this post was submitted on 30 Aug 2024
131 points (99.2% liked)

Programming

17538 readers
98 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]

founded 2 years ago
MODERATORS
snowe
Ategon
[email protected]
131
What is your preferred API error response and why? (lemy.lol)
submitted 3 months ago* (last edited 3 months ago) by [email protected] to c/programming
90 comments fedilink hide all child comments
 

I prefer simplicity and using the first example but I'd be happy to hear other options. Here's a few examples:

HTTP/1.1 403 POST /endpoint
{ "message": "Unauthorized access" }

HTTP/1.1 403 POST /endpoint
Unauthorized access (no json)

HTTP/1.1 403 POST /endpoint
{ "error": "Unauthorized access" }

HTTP/1.1 403 POST /endpoint
{
  "code": "UNAUTHORIZED",
  "message": "Unauthorized access",
}

HTTP/1.1 200 (🤡) POST /endpoint
{
  "error": true,
  "message": "Unauthorized access",
}

HTTP/1.1 403 POST /endpoint
{
  "status": 403,
  "code": "UNAUTHORIZED",
  "message": "Unauthorized access",
}

Or your own example.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 22 points 3 months ago (9 children)

I think the general rule of thumb is: Keep it Simple, Stupid.

Don’t include fields “just in case”. If you don’t have a use for a field right now, then don’t include it. It’s often easier to add fields than removing.

Avoid having fields that can be derived from other fields. Code “UNAUTHORIZED” can be derived from 403. Having both adds confusion. It adds the question whether the code field be something other than “UNAUTHORIZED” when the response is 403.

Just 403 with empty body is fine. Add message in a JSON in case it’s useful for the user. If the user needs more fields in the future, then it’s easy to expand the JSON.

[–] [email protected] 15 points 3 months ago (8 children)

403 is a category, not a code. Yes I know they're called http codes but REST calls are more complex than they were in 2001. There are hundreds of reasons you might not be authorized.

Is it insufficient permissions? Authentication required? Blocked by security? Too many users concurrently active?

I'd argue the minimum for modern services is:

403 category
Code for front end error displays
Message as default front end code interpretation

As json usually but if you're all using protobuf, go off King.

[–] [email protected] 0 points 3 months ago (1 children)

I've never heard of using protobuf in an HTTP API... But, I guess that should be fine.

[–] bitfucker 1 points 3 months ago

The thing is, it does exists a way to convert grpc protobuf to json one

load more comments (6 replies)
load more comments (6 replies)