Removing Unnecessary Request Fields

At the moment, we are allowing the consumer to submit all the properties that our data repository requires, including userId, userName, and created. However, these properties can be set on the server. In fact, the client doesn’t need to know or care about userId.

Exposing the client to more properties than it needs impacts the usability of the API and can also cause security issues. For example, a client can pretend to be any user submitting questions and answers with our current API.

In the following subsections, we are going to tighten up some requests so that they don’t contain unnecessary information. We will start by removing the userId, userName, and created fields from posting questions before moving on to removing the userId and created fields from posting answers.

Removing unnecessary request fields when posting a question

Our QuestionPostRequest model is used both in the data repository to pass the data to the stored procedure as well as in the API controller to capture the information in the request body. This single model can’t properly cater to both these cases, so we are going to create and use separate models. Implement the following steps:

1. In the models folder, create a new model called QuestionPostFullRequest as follows: