Home > Software engineering >  Rest API: Response HTTP status code for applicative semantic error
Rest API: Response HTTP status code for applicative semantic error

Time:11-27

Suppose to have a REST API which updates the stock of some products in an e-commerce portal:

URL : /products/stock
METHOD : PUT
BODY :

{
 "PRD001": 3,
 "PRD002": 2
}

Where the request body is a map made of <<PRODUCT_CODE>> : <<USER_REQUIRED_QUANTITY>> entries

At some point, the server receives a well-formed syntactic request, but the logic behind the API fails because:

  • One or more of the sent PRODUCT CODES do not exist.
  • The USER_REQUIRED_QUANTITY requested for one of the products having PRODUCT_CODE is unavailable because of insufficient stock.

Which HTTP CODE should the REST API return for these "semantic applicative errors"?

In my opinion:

  • It shouldn't return 400 - BAD REQUEST because the REQUEST is well-formed from a syntactic perspective.
  • In the case of an inexistent product, it shouldn't return 404 -NOT FOUND because the resource is related to a stock and not to a specific product. Returning 404 - NOT FOUND could lead the client intto an error.
  • It could return a 409 - CONFLICT (The request could not be completed due to a conflict with the current state of the resource)
  • It could return a 422 Unprocessable Entity (The server understands the content type and syntax of the request entity, but still server is unable to process the request for some reason). Anyway, this status code is part of WebDAV specific and not part of the HTTP)

What do you think about this specific use case? And, in a more general way, in which way do you handle HTTP Status codes according to applicative semantic errors?

Thank you

CodePudding user response:

Important idea - status codes are metadata of the transfer of documents over a a network domain; they describe the semantics of the HTTP response so that general purpose HTTP components can do intelligent things (e.g. invalidate cached responses).

Which HTTP CODE should the REST API return for these "semantic applicative errors"?

The fact that the values in the request body are the problem strongly suggests that we want some flavor of 4xx Client Error semantics.

I'm inclined to guess that the simplest approach would be to use 403 Forbidden

The 403 (Forbidden) status code indicates that 
the server understood the request but refuses 
to fulfill it.

Any nuance that you need to share with the user/bespoke client is described in the body of the 403 response.

From what I can tell, 409 Conflict isn't right, but also isn't going to get you into a lot of trouble.

For a general purpose component, 403 and 409 are handled essentially the same way -- in theory a general purpose component could try to "resolve the conflict" on its own and resubmit the request, but in practice we don't have a standard for describing the nature of the conflict, which means that the component isn't going to know a way to modify the request.

So while I would decline a pull request (PR) that used a 409 here, I would also accept a PR that used a 409 and also included a decision record documenting the trade offs that the implementer had considered in this specific context (for example - it might be important that your human operators easily be able to distinguish this case from authentication issues when scanning access logs).

In other words, make the boring choice unless you have really good reasons to do something else. If you have really good reasons to do something else, write them down.

422

My doubt about this one is that it is not part to the HTTP specs.

Don't be worried at that. HTTP status codes are intended to be extensible. Anything you find in the IANA status code registry should be considered safe to use.

Also, today, the registered reference for 422 is the current HTTP Semantics specification (RFC 9110).

That said, I wouldn't use it here, because I don't think the semantics are as good a fit for your circumstance as 403.

The 422 (Unprocessable Content) status code indicates that the
server understands the content type of the request content 
(hence a 415 (Unsupported Media Type) status code is inappropriate),
and the syntax of the request content is correct, but it was unable
to process the contained instructions. For example, this status 
code can be sent if an XML request content contains well-formed 
(i.e., syntactically correct), but semantically erroneous XML
instructions.

My interpretation of this is that we're trying to indicate that there's a problem specific to the semantics of the request body (ex: a required field is missing). It announces that we're unable to process the request, rather than announcing that the processing failed.

In other words, 422 is "I don't know what this means", where 403 is "I know what this means, but I won't do it."

We also have considered using the 403 - FORBIDDEN code, but it seems to be more related to authorization issues.

The specification gives wider latitude than the most common usage.

a request might be forbidden for reasons unrelated 
to the credentials.

That said, choosing a different status code can be the right engineering trade off. If the benefits of doing the right thing are small, and the costs (in particular, the support and operational costs) are large, well... maybe being successful is more important than being right.

Page link:https//www.codepudding.com/Softwareengineering/623469.html

Prev:Javascript / Node JS - using regex to transform a string?
Next:need to generate a new data frame with more no. of similar record from an existing data frame
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding