I prefer simplicity and using the first example but I’d be happy to hear other options. Here’s a few examples:

HTTP/1.1 403 POST /endpoint
{ "message": "Unauthorized access" }
HTTP/1.1 403 POST /endpoint
Unauthorized access (no json)
HTTP/1.1 403 POST /endpoint
{ "error": "Unauthorized access" }
HTTP/1.1 403 POST /endpoint
{
  "code": "UNAUTHORIZED",
  "message": "Unauthorized access",
}
HTTP/1.1 200 (🤡) POST /endpoint
{
  "error": true,
  "message": "Unauthorized access",
}
HTTP/1.1 403 POST /endpoint
{
  "status": 403,
  "code": "UNAUTHORIZED",
  "message": "Unauthorized access",
}

Or your own example.

  • huginn@feddit.it
    link
    fedilink
    arrow-up
    14
    ·
    4 months ago

    403 is a category, not a code. Yes I know they’re called http codes but REST calls are more complex than they were in 2001. There are hundreds of reasons you might not be authorized.

    Is it insufficient permissions? Authentication required? Blocked by security? Too many users concurrently active?

    I’d argue the minimum for modern services is:

    403 category
    Code for front end error displays
    Message as default front end code interpretation

    As json usually but if you’re all using protobuf, go off King.

    • hexbatch@programming.dev
      link
      fedilink
      arrow-up
      1
      ·
      4 months ago

      Yes, the more information and standards in an api response the better. There should be front end messages and developer messages. URL links to documentation are great too. Standards assist automation and testing.

      I understand other viewpoints about maintenance and redundancy, this can cause errors. And the above is too much work for some projects .

      But most api start as a temporary or one person project. It’s tempting to be terse and cool with responses . Even more tempting is this is a great cost cutter to not have overly detailed responses.

      However

      It’s much easier to add in more data to responses now than later. And a future you years later, or strangers who use it , will be grateful. It may be the thing that allows an api to be popular, rather than people use it despite the api

    • Lysergid
      link
      fedilink
      arrow-up
      1
      arrow-down
      3
      ·
      edit-2
      4 months ago

      REST calls are same as in 2001. There is no REST 2.0 or REST 2024. Because REST is architecture guideline. It’s just more data sent over it today. HTTP code IS code. Why your system issued it is implementation detail and have nothing to do with resource representation. Examples you provided are not 403. “Too many users active” does not exist in REST because REST is stateless, closest you can get is “too many requests” - 429. Insufficient permissions is 401. I don’t even know what is “blocked by security” but sounds like 401 too. Regardless, you should not provide any details on 401 or 403 to client as it is security concern. No serious app will tell you “password is wrong” or “user does not exist”. Maximum what client should hope for is input validation errors in 400.

      For those with “internal tool, I don’t care” argument - you either do not know what security in depth is or you don’t have 403 or 401 scenario in the system in the first place.

      Now hear me out, you all can do whatever you want or need with your API. Have state, respond with images instead of error codes, whatever, but calling it REST is wrong by definition

      • huginn@feddit.it
        link
        fedilink
        arrow-up
        2
        ·
        4 months ago

        Theory is fine but in the real world I’ve never used a REST API that adhered to the stateless standard, but everyone will still call it REST. Regardless of if you want it or not REST is no longer the same as it’s original definition, the same way nobody pronounces gif as “jif” unless they’re being deliberately transgressive.

        403 can be thrown for all of those reasons - I just grabbed that from Wikipedia because I was too lazy to dig into our prod code to actually map out specifics.

        Looking at production code I see 13 different variations on 422, 2 different variations of 429…

          • huginn@feddit.it
            link
            fedilink
            arrow-up
            1
            ·
            4 months ago

            You missed the point:

            The original creator of a thing does not control the current usage.

            It’s analogous.

        • Lysergid
          link
          fedilink
          arrow-up
          1
          ·
          4 months ago

          “Stateless” is not what “I” want, it is part of definition of REST.

          Can do != what spec says you should do. You can also send clown version from the post but don’t be surprised people will find it… funny

          Again, I’m not telling you are doing wrong. I’m telling you are mixing REST and RESTful web services