Never again without a contract: dry-validation

by Espartaco Palma

In the talk titled "Never Again Without a Contract: Dry Validation," Espartaco Palma discusses the importance of implementing validation protocols for external inputs in software development, emphasizing the necessity of having clear, enforceable contracts.

The presentation covers several key points:

Introduction and Background: Espartaco introduces himself and shares a personal anecdote about his own experience with exploitation in the workplace, which led to the lesson of ensuring that work is done under contract agreements.
What is Dry Validation?: He defines Dry Validation as akin to JSON Schema but superior in application, highlighting its use in structural validation of input data, particularly for Ruby applications.
The Significance of Contracts: Contracts are discussed as essential elements in managing expectations and establishing rules for data validation. While not every interaction requires a contract, they become invaluable in more complex systems.
Understanding Data Integrity: The need for robust validation becomes pertinent as applications scale and communicate with external agents. Espartaco stresses the importance of guarding systems against harmful inputs.
Detailed Examples of Validation Rules: He provides specific use cases illustrating how validation checks must ensure that data conforms to required formats, including examples such as conditionally required fields.
- For instance, he explains how start and end dates must be validated together to maintain logical data integrity.
- The practical need for immediate feedback on incorrect input formats is highlighted.
Community Acknowledgment: Espartaco acknowledges the support of the Dry RB community and encourages attendees to adopt best practices in their own projects.
Conclusion: He concludes with an affirmation that Dry Validation is a formidable tool for managing system boundaries and ensuring data integrity, inviting developers to reconsider their approach to handling validation in their applications.

This session emphasizes the intersection of contracts, validation frameworks, and data integrity in the software engineering space, aligning with the core theme of never compromising on clear agreements in technical projects.

00:00:00 Ready for takeoff.

00:00:17 Okay, I'd like to start so we all have enough time later. Hopefully, I can make it today.

00:00:27 Uh, questions? Let's go ahead.

00:00:32 Uh, this is the talk: "Never Again Without a Contract: Dry Validation."

00:00:36 I had to put just 'Dry Validation' on the program, but that's fine.

00:00:49 Who am I? It's really important to explain who I am. I'm one of the top rejected Ruby talks and conferences according to speakerline.io.

00:01:12 I dare you to help me get accepted. I've been an open source contributor since the 2000s.

00:01:27 My code is in your MacBooks somehow because I've contributed to Ruby. I understand that library, but it's not a big deal.

00:01:43 I want to thank my sponsors, especially for the Jane Foundation donation, which makes it possible for me to be here with all of you.

00:01:59 I work for a company called Any Road as a staff software engineer and technical lead. It means I'm experienced; I've been in this industry for 20 years.

00:02:13 My name is Espartaco, but I go by Sparta everywhere.

00:02:51 Please join me as we go through the agenda. We will cover the intro, the what, the why, the who, and the conclusions.

00:03:07 This session will include a lot of information, but we will get through it together.

00:03:19 In my previous job, I experienced exploitation; I learned a lot, but I was paid in cash every 10 days. When I got chickenpox and informed my employer, I was told to return whenever I felt ready.

00:03:46 When I got better, I returned to that job, only to be told I no longer had a job. That experience taught me: never again without a contract.

00:04:03 I was just 17 or 19 years old when that happened, and it has occurred many times. So, I tried to quit, thinking 'never again.'

00:04:22 Now, let's discuss Dry Validation. It is very much like Jason Schema but better. If you're not familiar, you can Google it.

00:04:36 Ruby can be used because it’s pure Ruby, which allows for data structures including JSON.

00:04:46 The focus is on structural validation. It uses filters and introspection and is very performant. It's fast and supports a lot of composition and reuse.

00:05:12 Dry Validation includes type checking and can be applied in mobile-oriented applications, but it approaches things from a functional programming perspective.

00:05:39 Monoids are an important concept here. A monoid is a structure with an associative binary operation and an identity element.

00:06:01 Now, let’s establish our understanding: the essence of these concepts may be complex, but they are feasible to grasp.

00:06:17 Further discussion leads us to contracts. At some point, schemas aren't enough; we need to create contracts where rules and conditions apply.

00:06:32 It's like anything else in life; we don't contract over everything. However, when we come to an agreement on something, a contract becomes necessary.

00:06:54 But, we must still have an agreement of sorts, even if it’s informal, to guide our communications. Contracts should serve as guidance.

00:07:17 Now, contracts include not only the definition of the schemas but also macros, dependency injection, and rules. Unfortunately, we can't cover everything in this presentation, but I'll introduce key concepts quickly.

00:07:50 If you're still present, you might be asking why these distinctions and agreements matter.

00:08:12 As our systems grow and scale, requiring more complex communication with internal and external agents, the necessity of understanding and applying security measures becomes paramount.

00:08:39 We must not blindly trust anyone sending payloads to our controllers—even with API security in place.

00:09:03 Schemas and contracts may offer some security and if we are not vigilant, our systems may become vulnerable to harmful inputs.

00:09:31 We are not predominantly focusing on security today, but it's something we might touch on later.

00:10:06 While I pitched this talk to you, I highlighted that sometimes, simply using active mode is sufficient, particularly for simple applications.

00:10:39 You may not need to adjust your parameters every single time you're building a new feature. Sometimes, strong parameters might suffice.

00:11:00 However, as your application demands evolve, there comes a point when the necessity for more robust solutions arises.

00:11:39 Ryan Bake, my benefactor and sponsor, recently wrote about this topic on ryanbake.com, which saved me about 10 minutes in preparation for this talk.

00:12:13 Also, Andreas suggested a book related to boundaries and project practices. I encourage you to explore that resource.

00:12:57 The key is to ensure that data flows properly and doesn’t cross the boundaries of validated inputs. This isn't just applicable to web interfaces; it applies across all types of systems.

00:13:27 Next, we’ll consider a use case where your company needs to connect across standards.

00:13:54 Let’s explore a simple API endpoint. You send a request containing product ID as a required attribute.

00:14:27 The payload must conform to certain standards—business wants structured data.

00:14:46 Validation is vital, especially if we require fields which may impose rules.

00:15:06 Getting that right means sending the requisite parameters while effectively dismissing those that aren't relevant or valid.

00:15:34 When the input isn't meeting the specifications, it should be rejected instantly. Validation needs to deliver immediate feedback on incorrect formats.

00:16:05 Next, let's discuss something more complex with fields that are conditionally required—like start and end dates.

00:16:34 For fields that may depend on one another, we must enforce that both are complete and valid—error checking ensures data integrity.

00:17:09 Validation does not simply check types; it requires establishing relational rules across inputs—a different type of scrutiny.

00:17:36 The contracts ensure certain requirements hold: if one value exists, another must also exist, presenting logical consistency.

00:18:10 Set rules clarify expectations. A robust validation framework can handle inputs precisely to avoid any miscommunication.

00:18:34 Thus, as you define these contracts, you must rigorously test assumptions to ensure that your validations are enforced as intended.

00:19:07 I want to acknowledge the extensive community around Dry RB; their contributions have been invaluable for anyone working with Ruby.

00:20:01 I invite you to consider how implementing these best practices can transform the way your applications handle validation.

00:20:35 In conclusion, Dry Validation is a powerful tool for managing your system's boundaries and ensuring data integrity.

00:20:59 Thank you for your attention.