers/Annotations/DisableRoutingConventionAttribute.cs

@@ -4,7 +4,7 @@
 namespace JsonApiDotNetCore.Controllers.Annotations
 {
     /// <summary>
-    /// Used on an ASP.NET Core controller class to indicate that a custom route is used instead of the built-in routing convention.
+    /// Used on an ASP.NET controller class to indicate that a custom route is used instead of the built-in routing convention.
     /// </summary>
     /// <example><![CDATA[
     /// [DisableRoutingConvention, Route("some/custom/route/to/customers")]

src/JsonApiDotNetCore/Controllers/Annotations/HttpReadOnlyAttribute.cs

@@ -3,7 +3,7 @@
 namespace JsonApiDotNetCore.Controllers.Annotations
 {
     /// <summary>
-    /// Used on an ASP.NET Core controller class to indicate write actions must be blocked.
+    /// Used on an ASP.NET controller class to indicate write actions must be blocked.
     /// </summary>
     /// <example><![CDATA[
     /// [HttpReadOnly]

src/JsonApiDotNetCore/Controllers/Annotations/NoHttpDeleteAttribute.cs

@@ -3,7 +3,7 @@
 namespace JsonApiDotNetCore.Controllers.Annotations
 {
     /// <summary>
-    /// Used on an ASP.NET Core controller class to indicate the DELETE verb must be blocked.
+    /// Used on an ASP.NET controller class to indicate the DELETE verb must be blocked.
     /// </summary>
     /// <example><![CDATA[
     /// [NoHttpDelete]

src/JsonApiDotNetCore/Controllers/Annotations/NoHttpPatchAttribute.cs

@@ -3,7 +3,7 @@
 namespace JsonApiDotNetCore.Controllers.Annotations
 {
     /// <summary>
-    /// Used on an ASP.NET Core controller class to indicate the PATCH verb must be blocked.
+    /// Used on an ASP.NET controller class to indicate the PATCH verb must be blocked.
     /// </summary>
     /// <example><![CDATA[
     /// [NoHttpPatch]

src/JsonApiDotNetCore/Controllers/Annotations/NoHttpPostAttribute.cs

@@ -3,7 +3,7 @@
 namespace JsonApiDotNetCore.Controllers.Annotations
 {
     /// <summary>
-    /// Used on an ASP.NET Core controller class to indicate the POST verb must be blocked.
+    /// Used on an ASP.NET controller class to indicate the POST verb must be blocked.
     /// </summary>
     /// <example><![CDATA[
     /// [NoHttpost]

src/JsonApiDotNetCore/Controllers/BaseJsonApiController.cs

@@ -13,7 +13,7 @@
 namespace JsonApiDotNetCore.Controllers
 {
     /// <summary>
-    /// Implements the foundational ASP.NET Core controller layer in the JsonApiDotNetCore architecture that delegates to a Resource Service.
+    /// Implements the foundational ASP.NET controller layer in the JsonApiDotNetCore architecture that delegates to a Resource Service.
     /// </summary>
     /// <typeparam name="TResource">
     /// The resource type.

src/JsonApiDotNetCore/Controllers/BaseJsonApiOperationsController.cs

@@ -16,7 +16,7 @@
 namespace JsonApiDotNetCore.Controllers
 {
     /// <summary>
-    /// Implements the foundational ASP.NET Core controller layer in the JsonApiDotNetCore architecture for handling atomic:operations requests. See
+    /// Implements the foundational ASP.NET controller layer in the JsonApiDotNetCore architecture for handling atomic:operations requests. See
     /// https://jsonapi.org/ext/atomic/ for details. Delegates work to <see cref="IOperationsProcessor" />.
     /// </summary>
     [PublicAPI]

src/JsonApiDotNetCore/Errors/InvalidModelStateException.cs

@@ -15,7 +15,7 @@
 namespace JsonApiDotNetCore.Errors
 {
     /// <summary>
-    /// The error that is thrown when model state validation fails.
+    /// The error that is thrown when ASP.NET ModelState validation fails.
     /// </summary>
     [PublicAPI]
     public sealed class InvalidModelStateException : JsonApiException

src/JsonApiDotNetCore/JsonApiDotNetCore.csproj

@@ -7,7 +7,7 @@
 
   <PropertyGroup>
     <PackageTags>jsonapidotnetcore;jsonapi;json:api;dotnet;asp.net</PackageTags>
-    <Description>A framework for building JSON:API compliant REST APIs using .NET Core and Entity Framework Core. Includes support for Atomic Operations. The ultimate goal of this library is to eliminate as much boilerplate as possible by offering out-of-the-box features such as sorting, filtering and pagination. You just need to focus on defining the resources and implementing your custom business logic. This library has been designed around dependency injection making extensibility incredibly easy.</Description>
+    <Description>A framework for building JSON:API compliant REST APIs using ASP.NET and Entity Framework Core. Includes support for Atomic Operations. The ultimate goal of this library is to eliminate as much boilerplate as possible by offering out-of-the-box features such as sorting, filtering and pagination. You just need to focus on defining the resources and implementing your custom business logic. This library has been designed around dependency injection making extensibility incredibly easy.</Description>
     <PackageProjectUrl>https://www.jsonapi.net/</PackageProjectUrl>
     <PackageLicenseExpression>MIT</PackageLicenseExpression>
     <PackageRequireLicenseAcceptance>false</PackageRequireLicenseAcceptance>

src/JsonApiDotNetCore/Repositories/EntityFrameworkCoreRepository.cs

@@ -330,8 +330,8 @@ public virtual async Task DeleteAsync(TId id, CancellationToken cancellationToke
 
             foreach (RelationshipAttribute relationship in _resourceGraph.GetResourceType<TResource>().Relationships)
             {
-                // Loads the data of the relationship, if in EF Core it is configured in such a way that loading the related
-                // entities into memory is required for successfully executing the selected deletion behavior.
+                // Loads the data of the relationship, if in Entity Framework Core it is configured in such a way that loading
+                // the related entities into memory is required for successfully executing the selected deletion behavior.
                 if (RequiresLoadOfRelationshipForDeletion(relationship))
                 {
                     NavigationEntry navigation = GetNavigationEntry(resourceTracked, relationship);
@@ -475,7 +475,7 @@ public virtual async Task RemoveFromToManyRelationshipAsync(TResource leftResour
             {
                 var leftResourceTracked = (TResource)_dbContext.GetTrackedOrAttach(leftResource);
 
-                // Make EF Core believe any additional resources added from ResourceDefinition already exist in database.
+                // Make Entity Framework Core believe any additional resources added from ResourceDefinition already exist in database.
                 IIdentifiable[] extraResourceIdsToRemove = rightResourceIdsToRemove.Where(rightId => !rightResourceIds.Contains(rightId)).ToArray();
 
                 object? rightValueStored = relationship.GetValue(leftResource);

src/JsonApiDotNetCore/Resources/Annotations/RelationshipAttribute.cs

@@ -32,8 +32,8 @@ public abstract class RelationshipAttribute : ResourceFieldAttribute
         internal Type? RightClrType { get; set; }
 
         /// <summary>
-        /// The <see cref="PropertyInfo" /> of the EF Core inverse navigation, which may or may not exist. Even if it exists, it may not be exposed as a JSON:API
-        /// relationship.
+        /// The <see cref="PropertyInfo" /> of the Entity Framework Core inverse navigation, which may or may not exist. Even if it exists, it may not be exposed
+        /// as a JSON:API relationship.
         /// </summary>
         /// <example>
         /// <code><![CDATA[

src/JsonApiDotNetCore/Serialization/Request/IJsonApiReader.cs

@@ -5,7 +5,7 @@
 namespace JsonApiDotNetCore.Serialization.Request
 {
     /// <summary>
-    /// Deserializes the incoming JSON:API request body and converts it to models, which are passed to controller actions by ASP.NET Core on `FromBody`
+    /// Deserializes the incoming JSON:API request body and converts it to models, which are passed to controller actions by ASP.NET on `FromBody`
     /// parameters.
     /// </summary>
     [PublicAPI]

test/JsonApiDotNetCoreTests/IntegrationTests/AtomicOperations/ModelStateValidation/AtomicModelStateValidationTests.cs

@@ -3,20 +3,18 @@
 using System.Threading.Tasks;
 using FluentAssertions;
 using JsonApiDotNetCore.Serialization.Objects;
-using JsonApiDotNetCoreTests.Startups;
 using Microsoft.EntityFrameworkCore;
 using TestBuildingBlocks;
 using Xunit;
 
 namespace JsonApiDotNetCoreTests.IntegrationTests.AtomicOperations.ModelStateValidation
 {
-    public sealed class AtomicModelStateValidationTests
-        : IClassFixture<IntegrationTestContext<ModelStateValidationStartup<OperationsDbContext>, OperationsDbContext>>
+    public sealed class AtomicModelStateValidationTests : IClassFixture<IntegrationTestContext<TestableStartup<OperationsDbContext>, OperationsDbContext>>
     {
-        private readonly IntegrationTestContext<ModelStateValidationStartup<OperationsDbContext>, OperationsDbContext> _testContext;
+        private readonly IntegrationTestContext<TestableStartup<OperationsDbContext>, OperationsDbContext> _testContext;
         private readonly OperationsFakers _fakers = new();
 
-        public AtomicModelStateValidationTests(IntegrationTestContext<ModelStateValidationStartup<OperationsDbContext>, OperationsDbContext> testContext)
+        public AtomicModelStateValidationTests(IntegrationTestContext<TestableStartup<OperationsDbContext>, OperationsDbContext> testContext)
         {
             _testContext = testContext;
 

test/JsonApiDotNetCoreTests/IntegrationTests/EagerLoading/EagerLoadingTests.cs

@@ -4,19 +4,18 @@
 using FluentAssertions;
 using JsonApiDotNetCore.Configuration;
 using JsonApiDotNetCore.Serialization.Objects;
-using JsonApiDotNetCoreTests.Startups;
 using Microsoft.EntityFrameworkCore;
 using TestBuildingBlocks;
 using Xunit;
 
 namespace JsonApiDotNetCoreTests.IntegrationTests.EagerLoading
 {
-    public sealed class EagerLoadingTests : IClassFixture<IntegrationTestContext<ModelStateValidationStartup<EagerLoadingDbContext>, EagerLoadingDbContext>>
+    public sealed class EagerLoadingTests : IClassFixture<IntegrationTestContext<TestableStartup<EagerLoadingDbContext>, EagerLoadingDbContext>>
     {
-        private readonly IntegrationTestContext<ModelStateValidationStartup<EagerLoadingDbContext>, EagerLoadingDbContext> _testContext;
+        private readonly IntegrationTestContext<TestableStartup<EagerLoadingDbContext>, EagerLoadingDbContext> _testContext;
         private readonly EagerLoadingFakers _fakers = new();
 
-        public EagerLoadingTests(IntegrationTestContext<ModelStateValidationStartup<EagerLoadingDbContext>, EagerLoadingDbContext> testContext)
+        public EagerLoadingTests(IntegrationTestContext<TestableStartup<EagerLoadingDbContext>, EagerLoadingDbContext> testContext)
         {
             _testContext = testContext;
 

test/JsonApiDotNetCoreTests/IntegrationTests/InputValidation/ModelState/ModelStateDbContext.cs

@@ -8,6 +8,7 @@ namespace JsonApiDotNetCoreTests.IntegrationTests.InputValidation.ModelState
     [UsedImplicitly(ImplicitUseTargetFlags.Members)]
     public sealed class ModelStateDbContext : DbContext
     {
+        public DbSet<SystemVolume> Volumes => Set<SystemVolume>();
         public DbSet<SystemDirectory> Directories => Set<SystemDirectory>();
         public DbSet<SystemFile> Files => Set<SystemFile>();
 
@@ -18,6 +19,12 @@ public ModelStateDbContext(DbContextOptions<ModelStateDbContext> options)
 
         protected override void OnModelCreating(ModelBuilder builder)
         {
+            builder.Entity<SystemVolume>()
+                .HasOne(systemVolume => systemVolume.RootDirectory)
+                .WithOne()
+                .HasForeignKey<SystemVolume>("RootDirectoryId")
+                .IsRequired();
+
             builder.Entity<SystemDirectory>()
                 .HasMany(systemDirectory => systemDirectory.Subdirectories)
                 .WithOne(systemDirectory => systemDirectory.Parent!);

test/JsonApiDotNetCoreTests/IntegrationTests/InputValidation/ModelState/ModelStateFakers.cs

@@ -9,6 +9,11 @@ namespace JsonApiDotNetCoreTests.IntegrationTests.InputValidation.ModelState
 {
     internal sealed class ModelStateFakers : FakerContainer
     {
+        private readonly Lazy<Faker<SystemVolume>> _lazySystemVolumeFaker = new(() =>
+            new Faker<SystemVolume>()
+                .UseSeed(GetFakerSeed())
+                .RuleFor(systemVolume => systemVolume.Name, faker => faker.Lorem.Word()));
+
         private readonly Lazy<Faker<SystemFile>> _lazySystemFileFaker = new(() =>
             new Faker<SystemFile>()
                 .UseSeed(GetFakerSeed())
@@ -22,6 +27,7 @@ internal sealed class ModelStateFakers : FakerContainer
                 .RuleFor(systemDirectory => systemDirectory.IsCaseSensitive, faker => faker.Random.Bool())
                 .RuleFor(systemDirectory => systemDirectory.SizeInBytes, faker => faker.Random.Long(0, 1_000_000)));
 
+        public Faker<SystemVolume> SystemVolume => _lazySystemVolumeFaker.Value;
         public Faker<SystemFile> SystemFile => _lazySystemFileFaker.Value;
         public Faker<SystemDirectory> SystemDirectory => _lazySystemDirectoryFaker.Value;
     }

test/JsonApiDotNetCoreTests/IntegrationTests/InputValidation/ModelState/ModelStateValidationTests.cs

@@ -4,18 +4,17 @@
 using System.Threading.Tasks;
 using FluentAssertions;
 using JsonApiDotNetCore.Serialization.Objects;
-using JsonApiDotNetCoreTests.Startups;
 using TestBuildingBlocks;
 using Xunit;
 
 namespace JsonApiDotNetCoreTests.IntegrationTests.InputValidation.ModelState
 {
-    public sealed class ModelStateValidationTests : IClassFixture<IntegrationTestContext<ModelStateValidationStartup<ModelStateDbContext>, ModelStateDbContext>>
+    public sealed class ModelStateValidationTests : IClassFixture<IntegrationTestContext<TestableStartup<ModelStateDbContext>, ModelStateDbContext>>
     {
-        private readonly IntegrationTestContext<ModelStateValidationStartup<ModelStateDbContext>, ModelStateDbContext> _testContext;
+        private readonly IntegrationTestContext<TestableStartup<ModelStateDbContext>, ModelStateDbContext> _testContext;
         private readonly ModelStateFakers _fakers = new();
 
-        public ModelStateValidationTests(IntegrationTestContext<ModelStateValidationStartup<ModelStateDbContext>, ModelStateDbContext> testContext)
+        public ModelStateValidationTests(IntegrationTestContext<TestableStartup<ModelStateDbContext>, ModelStateDbContext> testContext)
         {
             _testContext = testContext;