Apigee handles empty form parameters nicely as long as they have an equals sign next to them, like the following:
param_with_value=bla¶m_without_value=&another_param_with_value=bla
However, if the caller omits the equals sign next to param_without_value then Apigee will silently just not parse any of the form parameters that were sent in. That is to say, if you had a flow condition looking at the value of any form parameters they will just be empty.
Now the interesting part is that if you have a JavaScript policy with a simple context.getVariable(“request.formparams.names”) Apigee will throw an error like Execution of debug-policy failed on line 1 with error: Bad Form Data. The same happens if you do it in a Java callout, in which case you get the following exception:
com.apigee.rest.framework.BadRequestException{ code = protocol.http.BadFormData, message = Bad Form Data, associated contexts = []}
at com.apigee.protocol.http.msg.Body.getFormParams(Body.java:79)
at com.apigee.messaging.adaptors.http.message.HttpTransportMessage.getFormParams(HttpTransportMessage.java:310)
at com.apigee.messaging.adaptors.http.message.HttpTransportMessage.getFormParamValue(HttpTransportMessage.java:336)
at com.apigee.messaging.adaptors.http.message.HttpTransportMessage.getP.....
This means that Apigee does in fact have some sort of request parameter validation in place, but it silently accepts invalid input until you use in a JS or Java policy.
There are a few ways that this can be solved with custom policies (e.g. have a JS or Java policy peek at request.formparams.names and raise a fault if that fails, or even apply a regular expression on the incoming request) but I’d rather have Apigee handle it for me.
Is there a way to tell Apigee not to accept such requests without having to add any custom policies to PreFlow?