Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Which HTTP status code to use when REST API user is trying to acces an object and there is an error?

Tags:

rest

http

http-status-codes

mongodb

I am trying to find the proper status code to return, here's what I have in mind so far:

  1. GET /api/documents/1 - document exists, user has access - 200 OK
  2. GET /api/documents/2 - document exists, user does not have access - 403 Forbidden
  3. GET /api/documents/3 - document does not exist (cannot check if has access or not) - 404 Not Found? 403 Forbidden?
  4. GET /api/documents/a - id is invalid (should be a number) - 400 Bad Request? 404 Not Found? 403 Forbidden?

The problem with my backend (using MongoDB) at the moment is that the first thing I do is check if the user has access to a document by checking it against a list of document IDs he has access to. If the document_id is not found in the list, 403 Forbidden is automatically returned. This helps me to avoid fetching the document from the db first to see if the user can access it.

I am not sure what would be the best practise here - should I pursue better HTTP status codes (and thus creating extra db requests) or would 403 Forbidden work for the last 2 cases (3 and 4) as well?

like image 908
ragulka Avatar asked Jan 15 '13 21:01

ragulka

1 Answers

I'd suggest 404 for both #3 and #4.

1. GET /api/documents/1 - document exists, user has access - 200 OK

200 is appropriate.

2. GET /api/documents/2 - document exists, user does not have access - 403 Forbidden

403 is appropriate.

3. GET /api/documents/3 - document does not exist (cannot check if has access or not) - 404 Not Found? 403 Forbidden?

404 is appropriate here since the document does not exist at the specified URI.

4. GET /api/documents/a - id is invalid (should be a number) - 400 Bad Request? 404 Not Found? 403 Forbidden?

404 is still appropriate here since no resource exists at the specified URI. For reference, a 400 refers to malformed syntax, but the URI and request are perfectly valid syntactically; it's just that there isn't a corresponding resource available on your server.

In general, you should think first about the API and following standard HTTP approaches. Whether or not this requires another internal database request is an implementation detail. I'd suggest avoiding premature optimizations, especially those that will have such a direct impact on your clients.

like image 98
shelley Avatar answered Sep 24 '22 16:09

shelley
Sign in to Comment

Related questions

How to create nanohttpd server in android?
jQuery ajax back to $_POST instead of REQUEST payload
Why do I get "Error parsing HTTP request header" when POSTing a JSON string?
Can I use HTTP response 424 when a request requires another request to be done first?
How to unmarshall `text/plain` as JSON in Akka HTTP
@NotNull annotation not working as expected Java Jersey
HTTP: Is an IP address allowed in the host header field?
How do I upload a file to a pre-signed URL in AWS using Node.js and Axios?
Getting TTFB (time till first byte) for an HTTP Request
Compacting Http Headers
Is AJAX push a HTTP protocol aberration?
Query string after the domain name
.NET HttpListener Prefix issue with anything other than localhost
Getting a stock's price history
How to pass POST data to the PHP-CGI?
If a Tomcat server says "Client Aborted", and the client says "Premature EOF", who is right?
Throttle HTTP request in Java Servlet
HTTPClient 4.x Connection reuse not happening
Is it possible to detect whether a http git remote is smart or dumb?
How to mock Net::HTTP::Post?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!