single-page web apps + rest api combination: server or client approach?

Context

I'm building a single-page web app using AngularJS and using a REST API as backend.

The REST backend has the following services (simplification):

  • /accounts/:id -- manages accounts
  • /transactions/:id -- manages transactions related to accounts
  • /sms/:id -- manages sending sms and listing sent sms

Problem

The problem emerges when I want to condition sms sending to the current account balance.

How to implement account balance validation while keeping the REST philosophy?

Alternative solutions

The way I see it, I have 2 alternatives:

  • Server-side: sms route handles account and balance checking for sms send request (POST /sms)
  • Client-side: the controller asks first for the account balance and only invokes the sms route if there is a balance

Server-side pros and cons:

  • Pros: account balance checking is transparent for the web app; no account balance validation on the client-side means no chance of hacking (?)
  • Cons: Implies that the sms route will be responsible also for the balance checking

Client-side pros and cons:

  • Pros: keeps REST APIs orthogonal
  • Cons: moving validation logic to the client makes it prone to hacking

Any thoughts?

How valuable/sensitive is your data? As a rule of thumb, never trust a client to protect your data. Anything worth protecting should be validated on the server side in addition to any validation you perform on the client side. There's nothing wrong with both, and it's common practice to validate both on the client and on the server; it gives your user a richer experience while protecting your domain.

Good luck,

Matt
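As an added illustration of the answer above (example code, not from the question or from Matt), here is an in-memory model of the POST /sms route where the balance check is enforced on the server, with the debit delegated to an account module so the sms route stays orthogonal to the accounts service. The cost per message, the account data and the response shapes are assumptions for the example.

```javascript
// Assumed cost of one sms in account currency units (not from the original post).
const SMS_COST = 1;

// Constructed sample data standing in for the /accounts and /transactions services.
const accounts = new Map([
  ["acc-1", { id: "acc-1", balance: 2 }],
  ["acc-2", { id: "acc-2", balance: 0 }],
]);
const transactions = []; // ledger entries written by the account module
const sentSms = [];      // what GET /sms/:id would list

// Account module: the only place that touches balances. Returns false instead of
// debiting when funds are insufficient, so callers never see a negative balance.
function debit(accountId, amount, reason) {
  const account = accounts.get(accountId);
  if (!account || account.balance < amount) return false;
  account.balance -= amount;
  transactions.push({ accountId, amount: -amount, reason });
  return true;
}

// Handler for POST /sms. `body` is whatever JSON the client sent; any client-supplied
// "balance" field is ignored, because only the server-side ledger is trusted.
function postSms(body) {
  if (typeof body.to !== "string" || typeof body.text !== "string") {
    return { status: 400, body: { error: "to and text are required" } };
  }
  if (!accounts.has(body.accountId)) {
    return { status: 404, body: { error: "unknown account" } };
  }
  // Server-side check and debit happen together, so a client cannot bypass the rule.
  if (!debit(body.accountId, SMS_COST, "sms")) {
    return { status: 402, body: { error: "insufficient balance" } };
  }
  const sms = { id: `sms-${sentSms.length + 1}`, accountId: body.accountId,
                to: body.to, text: body.text };
  sentSms.push(sms);
  return { status: 201, body: sms };
}

// Client-side pre-check (user experience only): the AngularJS controller can use the
// balance from GET /accounts/:id to disable the send button early, but it enforces nothing.
function clientCanSend(balanceFromApi) {
  return Number(balanceFromApi) >= SMS_COST;
}
```

Replaying the same request until the balance runs out shows the server answering 402 regardless of what the client claims in the request body.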