Incoming\Outcoming DTO validation (json schema)

wlabeu · July 15, 2025, 4:18pm

hi SS team

I know SS does not implement json validation when it deserialize incoming DTO or serialize outcoming DTO.

Given the very high flexibility of the framework, is there a way to override one or more steps in the SS pipeline to easily implement json schema validation?

The idea is to implement a SS plugin or something similar and use Json.NET Schema - Newtonsoft to achieve the schema validation.

Looking to the order of operations the only one I can see I could use is IAppHost.PreRequestFilters but I don’t want to register a custom binder nor to mark all the app DTO with IRequiresRequestStream.

I’m using SS 5.9.2, any suggestions?

thanks

mythz · July 16, 2025, 1:33am

The RequestStream can only be read once, so if you want to re-read the JSON Request Body you’ll need to buffer the Request Stream:

appHost.PreRequestFilters.Add((httpReq, httpRes) => {
    httpReq.UseBufferedStream = true;  // Buffer Request Input
});

From there you’ll be able to re-read the Request Input Stream from anywhere with access to IRequest with:

string textBody = await httpReq.GetRawBodyAsync(); //read as string

You wont be able to intercept the JSON response since it serializes directly to the Response Stream, you could serialize the DTO to JSON in your Service and validate that but I don’t think you should be validating your outputs at runtime, if you suspect for some reason a serialized DTO doesn’t validate to some schema, this should really be caught with tests not at runtime.

wlabeu · December 15, 2025, 2:01pm

I know I’m back to the topic after a long time, but in the meantime we’ve implemented the feature and, during testing, we’ve discovered a very unusual behaviour.

The issue is the loss of request body in PreRequestFilter despite UseBufferedStream.

The environment is:
.net framework: 4.8
SS v5.9.2, self hosted backend

I’ve implemented the json schema validation for all the endpoint (more than 1000) exposed by the backend.

I’m leveraging the IPreRequestFilter to perform the schema validation. Despite UseBufferedStream=true, reading the request body (for PUT/POST methods) using req.GetRawBody(); fully consumes the stream. As a result, when SS attempts to deserialize the Service DTO immediately afterward, the stream is empty, leaving the DTO unpopulated.

What’s strange is that only few endpoints are impacted. A litte deep analyses ruled out payload size or data errors.
What this endpoints have in common is that the client is JsonServiceClient and not the angular HttpClient library.

For some yet unknown reasons, calls triggered by JsonServiceClient with the right payload, end up empty or truncated on backend side.

If I comment out the PreRequest implementation, everything works fine, the backend deserializes the properly populated DTO.

Any ideas?

mythz · December 15, 2025, 2:16pm

If the request is marked with UseBufferedStream = true it returns the buffered stream:

github.com/ServiceStack/ServiceStack

src/ServiceStack/Host/AspNet/AspNetRequest.cs

v5.9.2


      
          public bool UseBufferedStream
          {
              get => BufferedStream != null;
              set => BufferedStream = value
                  ? BufferedStream ?? request.InputStream.CreateBufferedStream()
                  : null;
          }
          
          public string GetRawBody()
          {
              if (BufferedStream != null)
                  return BufferedStream.ReadBufferedStreamToEnd(this);
          
              return InputStream.ReadToEnd();
          }

There’s nothing else to it, I’d debug GetRawBody() to check it’s using the BufferedStream and it’s not empty.