this post was submitted on 30 Aug 2024

81 points (100.0% liked)

Programming

420 readers

7 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Follow the programming.dev instance rules
Keep content related to programming in some way
If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 1 year ago

MODERATORS

snowe@programming.dev

Ategon@programming.dev

MaungaHikoi@lemmy.nz

What is your preferred API error response and why? (lemy.lol)

submitted 4 weeks ago* (last edited 4 weeks ago) by iso@lemy.lol to c/programming@programming.dev

52 comments fedilink hide all child comments

I prefer simplicity and using the first example but I'd be happy to hear other options. Here's a few examples:

HTTP/1.1 403 POST /endpoint
{ "message": "Unauthorized access" }

HTTP/1.1 403 POST /endpoint
Unauthorized access (no json)

HTTP/1.1 403 POST /endpoint
{ "error": "Unauthorized access" }

HTTP/1.1 403 POST /endpoint
{
  "code": "UNAUTHORIZED",
  "message": "Unauthorized access",
}

HTTP/1.1 200 (🤡) POST /endpoint
{
  "error": true,
  "message": "Unauthorized access",
}

HTTP/1.1 403 POST /endpoint
{
  "status": 403,
  "code": "UNAUTHORIZED",
  "message": "Unauthorized access",
}

Or your own example.

top 50 comments

sorted by: hot top controversial new old

[–] gencha@lemm.ee 58 points 4 weeks ago (3 children)

Respect the Accept header from the client. If they need JSON, send JSON, otherwise don't.

Repeating an HTTP status code in the body is redundant and error prone. Never do it.

Error codes are great. Ensure to prefix yours and keep them unique.

Error messages can be helpful, but often lead developers to just display them in the frontend, breaking i18n. Some people supply error messages in multiple languages, depending on the Accept-Language header.

[–] Michal@programming.dev 22 points 4 weeks ago

This guy backends ☝️

[–] pe1uca@lemmy.pe1uca.dev 6 points 4 weeks ago

but often lead developers to just display them in the frontend

Oh boy I feel this one.
My API is meant for scripting (i.e. it's for developers and the errors are for developers), but the UI team uses it and they just straight display the error from their HTTP request for none technical people which might also not get to know all the parameters actually needed for the request.
And even when the error is in fact in my code, and I sent all the data I need to debug and replicate the error, the users can't tell me because the UI truncates the response, so the user only sees something like Error in pe1uca's API: {"error":"bad request","message":"Your request has an error, please check th... (truncated). So the message gets truncated and the link to the documentation is also never shown .-.

[–] FizzyOrange@programming.dev 3 points 4 weeks ago (1 children)

To be fair if it's an exceptional error message (i.e. database timeout; not incorrect password) I don't think i18n matters that much. Most people will just be googling the error message anyway, and if not it should be rare enough that using Google translate isn't an issue.

[–] gencha@lemm.ee 1 points 4 weeks ago

Depends on the product. It's just something to think about when signaling errors. There is information for the API client developer, there is information for the client code, and there's information for the user of the client. Remembering these distinct concerns, and providing distinct solutions, helps. I don't think there is a single approach that is always correct.

[–] ramble81@lemm.ee 36 points 4 weeks ago (5 children)

Giving back a 200 for an error always makes me bristle. Return correct codes people. “But the request to the web server was successful!”

[–] FizzyOrange@programming.dev 11 points 4 weeks ago (1 children)

I use this big expensive simulator called Questa, and if there's an error during the simulation it prints Errors: 1, Warnings: 0 and then exits with EXIT_SUCCESS (0)! I tried to convince them that this is wrong but they're like "but it successfully simulated the error". 🤦🏻‍♂️

We end up parsing the output which is very dumb but also seems to be industry standard in the silicon industry unfortunately (hardware people are not very good at software engineering).

[–] Dark_Arc@social.packetloss.gg 8 points 4 weeks ago* (last edited 4 weeks ago) (1 children)

That's when you use different exit codes. 1 for failure during simulation, 2 for simulation failed.

Shame they wouldn't listen.

[–] fuzzzerd@programming.dev 1 points 3 weeks ago

I generally agree, but with robocopy they went too far with this, because the status code doesn't work the way you expect, and you've got to script around it.

[–] OneCardboardBox@lemmy.sdf.org 3 points 4 weeks ago

I worked on a product that was only allowed to return 200 OK, no matter what.

Apparently some early and wealthy customer was too lazy to check error codes in the response, so we had to return 200 or else their site broke. Then we'd get emails from other customers complaining that our response codes were wrong.

[–] gencha@lemm.ee 2 points 4 weeks ago

I don't necessarily disagree, but I have spent considerable time on this subject and can see merit in decoupling your own error signaling from the HTTP layer.

No matter how you design your API, if you're passing through additional layers, like load balancers and CDNs, you no longer have full control over all responses your clients receive. At this point it may be viable to always signal a successful backend connection with a 200, even if the process resulted in a failure.

Going further, your API may include partial success scenarios, think batch processing, then the result could be a mix of success and failure that doesn't translate to HTTP status.

You could even argue that there is really no reason to couple your API so tightly with a concept of the transport layer it uses.

[–] lemmyvore@feddit.nl 1 points 4 weeks ago

You should consider if you really want to integrate your application super tightly with the HTTP protocol.

Will it always be used exclusively over a REST-ful HTTP API that you control, and it has exactly one hop to the client, or passes through hops that can be trusted to never alter the HTTP metadata significantly? In that case you can afford to make HTTP codes semantically relevant for your app.

But maybe you need to pass data through multiple different types of layers and different mechanisms (socket protocols, pub-sub, file storage etc.) In that case you want all your semantics to be independent from any form of transport.

[–] flashgnash@lemm.ee 1 points 4 weeks ago

It's usually such an easy thing to do as well, in all the web frameworks I've used it's literally a case of changing Ok to Forbidden, 200 to 403 or something very similar

[–] xiodine@programming.dev 19 points 4 weeks ago (3 children)

https://www.rfc-editor.org/rfc/rfc9457.html

[–] iso@lemy.lol 4 points 4 weeks ago

This one looks nice. Very detailed.

[–] madeindjs@programming.dev 3 points 4 weeks ago

I don't get why the RFC show an example returning 403 with body "You do not have enough credit." although there is a dedicated status code " 402 Payment Required". Isn't more correct to use 402 in this situation?

[–] pe1uca@lemmy.pe1uca.dev 2 points 4 weeks ago

Don't know what are the changes since 7807 (which this one obsoletes) but this article helped me quickly understand the first one, hopefully it's still somewhat relevant.
https://lakitna.medium.com/understanding-problem-json-adf68e5cf1f8

[–] houseofleft@slrpnk.net 18 points 4 weeks ago* (last edited 4 weeks ago)

I'm a data engineer, and have seen an ungodly ammount of 200-but-actually-no-stuff-is-broken errors and it's the bane of my life!

We have generic code to handle pulling in api data, and transforming it. It's obviously check the status code, but any time an API implements this we have to choose between:

having code fail wierdly further down the line because can't parse the status
adding in some kind of insane if not response.ok or "actually no there's an error really" in response.content logic

Every time you ignore protocols and invent your own, you are making everyone sad.

Will take recommendations of support groups I can join for victims of terrible apis.

[–] magic_lobster_party@fedia.io 14 points 4 weeks ago (1 children)

I think the general rule of thumb is: Keep it Simple, Stupid.

Don’t include fields “just in case”. If you don’t have a use for a field right now, then don’t include it. It’s often easier to add fields than removing.

Avoid having fields that can be derived from other fields. Code “UNAUTHORIZED” can be derived from 403. Having both adds confusion. It adds the question whether the code field be something other than “UNAUTHORIZED” when the response is 403.

Just 403 with empty body is fine. Add message in a JSON in case it’s useful for the user. If the user needs more fields in the future, then it’s easy to expand the JSON.

[–] huginn@feddit.it 8 points 4 weeks ago (3 children)

403 is a category, not a code. Yes I know they're called http codes but REST calls are more complex than they were in 2001. There are hundreds of reasons you might not be authorized.

Is it insufficient permissions? Authentication required? Blocked by security? Too many users concurrently active?

I'd argue the minimum for modern services is:

403 category
Code for front end error displays
Message as default front end code interpretation

As json usually but if you're all using protobuf, go off King.

[–] Dark_Arc@social.packetloss.gg 1 points 4 weeks ago (1 children)

I've never heard of using protobuf in an HTTP API... But, I guess that should be fine.

[–] bitfucker@programming.dev 1 points 4 weeks ago

The thing is, it does exists a way to convert grpc protobuf to json one

[–] Lysergid@lemmy.ml 1 points 4 weeks ago* (last edited 4 weeks ago) (1 children)

REST calls are same as in 2001. There is no REST 2.0 or REST 2024. Because REST is architecture guideline. It’s just more data sent over it today. HTTP code IS code. Why your system issued it is implementation detail and have nothing to do with resource representation. Examples you provided are not 403. “Too many users active” does not exist in REST because REST is stateless, closest you can get is “too many requests” - 429. Insufficient permissions is 401. I don’t even know what is “blocked by security” but sounds like 401 too. Regardless, you should not provide any details on 401 or 403 to client as it is security concern. No serious app will tell you “password is wrong” or “user does not exist”. Maximum what client should hope for is input validation errors in 400.

For those with “internal tool, I don’t care” argument - you either do not know what security in depth is or you don’t have 403 or 401 scenario in the system in the first place.

Now hear me out, you all can do whatever you want or need with your API. Have state, respond with images instead of error codes, whatever, but calling it REST is wrong by definition

[–] huginn@feddit.it 1 points 4 weeks ago (3 children)

Theory is fine but in the real world I've never used a REST API that adhered to the stateless standard, but everyone will still call it REST. Regardless of if you want it or not REST is no longer the same as it's original definition, the same way nobody pronounces gif as "jif" unless they're being deliberately transgressive.

403 can be thrown for all of those reasons - I just grabbed that from Wikipedia because I was too lazy to dig into our prod code to actually map out specifics.

Looking at production code I see 13 different variations on 422, 2 different variations of 429...

[–] Lysergid@lemmy.ml 1 points 4 weeks ago

“Stateless” is not what “I” want, it is part of definition of REST.

Can do != what spec says you should do. You can also send clown version from the post but don’t be surprised people will find it… funny

Again, I’m not telling you are doing wrong. I’m telling you are mixing REST and RESTful web services

load more comments (2 replies)

load more comments (1 replies)

[–] Dunstabzugshaubitze@feddit.org 9 points 4 weeks ago (1 children)

since none of your examples add anything of value in the body: a plain old 403 is enough.

response bodies for 400 responses are more interesting, since you can often tell why a request was bad and the client can use that information to communicate to the user what went wrong.

best error code remains 418, though.

[–] epyon22@programming.dev 2 points 4 weeks ago

I was annoyed that the one time I wanted to use 418 as a filler Dotnets http library didn't support returning it.

[–] lengau@midwest.social 9 points 4 weeks ago

At a previous job we had an unholy combination of the last two:

HTTP/1.1 200 POST /endpoint 
{
  "data": null,
  "errors": ["403", "unauthorized"],
  "success": false
}

[–] LaggyKar@programming.dev 8 points 4 weeks ago (2 children)

It's 401 unauthorized or 403 forbidden, not 403 unauthorized

[–] iso@lemy.lol 4 points 4 weeks ago

You’re right, I was just giving an example though.

[–] sus@programming.dev 2 points 4 weeks ago* (last edited 4 weeks ago)

to be even more pedantic, if we follow the relevant official RFCs for http (formerly 2616, but now 7230-7235 which have relevant changes), a 403 can substitute for a 401, but a 401 has specific requirements:

The server generating a 401 response MUST send a WWW-Authenticate header field (Section 4.1) containing at least one challenge applicable to the target resource.

(the old 2616 said 403 must not respond with a request for authentication but the new versions don't seem to mention that)

[–] killabeezio@lemm.ee 6 points 4 weeks ago

The status code that gets returned should be the status code of the messenger and not the data. If you want to add a status code about the data, then please do.

If something can return null and empty and it's valid, that is not a 404. That is a 200.

As far as a 403, the messenger is telling you that you shall not pass. There is no data. 403 is appropriate here. The return response can be anything since 403 is pretty self explanatory, but I would probably return json to be consistent. I would also use the field message. Something like the first one for this use case only.

In other cases where i do get data, I would use data, message, status (optional). But status in the json response would be status about the message.

[–] GetOffMyLan@programming.dev 6 points 4 weeks ago* (last edited 4 weeks ago)

I like using Problem detials

It's fully supported by the .net server pretty much out the box and just seems nice to stick to a standard where possible.

[–] Boomkop3@reddthat.com 6 points 4 weeks ago

just 403 and leave the body empty

[–] vasametropolis@lemm.ee 5 points 4 weeks ago* (last edited 4 weeks ago)

1 or 4 but wrapped in a top level error object. It’s usually best to not use the top level namespace because then you can’t add meta details about the request easily later without changing the original response schema.

Codes are great but I’m usually too lazy to introduce them right away, so I instead have message (which is guaranteed to come back) and context, which is any JSON object and doesn’t adhere to a guaranteed structure. Another poster pointed out that code is way easier for localization since you are probably not localizing your message.

The HTTP status code is generally sufficient to describe what happened without having to catalogue every error with a unique “code”. A context blob is useful for dumping validation errors or any other details about the error that a human could at least rely on for help.

Putting the status code on the body seems helpful but is actually useless, since the only place you can assume it’s always provided is on the response itself and not the body.

[–] VonReposti@feddit.dk 4 points 3 weeks ago

The documented one. It is hell to work with APIs where only the happy path is documented.

[–] noride@lemm.ee 4 points 4 weeks ago* (last edited 4 weeks ago)

I like the last one, I think having the status code in the body could help clarify where the error is coming from when traversing a reverse proxy.

[–] snowe@programming.dev 4 points 4 weeks ago

Anything but the last one. Don't duplicate the http code in the body, else you're now maintaining something you don't need to maintain.

I'm not a fan of codes that repeat information in the body either, but I think if you had used a different example like "INVALID_BLAH" or something then the message covered what was invalid, then it would be fine. Like someone else said, the error data should be in an object as well, so that you don't have to use polymorphism to figure out whether it's an error or not. That also allows partially complete responses, e.g. data returns, along with an error.

[–] tun@lemm.ee 3 points 4 weeks ago* (last edited 4 weeks ago) (1 children)

GitHub has OpenAPI specification. Latest version is 3.1, I think.

[–] iso@lemy.lol 1 points 4 weeks ago

Looks like they're recommending object of error code (number) and message.

[–] SorteKanin@feddit.dk 3 points 4 weeks ago (1 children)

A simple error code is sufficient in all of these cases. The error provided gives no additional information. There is no need for a body for these responses.

[–] kogasa@programming.dev 4 points 4 weeks ago (1 children)

There may be a need for additional information, there just isn't any in these responses. Using a basic JSON schema like the Problem Details RFC provides a standard way to add that information if necessary. Error codes are also often too general to have an application specific meaning. For example, is a "400 bad request" response caused by a malformed payload, a syntactically valid but semantically invalid payload, or what? Hence you put some data in the response body.

[–] SorteKanin@feddit.dk 1 points 4 weeks ago

A plain 400 without explanation is definitely not great UX. But for something like 403, not specifying the error may be intentional for security reasons.

[–] dsilverz@thelemmy.club 3 points 4 weeks ago

A mix between the last one and the previous. The key error should be set in order to indicate the presence of an error, while status and code represents, respectively, the error numerical code and the error type, while the error message is supposed to be concatenated to an human-friendly error text.

[–] kevincox@lemmy.ml 3 points 4 weeks ago

HTTP/1.1 403 UNAUTHORIZED
{
  "error": {
    "status": "UNAUTHORIZED",
    "message": "Unauthorized access",
  },
}

I would separate the status from the HTTP status.

The HTTP status is great for reasonable default behaviours from clients.
The application status can be used for adding more specific errors. (Is the access token expired, is your account blocked, is your organization blocked)

Even if you don't need the status now, it is nice to have it if you want to add it in the future.

You can use a string or an integer as the status code, string is probably a bit more convenient for easy readability.

The message should be something that could be sent directly to the user, but mostly helpful to developers.

[–] AsudoxDev@programming.dev 3 points 4 weeks ago* (last edited 4 weeks ago)

Is the last one real? Has any sane dev made something like that monstrosity? It's not like the others are any better, but who would ever think of doing the last one and why?

[–] hex@programming.dev 2 points 4 weeks ago* (last edited 4 weeks ago)

For me it just depends on what I expect. They're all relatively the same thing. As long as the status code is appropriate (403), it doesn't matter whether it's JSON or plaintext. Ideally the API would respect and handle the request header, and return plaintext if you request plaintext.

[–] thesmokingman@programming.dev 2 points 4 weeks ago

There are competing interests here: normal consumers and script kiddies. If I build an API that follows good design, RFCs, pretty specs, all of that, my normal users have a very good time. Since script kiddies brute force off examples from those areas, so do they. If I return 200s for everything without a response body unless authenticated and doing something legit, I can defeat a huge majority of script kiddies (really leaving denial of service). When I worked in video games and healthcare, this was a very good idea to do because an educated API consumer and a sufficiently advanced attacker both have no trouble while the very small amount of gate keeping locks out a ton of annoying traffic. Outside of these high traffic domains, normal design is usually fine unless you catch someone’s attention.

[–] JakenVeina@lemm.ee 1 points 4 weeks ago* (last edited 4 weeks ago)

#4 for me.

Proper HTTP Status code for semantic identification. Duplicating that in the response body would be silly.

User-friendly "message" value for the lazy, who just wanna toss that up to the user. Also, ideally, this would be what a dev looks at in logs for troubelshooting.

Tightly-controlled unqiue identifier "code" for the error, allowing consumers to build their own contextual error handling or reporting on top of this system. Also, allows for more-detailed types of errors to be identified and given specific handling and recovery logic, beyond just the status code. Like, sure, there's probably not gonna be multiple sub-types of 403 error, but there may be a bunch of different useful sub-types for a 400 on a form submission.

load more comments