Rinat Abdullin

There had been a couple of questions on the place of validation within the Command-Query Responsibility Segregation principles:

• Validation: should it be UI-based only?
• Where does validation belong?
• How do validation and business rules fit into the CQRS world?

Let's try to figure this out along the lines of what we already know about CQRS and validation.

Validation

Validation generally ensures that the input data is valid at the moment of entry, within the limited scope of the UI or data adapter. This means that the data passing validation does not necessarily comply with all the rules and requirements of the organization, but at least it makes a lot of sense.

So if we are creating a customer in the UI (if for some reason, all this is included in a single command), then the validation for this operation will make sure that:

• NewCustomer has first name and last name
• NewCustomer has billing address
• NewCustomer has email that fits the standards (and is probably unique).
• etc

In the CQRS world this validation could run in form of various UI-driven rules and additional request-response checks against the available query data sources (i.e.: in-memory collection of all the emails within the system). Result of such validation is about preventing user from sending invalid command to the server.

For example, for ASP.NET MVC, validation code might look like:

[HttpPost]
public ActionResult Start(CreateNewCustomerForm form)
{
   ModelState.Validate(form, CreateNewCustomerRule);

   if (ModelState.IsValid)
   {
     var requestId = Guid.NewGuid();
     MessageBus.Send(MapFormToCommand(form, requestId));

     return RedirectToAction("wait", new {id = requestId});
   }

   return View(form);
}

The desktop alternative is similar:

var result = _createNewCustomerView
 .GetData(Rules.CreateNewCustomerRule);

if (result.IsSuccess)
{
  MessageBus.Send(MapModelToCommand(customer));
  _customerView.AddToList(customer);
}

You can check out .NET Validation application block for some inspiration on writing fluent and reusable validation rules for the UI. Keep in mind, though, that this block was developed within the xLim 3 and does not completely fit into the CQRS paradigm at the moment.

Once the user has made its way through, result of this validation is a command, that has really high probability of being correct. Ratio of success of 99.9% and above is something that we are aiming at. Although the remaining fraction of percent is important, we don't have to ensure absolute consistency at this moment of time. This small allowance let's us keep the client-side validation rather simple and scalable.

This validation process is scalable for two reasons:

• almost all the calculations are performed on the client-side.
• validation against the cache (queries) are inherently scalable due to the potentially distributed nature of the queries (which happens thanks to the fact, that commands can be 99.9% correct at the moment of UI Validation).

Valid command is sent to the server, which passes it into the messaging system, eventually reaching the command handler. After the server gets this command, it should also run the validation locally. First of all, we don't trust anybody. Second, now we run same validation rules, but within the transaction, to ensure 100% validity.

So at this moment we already see, that validation is not just UI-based. It could be applied to the command, as a logical entity, and thus should be executed either at server or client.

If the validation fails due to some simple reason (customer name is missing or does not follow the rules), then we could probably discard the command completely. We don't expect such failing commands to arrive (since we already do client-side validation), and are probably facing some hacking attempt. By discarding invalid commands we tighten the security without any penalties for the client-side experience.

Business Rules

In addition to the validity of the input data, organization would have additional business rules that define correctness and outcome of an operation. These additional rules might depend on the current context. Examples of these are:

• NewCustomer from USA must have address that makes sense for the postal services
• NewCustomer can't use email from the disposable email service.
• NewCustomer from Russia should be granted a welcome bonus of 50RUB on the account.

Checking these things at the UI level would've been too complex and would've required coupling to the additional services. So this is where separation between the validation and business rules in CQRS comes into play - we run this business logic at the server side. It does not merely answer the question "is the command correct", but rather "the command is correct, what does it do?"

For example, if the customer uses an email from the disposable email service, we could suspend the registration process and send him a validation email with the emphasis on no-spam policies in the company. American customers might get a long-running check against the US Postal address verification service. Outcome of a failed checked might be the extra validation step in the welcome email.

We could even have some plugged workflows defined by the DSL or visual designers.

All this logic might fit into the handler that is responsible for processing the command; or it might be fired by subsequent handlers. Anyway this process of business rules obviously requires more CPU power, than a simple validation and could become a bottleneck in the classical architecture. Luckily with the command-query segregation approach we don't have the problems:

• Commands are queued and could be processed by the server at it's own pace;
• Commands could be executed against different servers, based on the aggregate key (sharding). This means, that the aggregates are also distributed;
• CPU-scaling could be dynamic (a characteristic of the self-tuning applications) and adjust to the actual processing load;
• Messaging guarantees that the command will get it's chance to be processed even if the database is deadlocked or the entire server is down.

Corner Cases

Additionally with the validation and expected business scenarios, we would need to explicitly handle that tiny percent of commands (less than 0.1% probability) that were correct at the moment of creation, but happened to become invalid at the moment of handling. This handling is really important, as it provides a safety net against potentially stressful situations that could create losses for the business.

We handle such situations within the business context.

For example, customer's email was unique within the email cache, but is no longer unique at the moment of adding the row to the actual database. Then the desired business outcome might be sending a message to that email, saying:

There was another customer registration on this email, while we were processing your request. We can't proceed, but here are the details. You can create a new customer (link) or update the details of your existing registration (link).

Another possible and more complex situation is when we add items to the shopping cart. At the moment of ordering, we've got everything in the inventory. What do we do, if the order command arrives after somebody else has bought same items from the stock, and they were the last ones? Probability of this is quite low (since it usually takes a few moments to process the order), but we should handle it explicitly at the server side.

There are a few options. First one - send message (notification or email) to the customer, apologizing for the problem and giving up. Unfortunately this would result in a potential customer walking away. Let's try to avoid this.

Smarter approach works within the business context and rules. What do sales people do, when they don't have something? They quickly order the item from the supplier and apologize for the delay. We could do exactly the same thing here - extend the shipping time estimate, say sorry to the customer and give him a discount for the next purchase, if he agrees to wait a little bit for the current order to arrive. Not only we increase the probability of keeping customer happy, we might still make some profit out of this uneasy situation after all.

Under normal conditions this workflow would happen at extremely rare cases. However if we get sudden visibility, run some unexpectedly effective promotions or simply sell really popular item (like iPad), then we might run into the situation where:

• There are a lot of orders within the first 30 minutes after the the item goes on sale.
• We accept all these orders, but servers are stressed and it takes some time for them to process (or it takes some time for the cloud fabric to detect the load and deploy the additional servers).
• Within this interval a few more orders are created.

Anyway nothing bad will happen here, since we will ship all the items from the stock, while immediately handling customers that were a few seconds late (potentially keeping them and making some profit). Also, during all the time, the client UI will stay rather responsive, since it does not face any CPU-heavy processing or database-level deadlocks.

This scenario is slightly better, than the situation when the entire web site (built with a classical SOA architecture) goes down under the stress, isn't it?

Summary

As we can see, in the approach based on CQRS we logically separate Validation from the Business Rules.

Validation (in a task-based UI) ensures that a command is valid within some limited context. Validation is executed on the client side, updating all the UI with the details of any problems found (so that the user could fix them). Valid commands are sent to the server, which runs validation again, followed by the actual business logic.

This article is a part of xLim 4 body of knowledge (CQRS section). You can subscribe to the feed to stay tuned to all the updates.

What do you think about all this? Do you use validation and business rules in your solutions? Have you faced similar challenges in your projects?