Distinguishing HTTP status code 403 and 409 in practice (or 400)

Even after reading many documents, books, spec I couldn't 100% be certain whether I should use http status code 403 or 409 in my case.

Some argue that 403 should be used only with an authorization issue, but seeing twitter's api using 403 for update limits violation, I think 403 actual use is broader than just authorization issues. Maybe it can be used to tell a request has violated a server-side constraint.

And, from the spec, 409 seems to be used when we can expect that client can resolve the issue.

I'd appreciate some variety of real world examples of when to use 403 and when to use 409, and for an opinion on which code to use in my case, which I will lay out in the abstract below (so as not to violate NDA).

After edit: The example is lengthy but, simply put, it is about what code to return when constraint validation fails. Do you always return 400 when constraint validation fails? Should I return 400 and not 403 or 409?


There is a client that tells service A which shelf contains a specific book. While recording to the DB which book is on which shelf, service A is able to tell the client that the client is trying to put the book in a wrong shelf. Service A can tell this by asking another service B that basically has some logic in deciding where a book should go to.

What http code should service A use in this case?

(The request conflicts with service B's decision -- 409? -- but the client is not able to resolve this problem because when service B makes a decision it is permanent. And book id and bookshelf id are both path parameters (i.e., they are the only parameters in this endpoint), so the client can't really make any change to resolve the issue with the same request.)

Additionally, the client is able to tell service A that a bookshelf should no longer be used (because it is full or for whatever reason). When the client tells service A that bookshelf C is not in use anymore, and then later the client tells service A that it wants to put another book on bookshelf C, service A should tell the client that it can't do that. What http code should service A use in this case? (The request will conflict with the database status that says bookshelf C is not in use -- 409? But the client is not able to resolve this problem because when a bookshelf is not in use, it is permanent in service A and it is never in use again -- not 409?)

Thank you in advance for your time and input!

Clojurevangelist asked Jul 12 '17 17:07




1 Answer

Of the two codes mentioned, HTTP 403 is far more common and describes a valid (but unauthorized) request.

HTTP 409 is not very common. It describes a conflict (like a deadlock or some other type of issue) that resulted in an error. I think Mozilla gives good advice when it describes this error most commonly occurring with the PUT verb.

For a broader error condition, I would recommend using a 500 error code.

Dan Esparza answered Sep 18 '22 14:09
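The following is an added worked example, not code from the question or the answer above. It models the bookshelf endpoint from the question as a plain function so the three outcomes can be seen side by side: a request that is wrong on its own (400), a request the server understands but refuses to authorize (403, RFC 7231 §6.5.3), and a request that conflicts with the current state of the target resource (409, RFC 7231 §6.5.8, which says the client "might be able to resolve the conflict", so a permanent conflict still fits). The regular expression for ids, the `ShelfStore` state, and the `service_b_assigned_shelf` rule standing in for service B are all assumptions made up for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed rule: a path parameter may contain only these characters.
ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


@dataclass
class ShelfStore:
    """Stand-in for service A's database (constructed sample state)."""
    retired_shelves: set = field(default_factory=set)  # "not in use" shelves, permanent
    placements: dict = field(default_factory=dict)     # book_id -> shelf_id


def service_b_assigned_shelf(book_id: str) -> str:
    """Hypothetical stand-in for service B's permanent placement decision.

    Assumption: B derives the shelf from the first character of the book id.
    The real rule does not matter for the status-code mapping below.
    """
    return "shelf-" + book_id[0].lower()


def place_book(store: ShelfStore, book_id: str, shelf_id: str,
               caller_can_write: bool = True):
    """PUT /shelves/{shelf_id}/books/{book_id}: return (status, body)."""
    # 400: the request is malformed on its own; no server state was consulted.
    if not ID_RE.match(book_id) or not ID_RE.match(shelf_id):
        return 400, {"error": "book and shelf ids must match " + ID_RE.pattern}

    # 403: understood, but this caller may not do it; resending changes nothing.
    if not caller_can_write:
        return 403, {"error": "caller is not allowed to shelve books"}

    # 409: the shelf was retired earlier; the resource's current state rules
    # the request out, and nothing the client can send will change that.
    if shelf_id in store.retired_shelves:
        return 409, {"error": "shelf is retired and is never reused",
                     "resolvable": False}

    # 409: conflicts with service B's (permanent) decision. Telling the client
    # which shelf B chose lets it issue the request that will succeed.
    expected = service_b_assigned_shelf(book_id)
    if shelf_id != expected:
        return 409, {"error": "book belongs on another shelf",
                     "expected_shelf": expected, "resolvable": True}

    # Success: 201 on first placement, 200 on an idempotent replay of the same PUT.
    created = book_id not in store.placements
    store.placements[book_id] = shelf_id
    return (201 if created else 200), {"book": book_id, "shelf": shelf_id}


def retire_shelf(store: ShelfStore, shelf_id: str):
    """DELETE /shelves/{shelf_id}: mark the shelf as no longer in use (irreversible)."""
    if not ID_RE.match(shelf_id):
        return 400, {"error": "shelf id must match " + ID_RE.pattern}
    store.retired_shelves.add(shelf_id)
    return 204, None


if __name__ == "__main__":
    store = ShelfStore()
    print(place_book(store, "alpha", "shelf-a"))                        # (201, ...)
    print(place_book(store, "alpha", "shelf-b"))                        # (409, expected_shelf shelf-a)
    retire_shelf(store, "shelf-b")
    print(place_book(store, "bravo", "shelf-b"))                        # (409, resolvable False)
    print(place_book(store, "bad id!", "shelf-a"))                      # (400, ...)
    print(place_book(store, "charlie", "shelf-c", caller_can_write=False))  # (403, ...)
```

The ordering of the checks is deliberate: syntactic validation runs before any authorization or state lookup, so an unauthenticated caller never learns anything about shelves from a 400, and the authorization check runs before the 409 branches, so only a caller allowed to write learns which shelf service B chose. The `resolvable` flag in the 409 body is an application-level hint, not part of HTTP; it is one way to answer the question's concern that a 409 might be read as "retry with a change" when no change can help.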