Mike Lindegarde... Online

Things I'm likely to forget.


Validating API input in ASP.NET Core 1.1 with FluentValidation

Jump to Instructions

It doesn't matter if your API is nothing more than a facade for simple CRUD operations built on-top of an Active Record implementation or if your API is merely the gateway into your complex Domain Driven Design that leverages the latest and greatest CQSR/ES patterns to scale on demand:  you need to validate your input.

Writing code to validate input is quite possibly one of the most tedious task ever created (right next to doing any sort of processing that involves any file format from the medical world).  Thankfully we are far from the days of having to manually handle that task.  

When I started my latest ASP.NET Core 1.1 project I wanted a more expressive way to handle validation.  Enter FluentValidation:  a small library that does an excellent job handling input validation (high level validation before you get into the heart of your business logic).  Below I show you the three phases my validation code went through before I finally end up where I probably should have started.

Getting Started

Before getting to far into this tutorial you'll want to make sure you:

The First Pass (Also Known as the Really Bad Idea)

I knew I wanted to use FluentValidation and I know that ASP.Net has built in model validation.  What I didn't know was how to bring them together.  Eventually I got there, but it took a few passes.  The first step was a given, add the required dependencies to my project.json file:

  "dependencies": {
    "Microsoft.NETCore.App": {
      "version": "1.1.0",
      "type": "platform"
    "Microsoft.AspNetCore.Mvc": "1.1.0",
    // other dependencies removed for brevity
    "StructureMap.Microsoft.DependencyInjection": "1.3.0",
    "FluentValidation.AspNetCore": "6.4.0-beta9",
    "Serilog": "2.3.0",
    "Serilog.Extensions.Logging": "1.3.1",
    "Serilog.Sinks.Literate": "2.0.0"
  // other sections removed for brevity

With that in place I wrote a few validators for the input into my POST and PUT action handlers.  You can find all of the documentation for FluentValidation here.  Below is an example command and it's related validator:

public class AddRecipe
	public Guid Id {get; set;}
	public Guid CreatedBy {get; set;}
	public DateTime CreatedAt {get ;set;}
	public string Title {get; set;}
	public string Instructions {get; set;}
	public List<string> Ingredients {get; set;}

public class AddRecipeValidator : AbstractValidator<AddRecipe>
	private static readonly DateTime MinDate = new DateTime(2000, 1, 1);
	private static readonly DateTime MaxDate = new DateTime(2100, 1, 1);

	public AddRecipeValidator()
		RuleFor(cmd => cmd.Id).NotEmpty();
		RuleFor(cmd => cmd.CreatedBy).NotEmpty().NotEqual(cmd => cmd.Id);
		RuleFor(cmd => cmd.CreatedAt).Must(BeValidDate)
			.WithMessage("'Created At' must be a valid date");
		RuleFor(cmd => cmd.Title).Length(5, 100);
		RuleFor(cmd => cmd.Ingredients).NotEmpty();

	private bool BeValidDate(DateTime input)
		return input.Date > MinDate && input.Date < MaxDate;

Next, I wanted a generic way to get the validator for a given class based on the class's type.  I didn't want to have to know what the exact type of the validator implementation was.  This seemed like a good time to use StructureMap (in reality, it wasn't).  Here's how you could use StructureMap if you really really wanted to (for some reason):

In your StructureMap scanner configuraiton add the following line:


ConnectImplementationsToTypesClosing will allow you to get an instance of a given validator knowing only the type of the object the validator handles.  I wanted to be able to get an instance of a validator using the same syntax I would use to get any other object from my IoC container.  While I generally avoid extension methods, this seems like a good place to put the pattern to use:

public static class StructureMapUtilities
	public static IValidator TryGetValidatorInstance<T>(this IContainer container)
		return container.TryGetInstance<AbstractValidator<T>>();

With that in place, you can validate the input to your controller's action methods as follows:

public IActionResult Post([FromBody,Required] AddIngredient command)
	if(command == null)
		return BadRequest();

	ValidationResult result = 

	if(result?.IsValid == false)
		return BadRequest(result);

	return CreatedAtRoute("GetIngredient", new {id = Guid.NewGuid()}, null);

That's, ummm.... not good.  There are a few major problems with this solution:

  • It requires injecting my IoC container into the controller (leaky abstraction, I might as well have my repositories return IQueryable while I'm at it)
  • I have to type the same few lines at the beginning of every method where I want to validate the input

The Second (Less Bad) Solution

Surface level validation is kind of a cross-cutting concern right?  Aspect Oriented Programming is a way to handle cross-cutting concerns... AOP frequently uses attributes... I can use an attribute to handle my validation.  A few degrees short of Kevin Bacon and I have a new direction: ValidateInputAttribute:

public class ValidateInputAttribute : ActionFilterAttribute
	public override void OnActionExecuting(ActionExecutingContext context)

		context.Result = new BadRequestObjectResult(context.ModelState);


This solution allowed me to pull the IoC container out of my controllers.  It also simplified the code for validating input:

public IActionResult Post([FromBody,Required] AddReview command)
	return CreatedAtRoute("GetReview", new {id = Guid.NewGuid()}, null);

Unfortunately I still had one problem:  I can't inject my logging framework of choice into an Attribute.  Well, where there's a will there's a way... but if you have to work that hard to get something to work, there's probably a better solution...

The Third and Final Attempt (for Now)

Filters allow you to execute code in the MVC Action Pipeline prior to the action being executed but after the model had been bound via Action Filters.  This seems like the perfect place to solve my problem.

Before we can handle validation errors in a Filter we first need to update our Startup class's ConfigureServices method:

public IServiceProvider ConfigureServices(IServiceCollection services)
			fv => fv.RegisterValidatorsFromAssemblyContaining<Startup>());

	return services.AddStructureMap();

The highlighted lines above will configure things so that FluentValidation handles validating input for you and updates the ModelState accordingly.  Note, using this approach does not require StructureMap.

Next you need to add an implementation of IActionFilter to handle validation errors:

public class ValidateInputFilter : IActionFilter
	private readonly ILogger _logger;

	#region Constructor
	public ValidateInputFilter(ILogger logger)
		_logger = logger.ForContext<ValidateInputFilter>();

	#region IActionFilter Implementation
	public void OnActionExecuting(ActionExecutingContext context)

			_logger.Warning("Model validation failed for {@Input} with validation {@Errors}",
					.SelectMany(kvp => kvp.Value.Errors)
					.Select(e => e.ErrorMessage));

		context.Result = new BadRequestObjectResult(
			from kvp in context.ModelState
			from e in kvp.Value.Errors
			let k = kvp.Key
			select new ValidationError(ValidationError.Type.Input, null, k, e.ErrorMessage));

	public void OnActionExecuted(ActionExecutedContext context)
		// This filter doesn't do anything post action.

The above code should be pretty straight forward.  If there are no errors in the given model, simply return and do nothing.  Let the next filter do it's thing.  If there is a problem with the ModelState, log it and let the client know that a Bad Request was made (HTTP status code 400).

Note, in the current version of FluentValidation if a null object is passed into your action method context.ModelState.IsValid will return true.  Given what I read here, that's not what I expected.


I double my current solution is perfect and I'm almost certain it'll go through another refactoring (or two) as I continue to work on the project.  Hopefully you found something useful above.  If not, thanks for taking the time to read this article and I would appreciate any feedback you might have.

You can find a working example on GitHub: https://github.com/mlindegarde/examples-validation-api

Useful links

The links below my help answer any questions you may have:

Lessons Learned: Always Present the Problem When Asking for Help with a Solution

This is a series of short posts that outline some important things I've learned over the years.  While most of these should be obvious to a seasoned developer, a lot of them aren't so obvious to those just getting started.  You can find other posts in this series here.

Avoid the Rabbit Hole

I'm as guilty as anyone of this:  you're trying to solve a problem and you're convinced you're going down the right path.  Eventually you come to a sticking point and off to Stack Overflow and/or Google you go to find the answer to your very specific question.

Inevitably you get a response or find a solution that answers your question.  However, somewhere in that answer is the suggestion that what you're attempting to do is a bit odd.  Your immediate reaction is something along the lines of "don't tell me I shouldn't be doing this, just tell me how to do it."  Or, "trust me, I'm solving a unique problem in an ingenious way."

Present the Complete Picture

If you've ever find yourself in that situation, odds are there is a better solution.  The problem is that the solution requires a completely different approach than the one you've taken.  If you don't present the problem you're actually trying to solve no one can point out that there is a better solution.

Don't let your current knowledge limit your possible solutions.

When asking for help (be it from the Internet or a colleague) always start with the big picture.  Describe the problem you originally set out to solve.  Don't just ask how to ensure that the HTTP request you're sending via JavaScript doesn't get cancelled before the browser closes.  Instead explain that you have concerns about user session length and security, then outline your current approach and the problem(s) you're having with it.  Odds are you'll learn something.

You can't ask questions about things you don't know exist.  Don't let your current knowledge limit your possible solutions.

Lazy Loading Properties with the Null-Coalescing Operator

Every now and again I want to lazily load a properties value using the null-coalescing operator.  Inevitably I've forgotten the proper syntax by the next time I want to use it:

public SomeObject PropertyName => 
    _someField ?? (_someField = _container.GetInstance<TObject>());

Visual Studio, .NET Core, and ErrorCode = '0x80004005'

I'm working on a new project.  The solution and initial projects were setup by another developer (who did / is doing a great job).  When I first attempted to run the project things didn't go quite as expected.  Instead of running, the ASP.NET MVC website immediately closed on me.  No errors in the output, no exceptions thrown.  It didn't matter if I ran it in IIS Express or in a console host.

At first I thought it was an issue with missing dependencies.  While I've had Node.js and NPM installed for a long time, I thought there might be a configuration issue between my NPM install and Visual Studio.  While that was a problem (thank you very much Mr. Hanselman), it wasn't the root problem. 

Next I took a look at the Windows Event View to see what I could find in the system logs.  When I tried to run the application via IIS Express it generated the following error:

Failed to start process with commandline '"C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\Extensions\Microsoft\Web Tools\ProjectSystem\VSIISExeLauncher.exe" -debug -p "C:\Program Files\dotnet\dotnet.exe" -a "C:\My Dev\Remslogic\RemsLogic\src\RemsLogic\bin\Debug\netcoreapp1.0\RemsLogic.dll" -pidFile "C:\Users\mikel\AppData\Local\Temp\tmp93DD.tmp" -wd "C:\My Dev\Remslogic\RemsLogic\src\RemsLogic"', ErrorCode = '0x80004005'.

According to the Google box, error code 0x80004005 in ASP.NET apparently means it can't connect to the database.  I checked my connection strings.  Everything looked right.

Finally it occurred to me to look at project.json and see what I might be missing.  There it was, plan as day.  This project is using .NET Core 1.1.  I'm using a different computer than my normal dev work.  I only had .NET Core 1.0 installed.  You can install .NET core 1.1 here.  Be sure you're looking at Current downloads and not LTS.

Moral of the story, always look at project.json before barking up the wrong forest.

Using Serilog, Elasticsearch 5, and Kibana 5 for Effective Error Logging

Why use Serilog over NLog

Skip to the instructions

For the longest time I didn't understand why everyone was so excited about Serilog.  I've used NLog for a long time and it seemed more than capable of doing what I needed:  logging messages to some data store (log files, databases, etc...).

Then I stared using Elasticsearch.  Suddenly I saw the light.  Structured event data always struck me as one of those neat features that wasn't really needed.  However, once you start using something like Elasticsearch the power of structured event data quickly become evident.

Adding the visualizations offered by Kibana takes your logging to the next level.  A quick glance at a dashboard and you instantly know if there has been an uptick in errors (or whatever you might be logging).  The interactive visualizations allow you to quickly filter out noise and identify the root cause of problems you or your users might be experiencing.


Installing the JDK

This part is frequently overlooked.  You need to have Java installed and running on the box you're planning to use as your Elasticsearch server.  For the purposes of this tutorial I'm going to assume that you're going to set things up on a Windows machine.  You'll also need to ensure that the JAVA_HOME environment variable is correctly set.

Step 1: Download the JDK

You can download the current JDK from Oracle.  You'll want to click on the "Java Platform (JDK) 8u111 / 8u112" link.  On the following page download the appropriate package (in my case it's jdk-8u111-windows-x64.exe).  Once the download completes run the installer and let it do it's thing.  In most cases the default options (install location, etc...) are just fine.

Step 2: Setting the JAVA_HOME Environment Variable

In order for Elasticsearch to work you'll need to have the JAVA_HOME variable set.  In order to set the JAVA_HOME variable you'll need to access the Advanced System Settings in Windows.  You can do that by:

  1. Click on the Start Menu
  2. Right click on Computer
  3. Select Properties

In the window that appears, select Advanced System Settings in the upper left.  That will bring up a small dialog window with five tabs across the top:

  1. Select Advanced.
  2. Click on Environment Variables...
  3. In the System variables section click New...
  4. For the Variable Name use JAVA_HOME and for the value use the location of your install's bin directory


Setting up Elasticsearch and Kibana

I'm not going to teach you the ins and outs of Elasticsearch.  I'm going to give you just enough information to get things up and running.  Elasticsearch is incredibly powerful and I strongly encourage you to get a book or consult with someone more knowledgeable than me.

Step 1: Download and Install Elasticsearch 

Elastic does a great job walking you through the steps necessary to setup Elasticsearch on any platform.  Rather than repeating that information here, I'll simply point you in the right direction: https://www.elastic.co/downloads/elasticsearch.

Although the download page has some basic installation instructions, I found the instruction in the documentation to be much more helpful.  You can find that information here.

I would strongly recommend setting up Elasticsearch as a service.  However, you'll want to make sure you have Elasticsearch successfully running before setting up the service.  It's much easier to resolve problems when you can see the errors in the console window.

Step 2: Download and Install Kibana

Installing Kibana goes pretty much exactly like installing Elasticsearch.  Simply download the compressed file, decompress to wherever you like, then run the bat file.  You can download Kibana from here:  https://www.elastic.co/downloads/kibana.  You can find better installation documentation here.

If you want to setup Kibana to run as a service you can use the following command in the Windows Console or your preferred terminal (you can see my setup here):

sc create "ElasticSearch Kibana 4.0.1" binPath= "{path to batch file}" depend= "elasticsearch-service-x64"

That handy little line comes to you courtesy of Stack Overflow.

At this point you should be able to verify that Elasticsearch is running at http://localhost:9200 and that Kibana is running at http://localhost:5601 by visiting those URLs in your preferred browser.


Using Serilog

As mentioned in the introduction, we'll be using Serilog instead of NLog.  This is so that we can take advantage of the structured data Serilog gives us in our Elasticsearch indexes.  Setting up Serilog with .NET Core is pretty straight forward.

Step 1: Add the Required Packages

Add the following packages to your project.json file:

  "dependencies": {
    "Microsoft.NETCore.App": {
      "version": "1.0.0",
      "type": "platform"
    "Swashbuckle": "6.0.0-beta902",
    "Microsoft.ApplicationInsights.AspNetCore": "1.0.0",
    "Microsoft.AspNetCore.Mvc": "1.0.0",
    // removed for length
    "Microsoft.Extensions.Options.ConfigurationExtensions": "1.0.0",
    "Serilog": "2.3.0",
    "Serilog.Extensions.Logging": "1.3.1",
    "Serilog.Sinks.Literate": "2.0.0",
    "Serilog.Sinks.ElasticSearch": "4.1.1"
  // truncated to save space

Save your project.json file and let Visual Studio restore the packages.

Step 2: Modify Your Startup.cs

You'll need to modify your Startup.cs in two places: the constructor and in the Config method.  First we'll look at the changes to the constructor:

ElasticsearchConfig esConfig = new ElasticsearchConfig();

LoggerConfiguration loggerConfig = new LoggerConfiguration()
	.Enrich.WithProperty("Application","App Name")

	loggerConfig.WriteTo.Elasticsearch(new ElasticsearchSinkOptions(esConfig.Uri)
		AutoRegisterTemplate = true,
		MinimumLogEventLevel = (LogEventLevel)esConfig.MinimumLogEventLevel,
		CustomFormatter = new ExceptionAsObjectJsonFormatter(renderMessage:true),
		IndexFormat = esConfig.IndexFormat

Log.Logger = loggerConfig.CreateLogger();

Looking at the code you should notice that loading settings from my appsettings.json file.  If you need some help with that you read my previous post.

I've enriched my events in two ways.  First I've configured Serilog to use the LogContext.  For more information take a look at the Serilog documentation here.  The second enrichment simply puts the application name on every event generated by Serilog.

I always want Serilog to write to the console (at least while the application is being developed).  To accomplish that I'm using the LiterateConsole Sink.  If you want to know why I'm using the LiterateConsole over the ColoredConsole you can read more about it here.

Lastly, depending on the value in esConfig.Enabled I'm conditionally setting up the Elasticsearch sink.  You can find all the information about the various configuration options here.  Here is the short version:

  • AutoRegisterTemplate - Tells Serilog to automatically register a template for the indexes it creates using a template optimized for working with Serilog events.
  • MinimumLogEventLevel - Kind of straight forward.
  • CustomFormatter - In order to avoid deeply nested objects Serilog writes inner exceptions as an array of exceptions.  This can be problematic for visualizations and some queries.  You can change this behavior using the ExceptionAsJsonObjectFormatter.
  • IndexFormat - This is the pattern Serilog will use to generate the indexes it creates.  Typically it's something like "api-logs-{0:yyyy.MM.dd}".  If you do not provide a format Serilog will use it's default value.

Finally, modify your Configure method:

public void Configure(
	IApplicationBuilder app, 
	IHostingEnvironment env, 
	ILoggerFactory loggerFactory,
	IApplicationLifetime appLifetime)



That's it.  Now you're ready to start writing some events to Elasticsearch.

Step 3: Write some exceptions to Elasticsearch

You'll need to use Serilog's ILogger interface wherever you need to log an event.  I tend to use StructureMap as my IoC container instead of the default implementation Microsoft offers.  This means I need to register the interface in my StructureMap configuration:


Once that is done, I can easily inject Serilog into any object created via the IoC container (i.e. my controllers).  Writing an event with structured data to Elasticsearch is as simple as making the following call in your code wherever appropriate:

_logger.Error(ex, "Failed to create object requested by {@staff}", _staff)

For more information about the features Serilog offers please refer to their documentation.  I encourage you to take advantage of source contexts whenever possible.  Having the SourceContext property in your event data makes filtering a lot easier.


Using Kibana

It's taken a while, but you've finally got Elasticsearch setup, Kibana installed and running, and your source code writing events to an Elasticsearch index.  Great... now it's time to start seeing the effort pay off.

Step 1: Setup Your Index Pattern

If this is the first time you've run Kibana you will most likely be looking at the screen where Kibana asks you to tell it about your index pattern:

The welcome screen

If you recall, back when we setup the Serilog Elasticsearch sink one of the properties we configured was the IndexFormat.  This is the value you'll want to use here less the date format portion of the string.  If you used "api-logs-{0:yyyy.MM.dd}" for your IndexFormat, then the Index Pattern is "api-logs-".

With the Index Pattern set you'll want to head over to the Discover tab.

Step 2: Save a Simple Query

Before you can discover anything you'll need to make sure you've logged at least a few events to Elasticsearch.  You'll also want to make sure that they occurred within the time frame you're currently viewing (look in the upper right corner of the Kibana window).  As long as you have some events stored in ES, clicking on Discover should display a window that looks something like this:

Discover tab with no filters

In order to create a visualization you're going to need to save a search.  You can find the full Discover documentation here.  For the purposes of moving forward, we'll save a simple search:

  1. In the Query bar type in: level:Error
  2. Click on the search button (magnifying glass)
  3. Click on Save in the upper right corner
  4. Give the search a slick name like All Errors
  5. Click Save

Step 3: Create a Simple Visualization

With the search saved it's time to move over to the Visualize section of Kibana.

There are several visualizations you can create.  In this example we'll create a simple Vertical Bar Chart using a Date Histogram to group the errors by date and time.  Creating this visualization is pretty straight forward:

  1. Select the Vertical Bar Chart option from the list of visualizations
  2. On the right you can select All Errors from the list of saved searches
  3. In the next window select X-Axis
  4. Under Aggregation choose Date Histogram
  5. Leave all of the default settings
  6. Click on the run button (Looks like a play button)
  7. Click Save in the upper right

Step 4: Build your dashboard

With the visualization saved you can easily add it to your dashboard.  You can find a lot more information about building dashboards than I can find in the official Kibana documentation.