What are suitable response codes and messages for:
- fields submitted the wrong way (URL parameters vs body) or missing fields
- fields getting invalid values (string instead of numbers, timestamp in future)
- algunos personajes como
?, /break stuff in URL parameters
- Actual failures: invalid credentials, repeating already-done action
At present, we use 400 for all.
preguntado el 04 de julio de 12 a las 10:07
Cases 1, 2 and 3 in your question are essentially syntactic errors in the request
=> 400 Bad Request
(RFC 2616 says: The request could not be understood by the server due to malformed syntax.)
As to case 4:
a. Invalid credentials
=> 401 no autorizado
b. Repeating already-done action
=> 403 Prohibida
(The RFC says: El servidor entendió la solicitud, pero se niega a cumplirla. La autorización no ayudará y la solicitud NO DEBE repetirse.)
Pero entonces Conflicto 409 y 410 desaparecido make sense when trying to modify stuff incorrectly (PUT) or accessing resources already deleted, respectively.
Y aqui esta RFC 2616 Sección 10.
Read the HTTP spec for each response code to get some information about what to return in the response body. 4xx, for example, says "Except when responding to a HEAD request, the server SHOULD include a representation containing an explanation of the error situation, and whether it is a temporary or permanent condition."
The primary point to keep in mind is that the HTTP response codes are designed to be uniform, and therefore have much more to do with fostering interoperability than feeding the detailed needs of individual applications. Use the response body, not the code, to include minute details in a format that you expect your clients to understand.
1 fields submitted the wrong way (URL parameters vs body) or missing fields
Return "404 Not Found". Querystring parameters are part of the URI and are used to identify a resource.
/foo/bar?a=1&b=2 identifies a different resource than
foo/bar. If the resource does not exist, return 404. It does not matter that the same logic in your code is used to handle any querystring parameters for the same path: those details are intentionally hidden behind the uniform interface. See the URI spec para más información.
2 fields getting invalid values (string instead of numbers, timestamp in future)
400 is best here, unless the resource is in a state which conflicts with the request that the user might reasonably be able to resolve (and then resubmit the request), in which case return 409.
3 some characters like ?, / break stuff in URL parameters
If such breakage is due to your server not correctly handling reserved characters in the querystring component, return 500. If the client submitted a malformed Request-URI, return 400. If the URI identifies a resource which your server does not handle, return 404.
4 Actual failures: invalid credentials, repeating already-done action
Invalid credentials should result in "401 Unauthorized". Repeating an action that has already been done should result in 200 OK (or a redirect, etc) if the request method is idempotente (GET, HEAD, PUT, DELETE). For POST, repeating an action depends entirely on the nature of the action, and practically any status code may be returned. 400/409 is common, but many such resources simply perform the action again, which is often desirable.