Is accepting JSON directly from the client in a Golang app with JSON-file data storage insecure / bad practice?

I have a simple Golang application with an HTTP API that controls the app; the API has a frontend over it powered by a React.js app. The frontend allows users to change settings and POSTs a JSON object called settings directly to the API /api/settings endpoint (which has simple JWT authentication built in). I take that object and unmarshal it into a struct for the application to use; in case of an error the application uses the default struct and sends an error to the client. My question is: am I doing this correctly, or is this insecure, sending the JSON directly to the app without any server-side validation, just a simple json.Unmarshal?

PS: I come from a PHP+MySQL web apps background, where accepting client input for the DB without escaping it was a very dangerous thing to do.

In principle, yes, it is bad; however, you would need to decide whether the risks outweigh the cost in your specific case, as the work required can be quite extensive.

No matter the language used, employing the model "Never trust the client" tends to provide the best security. In this model you assume all requests are malicious and therefore should be validated and sanitized. This allows you to gain confidence in the data you are storing, and in principle protects against changing requirements. For example, if you are presenting this stored data back to the users, then you can have some trust that nothing malicious is stored; however, this should not mean output encoding is not also used.

The final point to consider is how you are accessing the DB and creating the inserts. Assuming this is a SQL DB then ensure your query uses named parameters rather than string concatenation.
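As an added illustration of the "never trust the client" advice above, applied to the poster's situation (a JSON settings object POSTed to /api/settings and unmarshalled into a struct), here is an example handler that validates on the server side. This is example code written for this page, not the poster's application or any library's API; the `Settings` fields, the allowed themes, the size limit and the `/api/settings` handler wiring are all assumptions. It keeps the poster's "fall back to the default struct and report an error" behaviour but adds the checks a plain `json.Unmarshal` does not do: a cap on the body size, rejection of unknown fields and trailing data, and per-field allow-list and range validation. JWT authentication is assumed to have already happened in middleware before this handler runs.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"unicode"
	"unicode/utf8"
)

// Settings is a hypothetical settings object (an assumption for this example,
// not the poster's real struct). Only fields listed here may be set by clients.
type Settings struct {
	Theme          string `json:"theme"`
	RefreshSeconds int    `json:"refreshSeconds"`
	DisplayName    string `json:"displayName"`
}

// DefaultSettings mirrors the poster's "use the default struct on error" fallback.
func DefaultSettings() Settings {
	return Settings{Theme: "light", RefreshSeconds: 30, DisplayName: "user"}
}

// maxSettingsBytes caps what a client may send; a settings object is tiny,
// so anything larger is either a bug or an attempt to exhaust memory.
const maxSettingsBytes = 4 << 10

// allowedThemes is an allow-list: values are checked against it, not escaped.
var allowedThemes = map[string]bool{"light": true, "dark": true}

// Validate applies server-side rules to every field. Returning an error here
// is what keeps untrusted values out of the JSON file / DB.
func (s Settings) Validate() error {
	if !allowedThemes[s.Theme] {
		return fmt.Errorf("theme %q is not allowed", s.Theme)
	}
	if s.RefreshSeconds < 5 || s.RefreshSeconds > 3600 {
		return fmt.Errorf("refreshSeconds %d out of range [5, 3600]", s.RefreshSeconds)
	}
	name := strings.TrimSpace(s.DisplayName)
	if name == "" || len(name) > 64 || !utf8.ValidString(name) {
		return errors.New("displayName must be 1-64 bytes of valid UTF-8")
	}
	for _, r := range name {
		if unicode.IsControl(r) {
			return errors.New("displayName must not contain control characters")
		}
	}
	return nil
}

// DecodeSettings parses and validates a request body. On any failure it
// returns the defaults plus an error, matching the poster's current behaviour,
// but it never lets an unchecked client value through.
func DecodeSettings(body io.Reader) (Settings, error) {
	// Read at most one byte over the limit so an oversized body fails to parse.
	dec := json.NewDecoder(io.LimitReader(body, maxSettingsBytes+1))
	dec.DisallowUnknownFields() // typos and smuggled keys are errors, not silently dropped

	var s Settings
	if err := dec.Decode(&s); err != nil {
		return DefaultSettings(), fmt.Errorf("invalid settings JSON: %w", err)
	}
	// A well-formed request contains exactly one JSON value; anything after it is rejected.
	var extra json.RawMessage
	if err := dec.Decode(&extra); err != io.EOF {
		return DefaultSettings(), errors.New("unexpected data after settings object")
	}
	if err := s.Validate(); err != nil {
		return DefaultSettings(), err
	}
	return s, nil
}

// SettingsHandler wires DecodeSettings to an HTTP endpoint; store is whatever
// persists the validated struct (JSON file, or a DB via parameterized queries).
func SettingsHandler(store func(Settings)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		s, err := DecodeSettings(r.Body)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest) // tell the client, keep defaults
			return
		}
		store(s)
		w.WriteHeader(http.StatusNoContent)
	}
}

func main() {
	// Constructed sample request: one extra, unknown field that a bare json.Unmarshal would ignore.
	h := SettingsHandler(func(s Settings) { fmt.Printf("stored: %+v\n", s) })
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/api/settings",
		strings.NewReader(`{"theme":"dark","refreshSeconds":60,"displayName":"alice","isAdmin":true}`))
	h.ServeHTTP(rec, req)
	fmt.Println(rec.Code, strings.TrimSpace(rec.Body.String()))
}
```

The struct itself already rejects wrong JSON types, so the work is in `Validate`: allow-lists and ranges rather than escaping, because the point is to store only values you understand. When the validated struct is later written to a SQL database, pass the fields as query parameters (for example `db.ExecContext(ctx, "UPDATE settings SET theme = $1 WHERE user_id = $2", s.Theme, userID)`) rather than concatenating them into the query string, as the answer above recommends.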