Implement a way to track points state to work with web services.

<skyred> e0ipso: how can I extend jsonapi on Patch to do custom validation?
3:33 PM <e0ipso> skyred: what do you need to do?
3:37 PM <skyred> e0ipso: I am trying to implement a banking system with JSONAPI. Here is the use case, how can I ensure all the requests follow this pattern: One request initialization time has be later than the previous request finishing time 
3:37 PM <skyred> e0ipso: I am trying a few different things. One thing I was wondering if JSONAPI module can be extended for custom validation
3:38 PM <e0ipso> skyred: that seems like something on top of JSON API
3:39 PM <e0ipso> that implies some sort of session
3:39 PM <e0ipso> but JSON API is stateless
3:40 PM <skyred> e0ipso: Yeah, stateless, therefore, my question was how to implement a banking system with this given constrain. If custom validation is allowed, then that's one answer.
3:45 PM <skyred> e0ipso: I am in the process of porting Userpoints to D8, above question is about how to make Userpoints to work with JSONAPI
3:47 PM <e0ipso> skyred: I used userpoints in the past
3:47 PM <e0ipso> but I can't remember how it stored the data
3:48 PM <e0ipso> However it "should be" just updting an entity
3:48 PM <skyred> e0ipso: it doesn't matter how the data is stored. Points is a field on an entity. So, if two clients sent 1 request each to PATCH this field via JSONAPI, how to ensure the second request is aware of the first request OR the second request should be failed.
3:53 PM <skyred> e0ipso: for example, a user has 100 credits now, if there are two upcoming requests, the first one is one user earns 50 credits. The PATCH request would look like SET points=150. the second request is this user uses 75 points. The PATCH would look like SET points to -25
3:55 PM <e0ipso> skyred: Can you prevent concurrency issues at the client level?
3:56 PM <skyred> e0ipso: that wouldn't do much good. Considering supporting many distributed clients. 
3:56 PM <e0ipso> so you can't
3:57 PM <e0ipso> skyred: in that case I'd recommend to include an addition/substraction RPC endpoint
3:58 PM <skyred> e0ipso: that's way to do it. Then, I probably need to implement something to block JSONAPI if it is enabled on the site
3:58 PM <skyred> one way*
3:58 PM <e0ipso> skyred: you can do entity access there
4:02 PM <skyred> e0ipso: another thing that I am currently trying: In D8, Points is an entity, so I am adding a psudo-field called snapshot, and do the preSave() validation, if snapshot != the current value, then preSave() fail. When client uses JSONAPI to update Points (reference), they need to also provide this snapshot field
4:03 PM <e0ipso> state keeping can get complex over time, but it's a valid solution