What would be the correct HTTP response for a change password request where the old password entered is incorrect?

In a change password request, if the old password is not right, what would be the correct response?

I'm thinking 401 Unauthorized? Or is it 400 Bad Request?

Andre C asked Sep 20 '25 04:09


1 Answer

It's a bit tricky because I think you can make the argument for either, and I also feel that 409 and 422 could be argued.

Ultimately I think that it's important to use a more specific HTTP status code, if a generic client can do something useful with the response. Because of this, I think it doesn't really matter in this case.

I think I would be tempted to not use 401, because I associate that close to the Authorization header, and you're probably not using it in this case.

422 or 400 are the best. This is entirely based on opinion. Either of those indicates that there was something wrong with the request (422 is a bit more specific: there's nothing wrong with the format, but there is something wrong with the actual values sent to the server).

409 is sometimes used to indicate that the current request is valid, but the current state of the server prevents it from being successful. Given that the current state of the server is "the current password was something else", 409 could be appropriate.

Ultimately I don't think any is really wrong, and it's not really important but my vote would go to 422 first, and 400 next.

Some sources (the first few are mine; the last link is from one of the authors of the HTTP specification):

  • https://evertpot.com/http/400-bad-request
  • https://evertpot.com/http/422-unprocessable-entity
  • https://evertpot.com/http/409-confict
  • https://www.mnot.net/blog/2017/05/11/status_codes
Evert answered Sep 23 '25 04:09
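The status-code mapping the answer argues for, written out as an added Python example (not code from the question or the answer): a change-password handler that keeps 401 for a missing or invalid request credential, 400 for a malformed body, and 422 for a well-formed request whose current password is wrong. The in-memory user store, the `tok-abc` session token and the PBKDF2 hashing are constructed for this example.

```python
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; a real service would use its existing password hasher.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed state for the example: one user whose current password is "old-secret",
# and one valid session token mapped to that user.
_SALT = os.urandom(16)
USERS = {"alice": {"salt": _SALT, "hash": _hash_password("old-secret", _SALT)}}
SESSIONS = {"tok-abc": "alice"}


def verify_password(username: str, candidate: str) -> bool:
    """Check a candidate password against the stored hash in constant time."""
    rec = USERS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _hash_password(candidate, rec["salt"]))


def change_password(headers: dict, body) -> tuple[int, dict]:
    """Return (HTTP status, JSON body) for a change-password request."""
    # 401: the request carries no usable credential (Authorization header).
    token = headers.get("Authorization", "").removeprefix("Bearer ").strip()
    user = SESSIONS.get(token)
    if user is None:
        return 401, {"error": "authentication required"}
    # 400: the request body itself is malformed (wrong shape or types).
    if not isinstance(body, dict) or not all(
        isinstance(body.get(k), str) for k in ("current_password", "new_password")
    ):
        return 400, {"error": "current_password and new_password must be strings"}
    # 422: well-formed, but a value fails a semantic check (wrong current password).
    if not verify_password(user, body["current_password"]):
        return 422, {"error": "current password is incorrect"}
    if len(body["new_password"]) < 12:
        return 422, {"error": "new password must be at least 12 characters"}
    # Success: re-hash with a fresh salt and return 204 (no body needed).
    salt = os.urandom(16)
    USERS[user] = {"salt": salt, "hash": _hash_password(body["new_password"], salt)}
    return 204, {}
```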