Wrong REST API HTTP Response codes

[TyronX]

I just spent 2 hours figuring out why a POST to /core/members returns a 403 Forbidden altough I did double and triple check that I did grant access to those api calls. 

Turns out the call was successfull but a member with the same email exists - that's a terrible idea to use the HTTP Response codes to denote an error that is not related to http communication itself - thats not what they are made for...

This makes it incompatible with PHPs HTTP Wrapper methods because they - understandably - expect a 200 OK from the server!

PHP Warning:  file_get_contents(https://www.example.com/api/core/members): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden
 in /var/www/html/lib/core.php on line 248
 

[Charles]

Actually when using REST that is indeed what the HTTP Response codes are for.

[Mark]

To elaborate - in HTTP, the response code denotes the status of the request. If a request is to create a member, a 2xx response should only be used if that member wasn't created. If the request could not be fulfilled, an error code is appropriate - 4xx errors tell you there was something wrong with your request (in this case, the email you sent isn't acceptable), 5xx errors indicate the error is out of your control - in all 3 cases, the response body should contain more details. This applies to both requests for pages sent by a web browser, and a REST API using the HTTP protocol. For more information, http://www.restapitutorial.com is quite a good resource which also has a list of all the HTTP status codes.

 

Incidentally you should really turn off reporting of warnings on production servers  

Quote

This is a feature to support your development and should never be used on production systems (e.g. systems connected to the internet).

 

[Colonel_mortis]

On 16/10/2016 at 10:44 PM, Mark said:

To elaborate - in HTTP, the response code denotes the status of the request. If a request is to create a member, a 2xx response should only be used if that member wasn't created. If the request could not be fulfilled, an error code is appropriate - 4xx errors tell you there was something wrong with your request (in this case, the email you sent isn't acceptable), 5xx errors indicate the error is out of your control - in all 3 cases, the response body should contain more details. This applies to both requests for pages sent by a web browser, and a REST API using the HTTP protocol. For more information, http://www.restapitutorial.com is quite a good resource which also has a list of all the HTTP status codes.

 

Incidentally you should really turn off reporting of warnings on production servers  

 

A 4xx error would be correct, but 403 is not. The semantically correct code would be 400 (Bad Request) or 409 (Conflict).

The article you linked has nothing to do with reporting warnings... That is about displaying errors on the page, not logging them to stderr (aka the apache error log) which is where it looks like that error message has come from. Logging warnings is fine (and generally encouraged).

In the original post, it says "the call was successful" - I haven't tested it, but to me that means that the member was created, in which case a 200 or 201 response would be appropriate; if that only means that the request made it to the API dispatcher, then, as I said, a 4xx code is correct, but 403 is not the right choice in my opinion.